topic Re: FTD Failover in Network Security

FTD Failover

dijeshkeloth — Wed, 21 Oct 2020 05:02:56 GMT

Hi,

We have the following setup:

MPLS switch--Cisco FTD--Switch

Cisco FTD is configured in high availability mode. The primary FTD is connected to the primary MPLS switch and the standby FTD to the standby MPLS switch. Recently, the ftd failover happened and the standby ftd became active, however the MPLS switch did not failover as the link connecting the switch to the ftd was still up. Is there anyway to make the link down when the ftd is in standby mode?

Re: FTD Failover

Mohammed al Baqari — Wed, 21 Oct 2020 05:42:37 GMT

Hi,

The best option for full HA is to connect your switches using a trunk cable
and get full mesh. This means that primary FTD can communicate to
primary/secondary MPLS and same for secondary FTD. You can also use
stackwise if supported by the switches. This is the best design.

I don't recommend you to start using custom solutions to failover. Things
like EEM and tracking can be used as workaround but do it right to live
forever.

**** please remember to rate useful posts

Re: FTD Failover

balaji.bandi — Wed, 21 Oct 2020 07:26:25 GMT

we do see that kind of environment, some places they want to extend Layer 2 using the different path in the network layer2 switch

to meet the best do you have an alternative layer 2 paths for that? if not you need to use some kind of tracking, but Layer2 will be always up once side, others go down also. this is a bit tricky, as suggested you can use EEM script to keep monitor each side and shutdown or failover.

but it will have a small interruption of traffic.

Re: FTD Failover

AKK — Wed, 21 Oct 2020 08:25:38 GMT

Hi,

I would suggest to use the switch in stack for MPLS and in LAN side you can use both the switches connected via Trunk.

In this condition if case active firewall failover also you do not need to do switch side failover.

IN HA at a time only one firewall will be processing traffic and other will be in standby mode hence even it secondary firewall port is up also it does not create any issue.

Regards,

AKK

Re: FTD Failover

dijeshkeloth — Fri, 23 Oct 2020 06:51:06 GMT

Thanks All,

can you please share a sample EEM script that i can use?

Thanks,

Re: FTD Failover

Aref Alsouqi — Fri, 23 Oct 2020 08:25:26 GMT

I don't think using EEM would be recommended tbh, I think best practice would be as already mentioned to connect MPLS and FTD devices to the same switch or switch stack. That way, when failover happens, the traffic will still flowing out of the active MPLS, regardless which one is going to be.

Or maybe if you are pointing to a floating IP address for MPLS routes with HSRP or VRRP, you can ask your ISP to condition HSRP or VRRP to failover the MPLS circuit if they can't reach a specific IP behind your primary FTD.