Firewall – VRFs to address asymmetric routing with stateful inspection

Tags: asymmetric-routing, firewall, vrf

For branch offices with dual routers and WAN connections, asymmetric routing causes issues with stateful packet inspection. Packets leaving through one router and returning through the other are dropped, as the return router's stateful firewall knows nothing about them.

One way to address asymmetric routing with dual stateful firewalls is to place the firewalls behind the routers with both firewalls in the same L2 (see figure below).

[Figure: Dual Routers and Firewalls]

The above solution requires more equipment at the branch offices (2x firewalls plus switches). To retain the benefits of a shared L2 between the routers and firewalls, I have tested the scenario below in GNS3. The router and stateful firewall (IOS Firewall) are combined in a single box using separate VRFs. The LAN sides of the routers communicate with each other and with the WAN-facing side of the firewalls over VLAN 666. Three HSRP groups are used: one for the router VRFs on their Fa0/0.666 interface, and two on the firewall VRFs, one for each interface. These HSRP groups ensure that packets will leave and return through the same firewall, though not necessarily the same WAN VRF.

[Figure: VRF-separated Router and Firewall]

This being an unconventional solution, I would appreciate feedback. I know it works in GNS3, and presumably in an actual setup, but because I have not seen such a solution online or in books I assume there may be drawbacks. Aside from increased complexity and perhaps a hit in throughput, is there a reason to avoid such a design?

Best Answer

Complexity is reason enough to use a simpler option if one is available. In this case, I'd recommend connecting each firewall to only one router and one Internet connection. GLBP would then be used for load balancing/fail-over. Tie GLBP to an IP SLA monitor for the Internet connection the router provides access to and you're finished.
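The GLBP-plus-IP-SLA design the answer recommends, written out as an added Cisco IOS configuration example for one of the two routers (this is not the asker's or answerer's configuration; interface names, the GLBP group number, the track object number and all addresses are constructed, using RFC 5737 documentation ranges). The peer router uses the same group and virtual IP with its own real addresses and a lower priority.

```cisco
! --- Monitor the Internet next hop this router provides access to ---
! Constructed example: ISP gateway 203.0.113.1 reached via Gi0/1.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Tracked object goes down when the probe loses reachability.
track 1 ip sla 1 reachability
!
! Default route is withdrawn when the ISP gateway is unreachable,
! so traffic is not black-holed on this router.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! --- LAN interface: GLBP group shared with the peer router ---
interface GigabitEthernet0/0
 description Branch LAN
 ip address 192.0.2.2 255.255.255.0
 ! Virtual gateway IP answered by the AVG; each router gets its
 ! own virtual MAC as an AVF, so hosts are split across both.
 glbp 1 ip 192.0.2.1
 glbp 1 priority 110
 glbp 1 preempt
 ! Weighting: this router stops forwarding (gives up its AVF role)
 ! when weight falls below 80 and resumes when it rises above 90.
 glbp 1 weighting 100 lower 80 upper 90
 ! Losing the ISP probe decrements the weight to 70 (< lower),
 ! so the peer router takes over this router's virtual MAC.
 glbp 1 weighting track 1 decrement 30
 glbp 1 load-balancing round-robin
!
! --- WAN interface toward this router's own Internet connection ---
interface GigabitEthernet0/1
 description ISP-A uplink
 ip address 203.0.113.2 255.255.255.0
```

Because each host is bound to one router's virtual MAC and that router owns its own Internet connection, a session leaves and returns through the same stateful firewall, which is what removes the asymmetric-routing problem without the VRF construction in the question.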