Monday, November 15, 2021

STP taking down my firewalls or my config is just plain wrong

In the last day or so, I have had an issue with my firewalls: the secondary kept dropping offline. I have been on site for the last 4 hours and could not see any reason for there to be an issue until I had a thought about STP, and it appears that this is what was causing the issue: one of the ports on my switch was being blocked. I have disabled STP on both switches for a single port; that port is a trunk on VLAN 2 between my 2 switches. There are 2 other connections in the same VLAN on each switch, those being the outside interface of a firewall and the connection to my provider.

This doesn't feel right, but it also makes sense as to why I have been having issues. I am also not sure why this suddenly started happening yesterday with no changes from my end.

I am trying to understand whether I just happened to have made it work when it should not, or whether I actually fixed the problem and have not introduced a horrible issue somewhere.

The connections from my provider are running HSRP I believe. From what I can see, only 1 of my links is active at any time.

So with STP active, it appears it was blocking one of the ports and stopping both of the firewalls from being able to see the active uplink, so only the firewall on the same switch as the active connection from my provider would work. If I swapped the active firewall at this point, the active provider link was on the other switch, and it would not work until I disconnected the provider link on the other switch.

After disabling STP, I can fail over the firewalls however I want, and because they both have access to the active provider link, they both work.

My concern is that I have had to disable STP on these ports, and what is the impact of that? I had also expected the firewalls to know something was up, but it seems that only occurs when the provider link goes down.

What gives!
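The situation in the post (two switches, one VLAN 2 trunk between them, one firewall outside interface and one provider handoff per switch, only one provider link active at a time) can be reasoned about as a small graph. The following is an added example written for this page, not code from the post's author; it models VLAN 2 as an undirected graph and checks two things a practitioner would want to know before pulling STP off a port: which firewall can still reach the active uplink when the inter-switch trunk is blocked, and whether the topology contains a loop at all, since a loop is the only reason STP has something to block. The `provider_bridged` flag is an assumption introduced here to model one way a loop can exist (the provider carrying both handoffs on a single layer-2 segment); it is not a claim about the author's provider. Node names such as `fw_a` and `uplink_b` are hypothetical labels, not real device identifiers.

```python
"""Layer-2 reachability and loop check for the two-switch VLAN 2 layout.

Added example for this page (not the post author's code). The topology is
constructed inline from the post's description; 'provider_bridged' is an
assumption used to show what STP would actually be protecting against.
"""
from collections import deque


def build_vlan2(stp_blocks_trunk: bool, provider_bridged: bool) -> dict:
    """Return an adjacency map for VLAN 2 as an undirected graph."""
    edges = [
        ("fw_a", "switch_a"),      # outside interface of firewall A
        ("fw_b", "switch_b"),      # outside interface of firewall B
        ("switch_a", "uplink_a"),  # provider handoff on switch A
        ("switch_b", "uplink_b"),  # provider handoff on switch B
    ]
    if not stp_blocks_trunk:
        # The VLAN 2 trunk between the two switches (the port the post disabled STP on).
        edges.append(("switch_a", "switch_b"))
    if provider_bridged:
        # Assumption (hypothetical): the provider bridges both handoffs on one segment.
        edges.append(("uplink_a", "provider"))
        edges.append(("uplink_b", "provider"))
    adj: dict = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def reachable(adj: dict, src: str, dst: str) -> bool:
    """Breadth-first search: can a frame from src reach dst within this VLAN?"""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def has_loop(adj: dict) -> bool:
    """A connected component of an undirected simple graph has a cycle iff edges >= nodes."""
    seen = set()
    for start in adj:
        if start in seen:
            continue
        component, stack = set(), [start]
        seen.add(start)
        while stack:
            node = stack.pop()
            component.add(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        edge_count = sum(len(adj[n]) for n in component) // 2
        if edge_count >= len(component):
            return True
    return False


def failover_matrix(stp_blocks_trunk: bool, provider_bridged: bool) -> dict:
    """For every (active firewall, active uplink) pair, report whether the firewall can reach it."""
    adj = build_vlan2(stp_blocks_trunk, provider_bridged)
    return {
        (fw, up): reachable(adj, fw, up)
        for fw in ("fw_a", "fw_b")
        for up in ("uplink_a", "uplink_b")
    }


if __name__ == "__main__":
    for blocked in (True, False):
        for bridged in (False, True):
            adj = build_vlan2(blocked, bridged)
            print(f"trunk blocked={blocked} provider bridged={bridged} "
                  f"loop={has_loop(adj)} matrix={failover_matrix(blocked, bridged)}")
```

Running the four combinations shows the two halves of the question. With the trunk blocked and no other path between the switches, each firewall can only reach the uplink on its own switch, which is the partition the post describes; but that same graph is a tree, so STP would have had no loop to block there. A loop only appears once some second path between the switches exists (modelled here by the hypothetical bridged provider), and in that case removing STP from the trunk leaves the loop unprotected, which is the broadcast-storm risk that makes disabling STP on a trunk uncomfortable. The practical check before leaving STP off is the switch's own spanning-tree status output for VLAN 2: identify which other port was in the blocking or alternate role and what it connects to, because that port is the other side of the loop.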
