topic Re: Firewall Active/Standby failover in case of Failover or state link in Network Security

Firewall Active/Standby failover in case of Failover or state link

Mit_har — Tue, 25 Apr 2023 04:33:23 GMT

Hi, I want to know if any or both of the Failover or state link between firewall failed which is required for HA configuration, which firewall will be active, How we can come to know that HA link between firewalls goes break to take the corrective action?

Re: Firewall Active/Standby failover in case of Failover or state link

Rob Ingram — Tue, 25 Apr 2023 08:21:11 GMT

@Mit_har if the failover/state link fails there will be no failover, so the current active firewall will remain active. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/high-availability.html

Monitor the firewall and individual interfaces using SNMP, this will alert you of the interface failure.

Re: Firewall Active/Standby failover in case of Failover or state link

DanielP211 — Tue, 25 Apr 2023 07:43:04 GMT

Hello inhamit,

No FW will become active, the FW's will test the other links before the split-brain scenario. I would still recommend you configure the failover link over a redundant link (in this case you have the option for redundancy on HA link). To monitor the interfaces use monitor ifname.

An example of config would be:

interface Redundant 1
member-interface GigabitEthernetX/X
member-interface GigabitEthernetX/X

failover
failover lan unit primary
failover lan interface failover Redundant1
failover replication http
failover link failover Redundant1
failover interface ip failover X.X.X.X XX.XX.XX.0 standby X.X.X.Y

Re: Firewall Active/Standby failover in case of Failover or state link

MHM Cisco World — Tue, 25 Apr 2023 08:08:17 GMT

Both exchange message through the other interface' when standby detects that specific percentage of monitors interface is not receive messages then standby will become active.

Here cisco recommends to faster detect failover and repair it' otherwise you will face splits brain.

Re: Firewall Active/Standby failover in case of Failover or state link

Mit_har — Tue, 25 Apr 2023 08:41:28 GMT

Can we have redundant link for both state and failover link? what is the difference between Failover and State link?

Re: Firewall Active/Standby failover in case of Failover or state link

MHM Cisco World — Tue, 25 Apr 2023 08:54:04 GMT

check above

Re: Firewall Active/Standby failover in case of Failover or state link

MHM Cisco World — Tue, 25 Apr 2023 08:53:38 GMT

ASA- Interface monitoring in failover and its impact - Cisco Community <<- cisco employe explain this better than me check link

Re: Firewall Active/Standby failover in case of Failover or state link

Mit_har — Tue, 25 Apr 2023 09:03:20 GMT

So the best way to have redundant link for Failover and State link between the firewall total 2 dedicated ports on each firewall. can we have redundant link for state link? Any config?

Re: Firewall Active/Standby failover in case of Failover or state link

MHM Cisco World — Tue, 25 Apr 2023 09:04:45 GMT

Firepower Management Center Configuration Guide, Version 6.4 - High Availability for FTD [Cisco Secure Firewall Management Center] - Cisco

you can use PO for failover BUT there is some note you need to check, see above link

for what different the different the failover link excahnge the config and heartbeat between two FW and status exchange the connection status (replication of traffic status)