Firepower 2100 HA problems

Hu371 (Level 1)

I have two Firepower 2110 in HA (software 6.2.2.1, with hotfix D applied). The HA is working, but I encountered some weird problems.

With HA, the FMC will give you critical errors ("interfaces not receiving any traffic"), since the FMC health policy tries to monitor interfaces, but the standby unit is not forwarding anything. I found a blog post that suggested assigning two different health policies to the HA members (one that monitors the interfaces and one that doesn't).

The problem is that in FMC version 6.2.2 you cannot choose only one member of the HA pair to apply the policy to. You can choose both or none...

Same thing with FTD software updates. The official documentation says that you should first upgrade the secondary member in HA, and after that is done, the other member. In FMC 6.2.2 you cannot choose one member in HA to initiate the upgrade. You can choose both or none. So I had to choose both members, and thankfully the script started upgrading the standby member first, but that was not documented anywhere.

Another thing was that I was able to log into the 2100 with SSH prior to the HA config. After HA configuration, SSH access to one of the members (the active member) fails. I'm able to connect, but none of the passwords that I used earlier work. The strange thing is that SSH access to the standby unit is still working with the old password.

So it seems like the HA config does something with the internal admin accounts and does not sync them between the members in HA.

Accepted Solution

mikael.lahtela (Level 4)
Hi,

You can use Health > Blacklist to disable interface monitoring on the standby unit.
If the system fails over, you will get an interface error on the non-blacklisted unit.
The update is scripted to always begin with the standby unit, or you could disable HA, but I have never bothered with that or tested it.
I had the same problem with SSH; reloading the device solved the issue (probably a bug).

br, Micke


2 Replies


I could log into the active unit console with the same password, so I reset the password from there and it worked.
