topic Re: Replace Secondary Firepower when in HA in Network Security

Replace Secondary Firepower when in HA

Garry Cooper — Mon, 08 Aug 2022 15:23:05 GMT

Have to replace a faulty secondary firepower, I am trying to delete the secondary from FMC that is setup in HA , but I cannot find the correct information to delete this.

I can click the bin button, but get this error "Confirm Delete" see below, and I am not sure ho to proceed.

But I am guessing the primary will run as it is then I should be able to delete the secondary then re-add the new firewall.

TIA

Re: Replace Secondary Firepower when in HA

balaji.bandi — Mon, 08 Aug 2022 15:33:01 GMT

follow below thread :

https://community.cisco.com/t5/network-security/ftd-how-to-put-a-reimaged-ha-member-back-to-the-ha-pair/td-p/3831973

Re: Replace Secondary Firepower when in HA

Marius Gunnerud — Mon, 08 Aug 2022 18:20:21 GMT

Well the error message is telling you how to delete the high availability configuration. You go into the CLI and issue the command "configure high-availability disable". I would suggest performing a device backup of the primary / active FTD before doing this, that way you will have a quick way back should the current active happen to lose its configuration.

Re: Replace Secondary Firepower when in HA

Sheraz.Salim — Mon, 08 Aug 2022 20:21:51 GMT

can click the bin button, but get this error "Confirm Delete" see below, and I am not sure ho to proceed.

In order to replace the faulty appliances you need to break the HA pair. Therefore your approach is right but its understandable as these appliances are in the production so you want to be extra carefull. having said that, its safe to press the "Confirm Delete".

But I am guessing the primary will run as it is then I should be able to delete the secondary then re-add the new firewall.

you are absolutely correct. once you break the HA pair. The Primay active firewall stay in production and service/serve the traffic. it will not impact on your production traffic in any means. There is no need to go into CLI of the FTD and issue the command. FMC do all labour work for you.

NOTE: When we break the HA pair only the failover configuration are removed on both firewalls. by default, Firewall is in always in "Secondary" mode. That is why when we steup the HA pair we manually setup one appliance as "Primary".

Here Cisco official document explain the process of breaking the HA-FTD pair.

Once you get your new appliance FTD you need to make the HA-pair again. In that case make sure you make your primary appliance in production as primary. in case if you make new appliance primary, this appliance will wipe your production configuration. in that case in order to get the issue fix you have to apply the FTD restore. Just a caution thought to mentioned this. All the best.

Re: Replace Secondary Firepower when in HA

manofsteel03 — Tue, 09 Aug 2022 05:38:35 GMT

I agree with @Sheraz.Salim as we have ran into this issue in the past with one of our HA pairs. Take backup of Primary, make note of all the settings of the secondary instance on the chassis, break HA pair and then delete secondary from FMC. Delete instance from chassis, reinstall new instance with same settings, bring back into FMC and rebuild HA pair.

Re: Replace Secondary Firepower when in HA

Chakshu Piplani — Tue, 09 Aug 2022 07:27:37 GMT

Your approach is correct.

Before you break the HA, make sure to take a screenshot of the interface page, so that once you re-add another unit as HA, you have all the info such as secondary IP address, any specific mac address entered etc.

Regards,

Chakshu

Re: Replace Secondary Firepower when in HA

Garry Cooper — Tue, 09 Aug 2022 07:39:54 GMT

Thanks for the replies, but tried this morning to delete the secondary ftd but get this error.

Error

The Device NCC-Civic-FTD-HA cannot be deleted because the following VPN Configuration(s) refer to this device.

See attached image.

Re: Replace Secondary Firepower when in HA

Sheraz.Salim — Tue, 09 Aug 2022 08:26:08 GMT

could you issue the command configure high-availability disable on the Primary FTD.

Marvin answer a similar post with similar issue.

https://community.cisco.com/t5/network-security/cannot-delete-a-ftd-device-from-fmc-when-l2l-vpn-tunnel-is/td-p/4506257

You can capture all of the relevant VPN parameters from either screenshots via a "show run" from the cli.

If you need the preshared key you can go to the lina cli (system support diagnostic-cli) and use "more system:running-config".

Then you can remove the config in FMC and delete the device and use the parameters you've gathered to recreate it later on the new device. It only takes 10-15 minutes to do so.

Re: Replace Secondary Firepower when in HA

Marius Gunnerud — Tue, 09 Aug 2022 08:49:41 GMT

first off make sure you have a complete backup of your FMC and FTD devices before you begin.

unplug the failed FTD data interfaces from the network (if the cables are not marked, i suggest either marking them or at least taking note of which port each cable connects to on the FTD and the switch)
Via CLI issue the command configure high-availability disable on the failed device.

Re: Replace Secondary Firepower when in HA

Garry Cooper — Wed, 10 Aug 2022 07:53:49 GMT

Found a different way to get the FTD added to FMC

By changing the IP in the Device settings, allowed me to add the device to FMC

See attached pic.

My new issue is now that I have the FTD in FMC it will not allow me to upgrade to same firmware as the primary.

Primary is 6.6.5.2

Secondary 6.6.5

Re: Replace Secondary Firepower when in HA

Marius Gunnerud — Wed, 10 Aug 2022 08:22:03 GMT

is the FTD still in HA remember that deleting it from the HA in GUI does not disable HA at in the firewall (as mentioned in the message you get when deleting the HA pair in GUI)? might be that you need to make the FTD a standalone, then upgrade, then add it back to the HA pair.

Re: Replace Secondary Firepower when in HA

Sheraz.Salim — Wed, 10 Aug 2022 10:26:40 GMT

As mentioned by @Marius Gunnerud you need to make sure prior to making the HA pair the same software version match on the FTDs otherwise the HA will not make a pair.

The 2 units in the HA must:

Be the same model
Have the same number and types of interfaces
Be in the same firewall mode (routed or transparent)
Have the same software version
Be in the same domain or group on the FMC
Have the same NTP configuration
Be fully deployed on the FMC with no uncommitted changes
Not have DHCP or PPPoE configuration in any of their interfaces
FTD devices in HA mush have the same license
HA configurations require two smart license entitlements; one for each device in the pair.

Re: Replace Secondary Firepower when in HA

Chakshu Piplani — Fri, 12 Aug 2022 20:10:58 GMT

If rest everything else is in place, and there is just the minor version mismatch, there is a way to install the update via root for the secondary device.

You will need to push the file 6.6.5.2 to FTD in path

/var/sf/updates/

using wget and then install it via command:

install_update.pl /var/sf/updates/<name of the upgrade package> --detach

e.g.

install_update.pl /var/sf/updates/Cisco_FTD_SSP_FP2K_Upgrade-6.6.1-91.sh.REL.tar --detach

You might want to get TAC support if you need assistance with this and you are unable to place the file in the directory /var/sf/updates

Regards,

Chakshu

Do rate helpful posts!

Re: Replace Secondary Firepower when in HA

Sheraz.Salim — Fri, 12 Aug 2022 20:49:42 GMT

instead of doing all this hassel from the FTD CLI. why not once the FTD is added in the FMC. Prior to making the HA pair push the minor patch update from the FMC update tab (you only need to download the minor software from cisco download and upload into the FMC). more save method without involving the TAC support when using the FTD CLI and things go wrong.

once the FTD update is done. processed to make the HA pair.

Re: Replace Secondary Firepower when in HA

Chakshu Piplani — Sat, 13 Aug 2022 07:09:33 GMT

Because Garry has mentioned this "My new issue is now that I have the FTD in FMC it will not allow me to upgrade to same firmware as the primary."

Regards,

Chakshu

Re: Replace Secondary Firepower when in HA

Garry Cooper — Mon, 15 Aug 2022 08:53:37 GMT

Just an update to my issue, so got Tac involved and they found an issue with FMC not synchronizing that was causing the issue me not allow the upgrade. Once fixed I could upgrade to same version as primary.

My issue now is I need to force break HA so I can get rid of the faulty secondary ftd this still present in FMC.

If I try to delete the secondary it throws and error about the VPN Config "The Device 'NCC-Civic-FTD-HA' cannot be deleted because the following VPN Configuration(s) refer this device." I have over 100 VPN's setup so not an option the just delete and redo,

Tac say I need to force delete, see image below.

Anyone know timescale on how long this will take.

Re: Replace Secondary Firepower when in HA

Marius Gunnerud — Mon, 15 Aug 2022 09:29:51 GMT

You need to log into the CLI and issue the command "configure high-availability disable".

I suggest that before doing this you have a complete backup of the FMC and FTD device.

If FTD has been removed from the network and it is just the presence of the FTD object in the GUI, then check the box for force and continue with the delete. It should only take a few seconds. But still make sure you have a full backup ready to be restored.

Re: Replace Secondary Firepower when in HA

Garry Cooper — Mon, 15 Aug 2022 09:38:24 GMT

Marius.

Thanks for the reply, just had an email from tac saying that it will take upto 20 mins, if I force the break ha..

But this totally defeats the object of having HA, if you have a working primary and you need to remove some simple ha config to re introduce a secondary, and this will cause service disruption.

Re: Replace Secondary Firepower when in HA

Marius Gunnerud — Mon, 15 Aug 2022 10:03:36 GMT

I dont see how this would take 20 minutes. I have never tried the "force" option but for a regular break it is just the deployment time.

Re: Replace Secondary Firepower when in HA

Garry Cooper — Tue, 16 Aug 2022 13:07:31 GMT

Just an update, got both firepowers back in HA.

Doing a Force does interupt traffic, but for only about 20 secs.

It then drops again after makeing HA again.