Redundancy or Asymmetric Routing Problems
IOS Firewall does not support router redundancy or load sharing among multiple routers; instead, it supports interface redundancy and load sharing. This means that if the request packet goes through router A, it must return back through router A. Otherwise, if CBAC is configured, router B drops the packets if router B receives them. If the packet leaves from router A serial interface 0 and returns on serial interface 1, if you have the same access-list 101 applied on both of the interfaces, the return packets will make it through and the connection will be established without any problem. This is because when CBAC creates a new channel, it installs the temporary access list entries on the interfaces used for the initial packet, but those same access lists may be installed on backup interfaces that provide additional paths to the same destinations. It is even possible to use CBAC with load sharing, if all the parallel interfaces are configured identically. If you configure the same access list and inspection parameters on two interfaces that are alternate paths to the same destination, connectivity should work. Remember to use the same access lists (with the same access list numbers) on both redundant interfaces. This works fine with dial backup for serial interface.