https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5002886#M1108272 <P>Hi Ramakrishnan, as already mentioned by <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;and&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>, there is no concept of floating IP address when you configure HA on the ASA/FTDs. The HA concept on the ASA/FTDs is different than what you would do with HSRP and I think Juniper devices.</P> <P>With HA on the ASA/FTDs when the active device goes down, its interfaces IP addresses and their MAC addresses will be moved to the secondary device which will become the primary. From the network endpoints perspective nothing would change because the secondary device will now have the same IP addresses and same MAC addresses, so no ARP updates are required.</P> <P>Regarding managing the FTD in case the FMC is down, that is a bit tricky. Because even if you can access the FTD via SSH, you won't be able to configure the FTD with anything but using the little set of commands available. For example, say you want to remove an access list entry, changing an IP, add a security rule, etc, many of those tasks won't be possible, and the only way to configure or interact with them would be through the FMC.</P> Mon, 22 Jan 2024 22:29:02 GMT Aref Alsouqi 2024-01-22T22:29:02Z https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5002818#M1108263 <P>Dear Folks,&nbsp;</P><P>After quite long time I am seeking some help from Cisco community <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I have few Qs on FTD &amp; FMC</P><P>1. In Cisco, there is two types of HA[except Cluster] A/A and A/S in both cases there is no concept of VIP/floating IPs? Instead We suppose to configure IP address on each A and P device with an IP, that IP address get exchange during FO? Is that correct?</P><P>2. If we managing FTD from FMC, in the even of FMC failure how do we manage FTD, FTD will be accessible through SSH/FTDM?&nbsp; IN general If I remember correctly FTD will not allow SSH by default?</P><P>&nbsp;</P><P>Regards,</P><P><STRONG>Ram</STRONG></P> Mon, 22 Jan 2024 19:46:58 GMT https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5002818#M1108263 Ramakrishnan V 2024-01-22T19:46:58Z https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5002822#M1108264 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/290774">@Ramakrishnan V</a> correct, there is no VIP - each FTD has it's own IP address and the IP address is swapped on failover. So the primary IP address is still the same regardless of which FTD is active.</P> <P>An FTD managed by the FMC is manageable via SSH, but you still need to deploy policies via FMC.</P> Mon, 22 Jan 2024 19:50:47 GMT https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5002822#M1108264 Rob Ingram 2024-01-22T19:50:47Z https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5002833#M1108267 <P><A href="https://rayka-co.com/lesson/cisco-ftd-high-availability/" target="_blank">https://rayka-co.com/lesson/cisco-ftd-high-availability/</A></P> <P>we use management interface to register FTD to FMC&nbsp;<BR />and there is no VIP, the host will use the active IP as GW.<BR />MHM</P> Mon, 22 Jan 2024 20:14:41 GMT https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5002833#M1108267 MHM Cisco World 2024-01-22T20:14:41Z https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5002886#M1108272 <P>Hi Ramakrishnan, as already mentioned by <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;and&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>, there is no concept of floating IP address when you configure HA on the ASA/FTDs. The HA concept on the ASA/FTDs is different than what you would do with HSRP and I think Juniper devices.</P> <P>With HA on the ASA/FTDs when the active device goes down, its interfaces IP addresses and their MAC addresses will be moved to the secondary device which will become the primary. From the network endpoints perspective nothing would change because the secondary device will now have the same IP addresses and same MAC addresses, so no ARP updates are required.</P> <P>Regarding managing the FTD in case the FMC is down, that is a bit tricky. Because even if you can access the FTD via SSH, you won't be able to configure the FTD with anything but using the little set of commands available. For example, say you want to remove an access list entry, changing an IP, add a security rule, etc, many of those tasks won't be possible, and the only way to configure or interact with them would be through the FMC.</P> Mon, 22 Jan 2024 22:29:02 GMT https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5002886#M1108272 Aref Alsouqi 2024-01-22T22:29:02Z https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5003021#M1108280 <P>Thank you so very much&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/284594">@Aref Alsouqi</a>&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;</P> Tue, 23 Jan 2024 05:10:42 GMT https://community.cisco.com/t5/network-security/ftd-failover-vip-and-some-basic-qs-on-ftd/m-p/5003021#M1108280 Ramakrishnan V 2024-01-23T05:10:42Z