Does anyone have a tested and successful procedure to onboard an HA pair of FTD devices (already set as active/standby via FDM)?
I've been in a pilot program of CDO for several months (the first few spent fruitlessly gaining access to CDO).
I've been testing a scenario where I want to onboard an already configured HA pair of FTD devices.
I have tried quite a number of different iterations of methods, none of which have been successful, least of which is Cisco's own procedure (https://docs.defenseorchestrator.com/Configuration_Guides/Onboard_Devices_and_Services/0021_Onboard_a_Firepower_Threat_Defense_Device_High_Availability_Pair). In fact, Cisco's procedure for this doesn't even begin to work.
Using the procedure below is the closest to onboarding the pair that I have gotten, but it still fails:
1. De-Register both devices (license registration or Eval MUST match!)
2. Disable any other Smart-licenses.
NOTE! If you unregister, you will see a Deployment change ready itself. Don't bother deploying this change. CDO will fix this later.
3. On both devices, change the Management Interface IP to one that is unique to the device, but can gain access to the Internet. The Token process will use this IP for differentiation.
4. Failover to the Secondary device.
5. Add the Secondary device in the CDO portal with Use Registration Key (the other method will not work). Click Next.
6. Give it a unique name. Click Next.
7. Uncheck "Immediately perform security updates....". Click Next.
8. Copy the Registration key.
9. Go back to the FDM. Verify it is Unregistered with Smart Licensing.
10. Go into Cloud Services and click "Get Started" in the Cisco Defense Orchestrator box.
11. Paste the Registration key and select your region (must match the region on both units!). Click Register.
12. Click Accept (if you accept).
13. Go back to CDO and click Next.
14. If you created a Smart License Token in Cisco.com's Smart License portal (your portal), then you can paste it here. I recommend doing this, and not skipping. Click Next.
15. Click "Go to devices page" to see the result. Let the device FULLY sync before proceeding.
16. Click the Refresh button to update, and do NOT attempt any local FDM management or changes while this takes place.
17. Once synced, you should highlight or check the box next to the new device. If the Failover (HA) was configured correctly, CDO should recognize there's a "mate" device. It also recognizes the roles.
18. Failover to the Primary device. Verify it's Unregistered.
19. Highlight or check the previously added Secondary device in CDO. Click "Onboard Device" in the right-hand column.
20. Give it a unique name. Click Next.
21. Uncheck "Immediately perform security updates....". Click Next.
22. Copy the Registration key.
23. Go back to the FDM. Verify it is Unregistered with Smart Licensing.
24. Go into Cloud Services and click "Get Started" in the Cisco Defense Orchestrator box.
25. Paste the Registration key and select your region. Click Register.
26. Click Accept (if you accept).
27. Go back to CDO and click Next.
28. If you created a Smart License Token in Cisco.com's Smart License portal (your portal), then you can paste it here. I recommend doing this, and not skipping. Click Next.
29. Click "Go to devices page" to see the result. Let the device FULLY sync before proceeding.
30. Click the Refresh button to update, and do NOT attempt any local FDM management or changes while this takes place.
NOTE: You may see your device listed as "Unprovisioned". Give it a minute.
NOTE! CDO will likely fail to recognize the current HA active/standby state. The following procedure addresses this.
TIP: Be sure to watch the View Jobs status on the bottom-right.
1. Highlight the Primary/Active device in CDO and click High-Availability in the right-hand column. The status will show "Device Busy" for some time. Please be patient.
2. Once the Device Busy goes away, go back to the previous screen. You may now see a Read Error. Click "Read Configuration" on that device.
The main issue is that CDO can't correctly determine the active/standby state of the FTD HA pair. In fact, it seems to indicate the devices are Unreachable, shows Read Errors, and any attempt to Reconnect, Read Configuration, or investigate the active/standby state results in inconsistent results, none of which FDM shows. FDM shows the devices have been stable, but CDO seems to believe the active/standby state is swapping.
RFC 1925
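As an added example (not from the original post, and not Cisco's code), a small Python script that polls each unit's own view of the HA state through the FDM REST API, so the on-box state can be logged over time and compared with the flapping that CDO reports. The token endpoint, the HA status path and the nodeState/peerNodeState field names are assumptions to confirm in your FDM version's API Explorer.

```python
import json
import ssl
import time
import urllib.request

# Assumed FDM REST API paths and JSON field names (not from the original post);
# confirm them in your FDM version's API Explorer before relying on them.
TOKEN_PATH = "/api/fdm/latest/fdm/token"
HA_STATUS_PATH = "/api/fdm/latest/devices/default/ha/status"
ACTIVE = "HA_ACTIVE_NODE"


def fdm_ha_status(host, username, password, cafile=None):
    """Authenticate to one unit's management IP and return its HA status JSON."""
    ctx = ssl.create_default_context(cafile=cafile)  # TLS verification stays on
    body = json.dumps({"grant_type": "password", "username": username,
                       "password": password}).encode()
    req = urllib.request.Request(f"https://{host}{TOKEN_PATH}", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(f"https://{host}{HA_STATUS_PATH}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def classify_pair(status_a, status_b):
    """'consistent' when exactly one unit is active and each unit's view of its
    peer matches the peer's own view; otherwise name the problem."""
    states = (status_a.get("nodeState"), status_b.get("nodeState"))
    if states.count(ACTIVE) == 2:
        return "split-brain"  # both units believe they are active
    if states.count(ACTIVE) == 0:
        return "no-active-unit"
    if (status_a.get("peerNodeState") != status_b.get("nodeState")
            or status_b.get("peerNodeState") != status_a.get("nodeState")):
        return "peer-view-mismatch"  # the units disagree about each other
    return "consistent"


def watch(hosts, username, password, samples=10, interval=30, cafile=None):
    """Sample both units; return (time, verdict, state_a, state_b) tuples so
    any flip FDM itself reports can be compared with what CDO claims."""
    history = []
    for _ in range(samples):
        a, b = (fdm_ha_status(h, username, password, cafile) for h in hosts)
        history.append((time.strftime("%H:%M:%S"), classify_pair(a, b),
                        a.get("nodeState"), b.get("nodeState")))
        time.sleep(interval)
    return history
```

Run `watch(["<primary-mgmt-ip>", "<secondary-mgmt-ip>"], user, pw)` against the two unique management IPs from step 3 while CDO is in its "Device Busy" phase; a history that stays "consistent" with unchanged states is evidence that the swapping CDO shows is not happening on the boxes.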