cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


1356
Views
0
Helpful
2
Replies
Beginner

Firepower 2100 HA problems

I have two Firepower 2110 in HA (software 6.2.2.1 - with hotfix D applied). The HA is working, but some weird problems, that I encountered. 

 

With HA, the FMC will give you critical errors("interfaces not receiving any traffic"), since the FMC health policy tries to monitor interfaces, but standby unit is not forwarding anything. I found a blog post, that suggested assigning two different health policies to HA members (one that monitors the interfaces and on that doesn't).

 

The problem is, that in FMC version 6.2.2, you cannot choose only one member in HA to apply the policy. You can choose both or none...

 

Same thing with FTD software updates. The official documentation says, that you should first upgrade the secondary member in HA, and after that is than, then the other member. In FMC 6.2.2 you cannot choose one member in HA to initiate the upgrade. You can choose both or none. So I had to choose both members and thankfully the script started upgrading the standby member first, but that was not documented anywhere.

 

Another thing was that I was able to log into 2100 with SSH, prior to HA config. After HA configuration, the SSH access to one of the members fails (active member). I'm able to connect, but none of the password work, that I used earlier. The strange thing is, that SSH access to standby unit is still working with the old password.  

So it seems like HA config does something with internal admin accounts and does not sync it with members in HA.

1 ACCEPTED SOLUTION

Accepted Solutions
Enthusiast

Re: Firepower 2100 HA problems

Hi,

You can use Health>Black list to disable interface monitoring on the standby unit.
If the system fails, you will get an interface error on the non-blacklisted unit.
The update is scripted to always begin with the standby unit, or you could disable HA but I have never bothered with that or tested it.
I had the same problem with SSH, reload the device solved the issue. (probably a bug).

br, Micke

View solution in original post

2 REPLIES 2
Enthusiast

Re: Firepower 2100 HA problems

Hi,

You can use Health>Black list to disable interface monitoring on the standby unit.
If the system fails, you will get an interface error on the non-blacklisted unit.
The update is scripted to always begin with the standby unit, or you could disable HA but I have never bothered with that or tested it.
I had the same problem with SSH, reload the device solved the issue. (probably a bug).

br, Micke

View solution in original post

Beginner

Re: Firepower 2100 HA problems

I could log into the active unit console with the same password, so I reset the password from there and it worked,