ASA High Availability with Firepower and FMC

bits_of_matt
Level 1

I have two ASA 5525X in a High Availability (Active/Standby) configuration, both running Firepower services and both licensed for IPS, AMP, and URL. I'm managing both ASA FTDs through a virtual FMC.

 

My question is: Do I also need to configure the High Availability option in the FMC Device Management for the two devices? 

 

I have both ASA FTD devices in the same Group in the FMC under Device Management, but I'm unable to add a High Availability Pair when I click on Add -> Add High Availability Pair. I get the box that appears to enter the HA Pair Name, Device Type, Primary Peer, and Secondary Peer, but after I select one of the two options under Device Type (Firepower Threat Defense or Firepower), the Primary Peer field displays a red box around that field with a ! symbol that states "There are not enough devices to form a high availability pair".

 

I'm wondering if I even need to configure this in the FMC? I know on the ASA side of the HA configuration the Primary ASA syncs its running config to the Secondary. It's my understanding that the Firepower config (Policies etc.) is not synced across the two devices, but if I apply the same Firepower Policies to both devices in the FMC then everything should be the same, and whichever device is Active would be the one doing the FTD inspection and processing. I wanted to just confirm if I'm understanding this correctly.

 

Thanks

Matt 

 

 

8 Replies

nspasov
Cisco Employee

Hi Matt-

Are you running the unified image (FTD-Firepower Threat Defense) or are you running in legacy mode (ASA with FirePOWER services)?

Thank you for rating helpful posts!

We are running in the legacy mode (ASA with FirePOWER services)

Ah ok. In that case your H/A is set up in the ASA code, and the FirePOWER sensors are running independently and do not share any failover/state information. If you want to set up HA in the FMC then you will have to run the unified image (FTD).

I hope this helps!

Thank you for rating helpful posts!

That's what I was looking for, thanks for clarifying this for me. One last question if you don't mind; I just wanted to verify this, if I may. With HA configured in the ASA code (Active/Standby), the way I currently have it set up, my Standby unit shows a critical health alert in the FMC under Health Alerts that says "Interface DataPlaneInterface0 is not receiving any packets". I believe this is normal as this unit is currently in the standby state, and if that is correct, then is there a way to disable this alert notification? Or is it recommended to just ignore it? Thanks again for your much appreciated help!

With Active/Standby configured on the ASA with a FirePOWER sensor, it should not show you "Interface DataPlaneInterface0 is not receiving any packets"; it must be in a normal state showing up in your FMC. You need to console to the SFR and check the settings.

 

On the standby ASA, log in to it and give the command "session sfr console", press Enter and give the login and password (default is admin / Admin123). Once in, give the command "show network":

ASA# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

SFR login: admin
Password: Admin123
Last login: Sun Oct 13 18:11:27 UTC 2019 on ttyS1

Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5506 v6.2.0 (build 362)

>
configure Change to Configuration mode
exit Exit this CLI session
expert Invoke a shell
history Display the current session's command line history
logout Logout of the current CLI session
show Change to Show Mode
system Change to System Mode

> show network
network Show configuration of management interface
network-static-routes Show static routes for management interfaces

> show network
===============[ System Information ]===============
Hostname : SFR
Domains : cdyz5.ddns.net
DNS Servers : 192.168.100.72
Management port : 8305
IPv4 Default route
Gateway : 192.168.100.254

======================[ eth0 ]======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 28:6F:7F:D1:3A:32
--------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.100.36
Netmask : 255.255.255.0
Broadcast : 192.168.100.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

 

> system support sftunnel-status

SFTUNNEL Start Time: Thu Dec 5 07:41:35 2019

Both IPv4 and IPv6 connectivity is supported
Broadcast count = 0
Reserved SSL connections: 0
Management Interfaces: 1
eth0 (control events) 192.168.100.36,

***********************

**RUN STATUS****firepower.cdyz5.ddns.net*************
Connected: Yes
SSL Verification status: ok
Registration: Completed.
Connection to pr '192.168.100.211' never happened
Connection to peer '192.168.100.211' Attempted at Fri Dec 6 22:12:55 2019


***********************

**RPC STATUS****firepower.cdyz5.ddns.net*************
Caught Simple Exception: RPC Request failed

Check routes:

Also, you can ping from the sensor to the FMC:

> system support ping x.x.x.x

 

please do not forget to rate.

I've run the show network command in the SFR console of the Standby ASA and everything looks normal.

 

======================[ eth0 ]======================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 2C:33:11:2E:83:6E

 

I'm still leaning toward this being normal behavior per the points listed below, but I would like to confirm this to be sure. 

1. Both ASAs are configured in a legacy configuration (running ASA code with FirePOWER Services) with HA (Active/Standby) configured on the ASA side.

2. I haven't tested this theory yet, but if the Standby ASA switched to the Active state then I would assume eth0 on that new Active unit would then start receiving "DataPlane" packets, and the original (Primary/Active) ASA that switched to the Standby state would start displaying the same "Health" status in the FMC of "Interface DataPlaneInterface0 is not receiving any packets".

 

If one or both of the ASAs and the FMC show that there is no traffic or no data to show, it sounds like the traffic is not actually getting to the module. Can you check your policy configuration to make sure that the proper traffic is being redirected? Also, can you confirm that the module is up and functioning properly?

You can also clear the service-policy counters and check whether the traffic count for the module redirection policy increases, and also reload the module if you see no response at all (please note that reloading the module can cause a failover if the modules are currently being monitored by failover).

please do not forget to rate.

I've cleared the service-policy counters on both the Primary and Standby ASAs. You can see from the output below that the packet input and output counters are incrementing in "# show service-policy global sfr" on the Primary (Active ASA). You can also see from that command that the SFR card status shows as Up. The status also shows as Up in the output of "# show module sfr details" and under the SFR console "> show network".

 

Primary (Active ASA)

# show service-policy global sfr

Global policy:
  Service-policy: global_policy
    Class-map: firepower
      SFR: card status Up, mode fail-open
        packet input 321343, packet output 321349, drop 0, reset-drop 0

# show service-policy global sfr

Global policy:
  Service-policy: global_policy
    Class-map: firepower
      SFR: card status Up, mode fail-open
        packet input 448296, packet output 448305, drop 0, reset-drop 0

# show module sfr details
Getting details from the Service Module, please wait...

Card Type:          FirePOWER Services Software Module
Model:              ASA5525
Hardware version:   N/A
Serial Number:
Firmware version:   N/A
Software version:   6.5.0.1-35
MAC Address Range:
App. name:          ASA FirePOWER
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       6.5.0.1-35
Data Plane Status:  Up
Console session:    Ready
Status:             Up
DC addr:            192.x.x.x
Mgmt IP addr:       192.x.x.x
Mgmt Network mask:  255.x.x.x
Mgmt Gateway:       192.x.x.x
Mgmt web ports:
Mgmt TLS enabled:   true
ghblp-corp/pri/act#

SFR Console
> show network
===============[ System Information ]===============
Hostname                  : FTD-01
Domains                   : domain.local
DNS Servers               : 10.x.x.x
                            10.x.x.x
Management port           :
IPv4 Default route
  Gateway                 : 192.x.x.x

======================[ eth0 ]======================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               :
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.x.x.x
Netmask                   : 255.x.x.x
Broadcast                 : 192.x.x.x
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

Secondary (Standby ASA)

# show service-policy global sfr

Global policy:
  Service-policy: global_policy
    Class-map: firepower
      SFR: card status Up, mode fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0

# show service-policy global sfr

Global policy:
  Service-policy: global_policy
    Class-map: firepower
      SFR: card status Up, mode fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0

# show module sfr details
Getting details from the Service Module, please wait...

Card Type:          FirePOWER Services Software Module
Model:              ASA5525
Hardware version:   N/A
Serial Number:
Firmware version:   N/A
Software version:   6.5.0.1-35
MAC Address Range:
App. name:          ASA FirePOWER
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       6.5.0.1-35
Data Plane Status:  Up
Console session:    Ready
Status:             Up
DC addr:            192.x.x.x
Mgmt IP addr:       192.x.x.x
Mgmt Network mask:  255.x.x.x
Mgmt Gateway:       192.x.x.x
Mgmt web ports:
Mgmt TLS enabled:   true

SFR Console
> show network
===============[ System Information ]===============
Hostname                  : FTD-02
Domains                   : domain.local
DNS Servers               : 10.x.x.x
                            10.x.x.x
Management port           :
IPv4 Default route
  Gateway                 : 192.x.x.x

======================[ eth0 ]======================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               :
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.x.x.x
Netmask                   : 255.x.x.x
Broadcast                 : 192.x.x.x
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled
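The clear-counters check suggested earlier in the thread (clear the service-policy counters, then see whether the SFR redirection counters move) can be automated over two captures of "show service-policy global sfr". The helper below is an added example, not code from the thread or from Cisco; the sample output is constructed in the thread's format with made-up counter values, and the failover state ('active' or 'standby') is assumed to be supplied by the caller from the ASA.

```python
import re

# Constructed samples in the format of "show service-policy global sfr" as
# posted in the thread; the counter values are made up, not the thread's own.
ACTIVE_BEFORE = """Global policy:
  Service-policy: global_policy
    Class-map: firepower
      SFR: card status Up, mode fail-open
        packet input 1000, packet output 1002, drop 0, reset-drop 0
"""
ACTIVE_AFTER = ACTIVE_BEFORE.replace("input 1000", "input 1750").replace(
    "output 1002", "output 1753")
STANDBY_IDLE = ACTIVE_BEFORE.replace("input 1000", "input 0").replace(
    "output 1002", "output 0")
CARD_DOWN = STANDBY_IDLE.replace("card status Up", "card status Down")

STATUS_RE = re.compile(r"SFR: card status (\w+), mode ([\w-]+)")
COUNTER_RE = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")


def parse_sfr_policy(text):
    """Extract card status, redirection mode and packet counters."""
    status = STATUS_RE.search(text)
    counters = COUNTER_RE.search(text)
    if status is None or counters is None:
        raise ValueError("unrecognised show service-policy output")
    return {
        "card_status": status.group(1),
        "mode": status.group(2),
        "input": int(counters.group(1)),
        "output": int(counters.group(2)),
        "drop": int(counters.group(3)),
        "reset_drop": int(counters.group(4)),
    }


def assess_redirection(before, after, failover_state):
    """Compare two samples taken after the counters were cleared.

    failover_state is 'active' or 'standby' (assumed to come from the ASA).
    Returns 'ok', 'card-down', 'no-redirect', 'expected-idle' or
    'unexpected-traffic'.
    """
    a = parse_sfr_policy(after)
    if a["card_status"] != "Up":
        # With mode fail-open a down card means traffic passes uninspected.
        return "card-down"
    delta = a["input"] - parse_sfr_policy(before)["input"]
    if failover_state == "active":
        return "ok" if delta > 0 else "no-redirect"
    # A standby unit is not forwarding, so zero counters are expected there.
    return "expected-idle" if delta == 0 else "unexpected-traffic"
```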

 
