I have two Firepower 2110 in HA (software 220.127.116.11 - with hotfix D applied). The HA is working, but some weird problems, that I encountered.
With HA, the FMC will give you critical errors("interfaces not receiving any traffic"), since the FMC health policy tries to monitor interfaces, but standby unit is not forwarding anything. I found a blog post, that suggested assigning two different health policies to HA members (one that monitors the interfaces and on that doesn't).
The problem is, that in FMC version 6.2.2, you cannot choose only one member in HA to apply the policy. You can choose both or none...
Same thing with FTD software updates. The official documentation says, that you should first upgrade the secondary member in HA, and after that is than, then the other member. In FMC 6.2.2 you cannot choose one member in HA to initiate the upgrade. You can choose both or none. So I had to choose both members and thankfully the script started upgrading the standby member first, but that was not documented anywhere.
Another thing was that I was able to log into 2100 with SSH, prior to HA config. After HA configuration, the SSH access to one of the members fails (active member). I'm able to connect, but none of the password work, that I used earlier. The strange thing is, that SSH access to standby unit is still working with the old password.
So it seems like HA config does something with internal admin accounts and does not sync it with members in HA.
Solved! Go to Solution.