topic Re: FTD HA - Unable to Deploy After Failover Link Broke in Network Security

FTD HA - Unable to Deploy After Failover Link Broke

elijahosunbajo — Wed, 21 Jun 2023 10:48:47 GMT

Hi Everyone,

We are in the process of deploying HA for 2 FTDs in our environment to go into production. Currently in the test phase, however, after deploying the HA, which worked. A week later, we lost the failover link. This caused the inability to deploy configuration changes to either FTD in the HA pair. I had to break the HA pair in order to deploy the latest config on the primary FTD, which means all config on the secondary HA pair was lost.

When the failover link fails, does FMC see both units as active and thereby making config deployment impossible?

I have attached the error message in this post as well

Someone kindly advise and assist.

Re: FTD HA - Unable to Deploy After Failover Link Broke

MHM Cisco World — Wed, 21 Jun 2023 11:09:38 GMT

dual brain issue, and since the mgmt interface also flapping during fail over then FMC see two FW with same mgmt interface.

Re: FTD HA - Unable to Deploy After Failover Link Broke

elijahosunbajo — Wed, 21 Jun 2023 11:18:18 GMT

Thanks, @MHM Cisco World for your response.

My worry is now that does this mean each time the failover link fails, the only way to be able to deploy is to break the HA pair and re-add the FTDs in HA when the failover link is repaired?

Re: FTD HA - Unable to Deploy After Failover Link Broke

MHM Cisco World — Wed, 21 Jun 2023 13:38:44 GMT

but Cisco FW HA is not depend only to failure link down to start failover process

it use Data interface IN and OUT to monitor mate FW before start process,
I think what you face is something relate to SW interconnect both FPR,
the FPR down the failure link and data interface that FPR use as monitoring interface.

Re: FTD HA - Unable to Deploy After Failover Link Broke

Aref Alsouqi — Wed, 21 Jun 2023 14:49:50 GMT

The FTD dedicated management ports will still be with different IP addresses regardless of the failover state.

Re: FTD HA - Unable to Deploy After Failover Link Broke

Aref Alsouqi — Wed, 21 Jun 2023 14:52:38 GMT

I think the reason why the FMC wouldn't be able to push the changes when the failover is broken is because it wouldn't be able to know to which active device the changes should be pushed. Did you check from the logs why the failover link got broken? if not I would try to find out the root cause of why the failover link gets broken and try to fix that issue. Also, what version of FMC and FTD are on?

Re: FTD HA - Unable to Deploy After Failover Link Broke

elijahosunbajo — Wed, 28 Jun 2023 06:02:13 GMT

Yes that's my thinking too. So the scenarios is that we have the firewalls at different locations and the link connecting them is a fiber.
There was a fiber break that disrupted the failover link.

Re: FTD HA - Unable to Deploy After Failover Link Broke

elijahosunbajo — Wed, 28 Jun 2023 06:04:45 GMT

Correct. However the problem is the failover link itself. The firewalls in HA pair are in separate locations connected by a fiber link.

Re: FTD HA - Unable to Deploy After Failover Link Broke

Aref Alsouqi — Wed, 28 Jun 2023 10:29:14 GMT

If you have multiple links between the two locations, you can configure a port channel for the HA links, in that case you will have some resiliency if a link goes down.

Re: FTD HA - Unable to Deploy After Failover Link Broke

MHM Cisco World — Wed, 28 Jun 2023 10:32:39 GMT

Cisco FW HA design not depend on Fail over Link only to detect mate down, it also use data interface INside and OUTside to send some heart beat to detect Mate down.
as I mention before I think fail over link and data link share same physical link when down all fail over and data interface is down.