https://community.cisco.com/t5/network-security/ftd-ha-packet-tracer-output/m-p/4166452#M1074733 <P>Could you issue show failover on the standby (active) unit just to verify the failover status.&nbsp; Also, Could you check the connected switch ARP table to verify that the standby FTD MAC address has been associated with the Active unit IP.</P> <P>Also, you say that the bug you posted applies to different devices, which devices do you have installed?</P> Wed, 14 Oct 2020 09:10:44 GMT Marius Gunnerud 2020-10-14T09:10:44Z https://community.cisco.com/t5/network-security/ftd-ha-packet-tracer-output/m-p/4166328#M1074727 <P>Working on a pair of 2130s running 6.2.3.12 and setup in HA.&nbsp; Having some issues with traffic passing from 1 interface to another even though the policies look correct.&nbsp; At present the secondary unit is the Active unit in the pair.&nbsp; If i go into advanced troubleshooting on the secondary (Active) unit and go through packet-tracer I get this result:</P><P>&nbsp;</P><P>Result:<BR />input-interface: Inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: Device_Management<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (fo-standby) Dropped by standby unit</P><P>&nbsp;</P><P>However if I run through the same packet-tracer on the primary (now Standby unit) I get this:</P><P>&nbsp;</P><P>Result:<BR />input-interface: Inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: Device_Management<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P><P>&nbsp;</P><P>I'll have access to some equipment tomorrow to actually get a packet capture for review but was curious as to why I'm seeing the results I am in packet-tracer.&nbsp; I saw a bug (<A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf72068/?rfs=iqvred" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf72068/?rfs=iqvred</A>) but that applies to different devices and these units aren't in transparent mode.</P> Wed, 14 Oct 2020 06:03:52 GMT https://community.cisco.com/t5/network-security/ftd-ha-packet-tracer-output/m-p/4166328#M1074727 mumbles202 2020-10-14T06:03:52Z https://community.cisco.com/t5/network-security/ftd-ha-packet-tracer-output/m-p/4166408#M1074730 <P>Never came across this before, but it looks like a bug to me. Based on my experience, the FTD 6.2.3.x is not stable and has a bunch of bugs. I would raise a TAC if upgrading it is not an option.</P> Wed, 14 Oct 2020 08:14:28 GMT https://community.cisco.com/t5/network-security/ftd-ha-packet-tracer-output/m-p/4166408#M1074730 Aref Alsouqi 2020-10-14T08:14:28Z https://community.cisco.com/t5/network-security/ftd-ha-packet-tracer-output/m-p/4166452#M1074733 <P>Could you issue show failover on the standby (active) unit just to verify the failover status.&nbsp; Also, Could you check the connected switch ARP table to verify that the standby FTD MAC address has been associated with the Active unit IP.</P> <P>Also, you say that the bug you posted applies to different devices, which devices do you have installed?</P> Wed, 14 Oct 2020 09:10:44 GMT https://community.cisco.com/t5/network-security/ftd-ha-packet-tracer-output/m-p/4166452#M1074733 Marius Gunnerud 2020-10-14T09:10:44Z https://community.cisco.com/t5/network-security/ftd-ha-packet-tracer-output/m-p/4166670#M1074746 <P>Thanks for the reply.&nbsp; Going directly to the FTDs the Primary unit was in fact the Active and the FMC was wrong.&nbsp; Forcing the re-sync corrected the status.&nbsp;&nbsp;</P> Wed, 14 Oct 2020 13:10:55 GMT https://community.cisco.com/t5/network-security/ftd-ha-packet-tracer-output/m-p/4166670#M1074746 mumbles202 2020-10-14T13:10:55Z