topic Re: Cisco FMC/FTD Breaking HA in Network Security

Cisco FMC/FTD Breaking HA

IamSamSaul — Fri, 17 Sep 2021 19:35:45 GMT

Hi there,

I got a Cisco vFMC with two Cisco Firepower configured as HA pair. At present the Secondary unit is Active. We got an issue with the Primary unit and have to perform factory-reset. I got a couple of questions:

1) Do I have to break the HA configuration first and then reset the unit? Or I can perform a reset while the HA configuration is intact.

2) If I have to break the HA configuration (while the Secondary unit is Active), what will happen? Does the Secondary Active unit continue to function without any disruption?

I hope someone can help me with this issue. Any suggestion or advice will be highly appreciated.

Regards & Thanks,

Sam

Re: Cisco FMC/FTD Breaking HA

Milos_Jovanovic — Fri, 17 Sep 2021 20:36:59 GMT

Hi @IamSamSaul,

If you have backup of your FTD device, then follow the guielines from here.

If you don't have backup, then you can find guidelines here.

One note - I always like to hardcode MAC addresses because of this, as in HA, primary device is providing MAC address for active unit. If replaced, new primary unit will provide new MAC address, which can cause interruptions. For this reason, I always hardcode them, so I don't really care which unit is primary, as no physcal addresses are in use. I would advise to configure currently active MAC as primary before you proceed with rebuilding units (although I'm not sure you would be able to deploy new policy while one device is down).

BR,

Milos

Re: Cisco FMC/FTD Breaking HA

IamSamSaul — Fri, 17 Sep 2021 21:23:11 GMT

Hi Milos,

Thanks for your reply.

I don't have the latest backup. I'm not going to replace the unit. After
upgrading the unit I can't log into the cli. I read that I have to factory
reset the unit. Do I still have to hard code the MAC address because it
will be the same unit?

Regards,
Sam

Re: Cisco FMC/FTD Breaking HA

Milos_Jovanovic — Mon, 20 Sep 2021 05:46:46 GMT

Hi Sam,

Since you'll be using same device, I believe you don't need to hardcode MAC address this time, however, I would still advise it. This time you will just reimage device, but next time it might be HW replacement.

BR,

Milos

Re: Cisco FMC/FTD Breaking HA

vashan — Wed, 20 Oct 2021 22:17:03 GMT

Hi Milos.

I am facing the same problem on Device1. Can you describe the steps you used to fix the problem?

Description of my case:

I have two Cisco Firepower 2110 in HA Configuration. I tried to perform version upgrade from 6.4. to 6.6. I got Device2 (Standbyd device) upgraded to 6.6. But the Device1 (Primary) failed the update. And the Device1 i showing up in maintenance mode after i manually rebooted Device1 after upgrade failure. I cannot access the device using SSH. I can ping the management IP.