topic Re: FTD H/A split brain issues in Network Security

FTD H/A split brain issues

Chess Norris — Thu, 22 May 2025 07:34:05 GMT

Hello,

A customer has around 20 H/A pairs of FTD 1010's that are managed by a cdFMC. Recently I saw some alerts in the FMC saying "High availability is in split brain"

When I Iogin to the FTD's and do a "show failover state", both FTD's says communication errors and they are both active. However, the failover interface is up on both firewalls and there is no switch between. It's only a cable directly connected on interface 1/8 between the two FTD's.

Could it still be a cable issue even though both the status and the protocol is up when checking with "show interface IP brief" or could it be something else?

When trying to do a deploy, I get the following error when deploying "Deployment is not possible for this HA pair as both units are active. Correct the failover link else try force breaking the HA pair."

Thanks

/Chess

Re: FTD H/A split brain issues

ahollifield — Thu, 22 May 2025 12:13:26 GMT

It could be, can you ping across that link? Some other configuration issue? What version?

Re: FTD H/A split brain issues

Chess Norris — Fri, 23 May 2025 08:02:46 GMT

I discovered something really strange on the primary FTD. We are using physical Ethernet1/1 and 1/2 as a port-channel. When doing a "show ip int brief", It says the port-channel is up but the physical interfaces are both down and unassociated. Never seen this before. How can the port-channel be upp if the physical interfaces are down?

firepower# show int ip brie
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Port-channel1 unassigned YES unset up up

Ethernet1/1 unassigned unassociated unset admin down down
Ethernet1/2 unassigned unassociated unset admin down down

/Chess

Re: FTD H/A split brain issues

Tshepo — Fri, 23 May 2025 09:06:41 GMT

Hi, did you end up resolving this ?

If so, how ?

Re: FTD H/A split brain issues

Chess Norris — Fri, 23 May 2025 13:58:57 GMT

TAC belive we are hitting the following defect https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh17965

The workaround was to delete and re-create the port-channel, but that's need to be done in FXOS. Normally we can only do configuration changes in FXOS on the bigger chassi firewalls (4100/9300) Smaller firewalls let us access FXOS, but we cannot do any changes to the configuration. However, TAC had a backdoor making it possible to commit changes in FXOS.

/Chess

Re: FTD H/A split brain issues

Network Diver — Mon, 26 May 2025 04:46:12 GMT

Frightning ... LACP port-channeling must be a pretty new and experimental technology!