topic Re: HA Pair on FTDv on subinterfaces in Network Security

HA Pair on FTDv on subinterfaces

s_SiD_s — Wed, 04 Feb 2026 12:09:24 GMT

Good day team!
We have 2 servers connected to each other with 2 patch-cords.
On vCenter admin configured 2 ports

Port14-VLAN-1111-1114
VLAN trunk range: 1111-1114
Virtual Machines (4) ----! 3 ASAv Primary and FTDV-1
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Port15-VLAN-1115-1118
VLAN trunk range: 1115-1118
Virtual Machines (4) ----! 3 ASAv- Secondary and FTDv-2

ASAv failover works perfect as for example one of them

interface GigabitEthernet0/3.1111
 description LAN Failover Interface
 vlan 1111
!
interface GigabitEthernet0/4.1115
 description STATE Failover Interface
 vlan 1115
!
failover interface ip LFO 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip SFO 192.168.1.5 255.255.255.252 standby 192.168.1.6

So I configured the same on both FTDv-s, but when I start to configure HA, these port not shown up in drop down...

more to say, I recieved an alarm that subinterfaces not recieving any packets, so i remove Logicalname from subs, and alarm goes away. But still cannot see neither interfaces no subinterfaces...
May be FTDv\FMC does not support this kind of config?
If this kind of config is supported, please help to sort it out, i will be appreciated a lot.

attached screenshots shows config

Re: HA Pair on FTDv on subinterfaces

balaji.bandi — Wed, 04 Feb 2026 13:26:34 GMT

I am not sure sub-interface supported for failover and state link, as per my experience and deployment : (if new version has changed no idea, but happy to hear from other engineers).

Check the guidelines for the version. Here is the 7.4 code

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/threat-defense-virtual-74-gsg/m-ftdv-vmware-gsg.html

Re: HA Pair on FTDv on subinterfaces

Rob Ingram — Wed, 04 Feb 2026 13:30:51 GMT

@s_SiD_s as per the guides:-

Interface for the Failover Link

You can use an unused data interface (physical, or EtherChannel) as the failover link; however, you cannot specify an interface that is currently configured with a name. You also cannot use a subinterface with the exception of a subinterface defined on the chassis for multi-instance mode.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/high-availability.html

Re: HA Pair on FTDv on subinterfaces

s_SiD_s — Wed, 04 Feb 2026 13:34:17 GMT

oh...I think I found the answer... 1 more patch-cord need to be placed between servers... no trunking supported

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/high-availability.html

Interface for the Failover Link You can use an unused data interface (physical, or EtherChannel) as the failover link; however, you cannot specify an interface that is currently configured with a name. You also cannot use a subinterface with the exception of a subinterface defined on the chassis for multi-instance mode. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface can only be used for the failover link (and also for the state link). The Firewall Threat Defense does not support sharing interfaces between user data and the failover link. You also cannot use separate subinterfaces on the same parent for the failover link and for data (multi-instance chassis subinterfaces only). If you use a chassis subinterface for the failover link, then all subinterfaces on that parent, and the parent itself, are restricted for use as failover links.

Re: HA Pair on FTDv on subinterfaces

s_SiD_s — Wed, 04 Feb 2026 13:41:18 GMT

on the chassis - means hardware device, not virtual?

Re: HA Pair on FTDv on subinterfaces

Rob Ingram — Wed, 04 Feb 2026 13:50:34 GMT

@s_SiD_s yes, multi instance which it is referring to is only supported on 3100, 4100, 4200 and 9300 hardware.

Re: HA Pair on FTDv on subinterfaces

s_SiD_s — Wed, 04 Feb 2026 14:21:10 GMT

So, we need to go to DataCenter and install 2 more (or 1 will be enough) patch-cords between servers for FTDv-HA? >_<

Re: HA Pair on FTDv on subinterfaces

s_SiD_s — Wed, 04 Feb 2026 14:58:17 GMT

team! what about clustering? if subinterfaces not supported, can I make cluster?

Re: HA Pair on FTDv on subinterfaces

Rob Ingram — Wed, 04 Feb 2026 15:02:15 GMT

@s_SiD_s clustering is supported on virtual FTD in private cloud using Vmware or KVM as per the cisco documents https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/device-ops-cluster-ftdv-private.html

Re: HA Pair on FTDv on subinterfaces

s_SiD_s — Fri, 06 Feb 2026 15:06:21 GMT

Thank you for link!
admin went to DC and connected another interfaces on servers to each other.
Another thing to consider...do we need to create a dummy vlan on vCenter that is not routing and assing it to intertfaces proposed for failover? Right now...there is VM Netwiork pointing nowhere....
so my HA not working in this case...

Re: HA Pair on FTDv on subinterfaces

Cristian Matei — Fri, 06 Feb 2026 15:45:30 GMT

Hi,

@s_SiD_s From technical point of view, as long as there is layer 2 connectivity between the two FTD's, the VLAN does not have to be dedicated. Practically speaking, to avoid potential VLAN noise from other hosts, always use a dedicated VLAN.

Also, ensure, if there's physical switches in the path, ensure to run RSTP and the ports connected to the FTD's are in STP EDGE mode, otherwise, any STP topology change for the VLAN will result in 30 seconds of communication downtime between FTD's. Obviously, to avoid split brain scenarios, ensure to use Standby IP's for all your layer 3 interfaces.

Thanks,

Cristian.

Re: HA Pair on FTDv on subinterfaces

s_SiD_s — Mon, 09 Feb 2026 13:26:28 GMT

I have done HA after ESXi admin created dummy vlan and assignet to intergface for LAN\STATE
HA raised smooth and nicely without any errors.
Now I am seeting up logging to Graloylog and noticed that there is mees up with time)
for example: admin setting show right time
logs on Graylog are not...

FMC shows right time

Re: HA Pair on FTDv on subinterfaces

Cristian Matei — Mon, 09 Feb 2026 19:07:48 GMT

Hi,

@s_SiD_s Not sure I exactly understand the problem. If you're speaking about the 3 hours difference, that because of timezone vs your logging configuration settings.

Thanks,

Cristian.