Details
In high availability, Active/Active cluster deployments, Floating IP addresses may be used for highly available virtual addressing that moves between devices in the event of a link or device failure. Typically, admins will configure a virtual IP address in the same subnet as the physical interface address. However, virtual addresses outside of the physical interface address network may also be used.
When a Floating IP address is configured in the same subnet as the physical interface, routing will automatically be in place due to the physically connected route created by the physical address configuration. In order to use a Floating IP address on a different subnet than the physical interface, routing will need to be explicitly added in order for forwarding to work. This can be accomplished by adding a static route to the network pointing to the interface as the next hop, or by using dynamic routing.
For example, ethernet1/1 is configured with a physical interface address of 10.0.0.1/23 and a Floating IP address of 192.168.0.1/24. The firewall will automatically have a connected route for the 10.0.0.0/23 network, but not the 192.168.0.1/24 network. Although it will respond to ARP requests for 192.168.0.1, it will not be able to route traffic on that network because the forwarding lookup would fail. Once a static route for 192.168.0.0/24 is added pointing to ethernet1/1, traffic will pass the firewall using the virtual Floating IP address on the 192.168.0.0/24 network.
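The forwarding behavior in this example can be modeled offline. The following Python sketch is an added illustration, not vendor code or firewall configuration: it builds a route table from the article's addresses, runs a longest-prefix-match lookup before and after the static route is added, and flags Floating IPs whose subnet has no route out of their own interface. The function names and the 192.168.0.50 test host are assumptions made for the example.

```python
import ipaddress

# Constructed sample data mirroring the article's example.
INTERFACES = {"ethernet1/1": "10.0.0.1/23"}           # physical addresses
FLOATING_IPS = [("ethernet1/1", "192.168.0.1/24")]    # (interface, floating IP)
STATIC_ROUTE = ("192.168.0.0/24", "ethernet1/1")      # (destination, egress interface)

def build_routes(interfaces, static_routes=()):
    """Connected routes derive only from physical addresses; statics are added explicitly."""
    routes = [(ipaddress.ip_interface(a).network, n) for n, a in interfaces.items()]
    routes += [(ipaddress.ip_network(d), n) for d, n in static_routes]
    return routes

def lookup(routes, dest):
    """Longest-prefix match. Returns the egress interface, or None if the lookup fails."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, ifname) for net, ifname in routes if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def floating_ips_without_route(routes, floating_ips):
    """Floating IPs whose subnet is not covered by any route out of their own interface."""
    missing = []
    for ifname, addr in floating_ips:
        fip_net = ipaddress.ip_interface(addr).network
        covered = any(n == ifname and fip_net.subnet_of(net) for net, n in routes)
        if not covered:
            missing.append(addr)
    return missing

if __name__ == "__main__":
    before = build_routes(INTERFACES)
    after = build_routes(INTERFACES, [STATIC_ROUTE])
    for label, routes in (("connected only", before), ("with static route", after)):
        print(label, "->", lookup(routes, "192.168.0.50"),
              "| unrouted floating IPs:", floating_ips_without_route(routes, FLOATING_IPS))
```

The same check can be run against an exported list of interface addresses, Floating IPs and static routes to catch a Floating IP that would answer ARP but fail the forwarding lookup.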
owner: ggarrison