Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
623
Views
0
Helpful
7
Replies

Adding HA to existing FTD primary

spfister336
Level 2
Level 2

‎05-12-2022 12:41 PM

We are converting an active/standby ASA pair to FTD. We decommissioned the old standby and set it up as the new FTD primary, managed through FMC. Once we tested that for a while, we have wiped the old ASA primary and have installed the same version of the FTD image on it (and brought FXOS to the same version too). It is registered to the FMC also, and we are ready to set up the HA pair. This doesn't wipe anything from the existing FTD primary, does it? It's in production use. I wanted to ask before trying it.

0 Helpful
7 Replies 7

Rob Ingram
VIP
VIP

‎05-12-2022 12:48 PM

@spfister336 no, during configuration, the primary unit's policies are synchronized to the secondary unit.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/high-availability.html

 

0 Helpful

spfister336
Level 2
Level 2
In response to Rob Ingram

‎05-12-2022 12:52 PM

OK, thank you.... we're trying this kind of late in the day and I didn't want to deal with any surprises.

0 Helpful

spfister336
Level 2
Level 2
In response to spfister336

‎05-12-2022 02:21 PM

Everything seemed to go OK with the HA setup, but I wasn't sure where to get the MAC addresses for the virtual MAC address step, so I haven't put anything in yet. Where do I get those?

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to spfister336

‎05-12-2022 02:59 PM

You can add your own MAC as an example shown below :

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html

 

Note: some notes mentioned well to have, some have different, I have 2 different setups one with MAC (which cisco suggested the way I deployed) and one without any MAC configured, (done before we took over and test) both working as expected.

 

More information can be found in the link provided by other posts.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

spfister336
Level 2
Level 2

‎05-13-2022 06:32 AM

Do I just make up MAC addresses?

0 Helpful

SinghRaminder
Level 1
Level 1
In response to spfister336

‎05-13-2022 08:17 AM

You can as long as the format is good and are not being used in the Network already

I have seen people using the Same MAC address as the existing ASA on the FTD so there is no downtime with respect to ARP cache and mac address table entries

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer
0 Helpful

Marius Gunnerud
VIP
VIP
In response to spfister336

‎05-13-2022 12:28 PM

You do not need to make up MAC addresses.  If you do not provide "user defined" MAC then the FTDs will generate their own.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card