Firesight Management Center Virtual Appliance with High availability

west33637
Level 1

Hello all. It is my understanding that the FMC virtual appliances do not offer HA synchronization. If we have 2 virtual appliances - 1 in a production and 1 in a DR data center. How do we configure these? Would we have to manage them separately? Can the same sensors be registered to 2 different FMCs? Is this advisable in this scenario considering that both FMCs may have different configurations? Or are we just restricted to 1 FMC in the virtual appliance scenario?

Thanks,

13 Replies

Marvin Rhoads
Hall of Fame

You are restricted to one FMC in the virtual appliance scenario (as of the current software 5.4.x).

vMotion the VM if you need to fail over to the second data center.

Hi Marvin,

Bringing up a little bit old subject here, but I find it relevant to my question.

My guess is nothing much has changed with FMC 6.0 and there is still no built-in HA for virtual FMC, but regarding vMotion I found the 5.4.1 deployment guide: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/virtual-install-guide/FireSIGHT-Virtual-Installation-Guide.pdf 

Quote:

The following limitations exist when deploying virtual Defense Center or devices on VMware:

  • vMotion is not supported.
  • Cloning a virtual machine is not supported.
  • Restoring a virtual machine with a snapshot is not supported.
  • Restoring a backup is not supported

As my understanding goes, vMotion is not supported as a solution. Can you please comment on whether this has changed in 6.0? What would be the suggested way to get some kind of HA for FMC?

Thanks!

I have just come across this thread.

Is high availability not supported within VM, or can a VM FMC not manage two physical firewalls in VM mode?

cisco8887  

The original question was about HA of the FMC itself. That is not supported with the VM FMC form factor.

An FMC can manage multiple physical firewalls up to the limit of its license. (They are licensed in 2-, 10- and 25-unit tiers.)

Many thanks. So, in a way, unless one buys the hardware there is no HA with VMware FMC?

You're welcome.

That's correct. You should make sure to take regular backups and have the backup location be remote (i.e. to an ftp, scp or smb destination).

Best practice is to schedule weekly backup jobs (along with rule, VDB and geolocation updates).
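The advice above is to keep backups on a remote destination and schedule them weekly. A weekly job that silently stops landing is a common failure mode, so an added example (not from this thread and not Cisco's own tooling) is a small freshness check: given a directory listing of the remote backup share, it finds the newest complete backup and flags the location as stale if that backup is older than the expected interval. The filename pattern, the hostname and the sample listing are all constructed assumptions; the listing would normally come from whatever the ftp, scp or smb destination returns.

```python
"""Check that a remote FMC backup location holds a recent, complete backup."""
import re
from datetime import datetime, timedelta

# Hypothetical filename pattern (an assumption, not the FMC's documented format):
#   <fmc-hostname>-backup-YYYYMMDD-HHMM.tar
BACKUP_RE = re.compile(r"^(?P<host>[\w.-]+)-backup-(?P<ts>\d{8}-\d{4})\.tar$")

# Constructed directory listing, as a remote backup share might return it.
SAMPLE_LISTING = [
    "fmc-prod-backup-20170301-0200.tar",
    "fmc-prod-backup-20170308-0200.tar",
    "fmc-prod-backup-20170315-0200.tar",
    "fmc-prod-backup-20170315-0200.tar.partial",  # incomplete transfer: must be ignored
    "README.txt",                                  # unrelated file: must be ignored
]


def parse_backup_time(name):
    """Return the timestamp encoded in a backup filename, or None if it is not a complete backup."""
    m = BACKUP_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y%m%d-%H%M")


def newest_backup(listing):
    """Return (filename, timestamp) of the most recent complete backup, or (None, None)."""
    best_name, best_ts = None, None
    for name in listing:
        ts = parse_backup_time(name)
        if ts is not None and (best_ts is None or ts > best_ts):
            best_name, best_ts = name, ts
    return best_name, best_ts


def check_backup_freshness(listing, now, max_age_days=7):
    """Return (ok, age_days, newest_name).

    ok is False when no complete backup exists or the newest one is older than
    max_age_days relative to `now` (the weekly schedule recommended above).
    """
    name, ts = newest_backup(listing)
    if ts is None:
        return False, None, None
    age = now - ts
    return age <= timedelta(days=max_age_days), age.days, name


if __name__ == "__main__":
    # Constructed "current time" for the sample run.
    ok, age_days, name = check_backup_freshness(SAMPLE_LISTING, datetime(2017, 3, 20, 8, 0))
    print(f"newest backup: {name} ({age_days} days old) -> {'OK' if ok else 'STALE'}")
```

Running this from a monitoring host against the real listing turns "we schedule weekly backups" into something that is verified; the partial-transfer file is deliberately excluded so a half-copied archive cannot mask a failed job.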

Would it be possible to manage them using two FMCs, or no?

I guess the answer is no, but I'm curious, as that will mean that unless you have a hardware FMC you can't really have any FMC HA/failover.

No - you cannot manage a given sensor with more than one FMC.

In my 30+ years of IT experience I have never seen an application-level clustering or failover system that was more benefit than trouble. (I'm not talking about scaled-out web type applications with application delivery controllers fronting them.)

It's my general assertion that a well-managed single application instance is more highly available and reliable when you're talking about anything that's designed as a monolithic application.

Rather than lose cycles worrying over FMC's HA or lack thereof, I would counsel spending that time on operational processes and remediation of identified security issues.

I have a similar question. Trying to upgrade from 5.4.1 to 6.1. I understand that I need to go 5.4.1 > 6.0.0 > 6.0.1 > 6.1, which supports HA. My environment is 2x 5516-X Active/Standby with the FMC virtualized and the two sensors in the ASAs. As I understand it, I need to break HA to upgrade. The guides I'm following say to go into FMC, choose Device Management > Devices, then High Availability to see interfaces. I only have two ungrouped sensors, no tab for HA. Furthermore, I've looked at the CLI of the sensors to run the command 'configure failover', but the command isn't supported. It's my understanding that these sensors are in an HA setup, but I cannot seem to find how to break it. I've removed the sensors in Device Management in FMC and tried upgrading, but it fails every time. Do I need to break HA on the actual ASA?

ASA Firepower sensors aren't in an HA pair even though the "parent" ASAs are. The sensors have no awareness of each other and essentially operate as independent units.

We typically group them into a device group on the FMC to enable a single policy push to multiple sensors.

FMC HA is for FMC itself. That construct is completely distinct from managed device HA.

But in the configuration guide, they mentioned that we cannot back up an FMC virtual machine. We can only back up an FMC appliance. Is that right?

How about in the new version 6.2? Can virtual FireSIGHT do HA?

No it cannot.

Establishing Firepower Management Center High Availability

  Smart License:                Any
  Classic License:              Any
  Supported Management Centers: MC1000, MC1500, MC2000, MC2500, MC3500, MC4000, MC4500
  Supported Domains:            Global
  Access:                       Admin

Source:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_management_center_high_availability.html?bookSearch=true
