Thank you kaisero for your valuable rresponse,

I am bit confused here.

I have 2 Firepower 4100 Appliance,

So how i will built HA for Firepower 4100

Also for adding ASA and Configuring HA for ASA.?

Just to clarify. Your 4100 chassis runs a so-called "logical device" which is basically a container running either standard ASA operating system or the new FTD (Firepower Thread Defense) code which includes ASA + Firepower features with some limitations (e.g. no anyconnect).

In case you are running the ASA image on your 4100 you will not be able to use firepower features. Its either unified image or only asa features.

Since you asked about ASA Active/Standby HA, you may find the failover configuration guide here.

In case you havent built the logical devices on your Chassis manager yet you may refer to the following configuration guide here.

p.s. if anything is unclear please be more specific, you are being very vague.

Hi Kaisero,

i am pretty new to FTD and FPR4120-BUN chassis.

I have to configure ASA and HA for these devices.

Since the FPR4120-BUN using FXOS for intitital configuration i bit confused to start. Then i just put one management IP and kept like that.

I attached the product specification .I think its standard ASA operating system. Because i can see anyconnect license also included in specification

If then how we will get cli and asdm for the ASA ?

Previously i configured many 5525-X ,555X etc including firepower services and fire sight management.It's all went smoothly.

Please advise

Your BOM definetly looks like an ASA installation on FP4100. You have to deploy ASA image from your 4100 Chassis using CLI/UI (I would suggest the UI).

Use the following quickstart guide to deploy ASA from the Chassis Manager UI.

Hi Kaisero,

Thank you,

So i have to deploy both the chassis to stand alone ASA and then configure Active/Standby HA as we are doing early same like typical ASA appliance.

Can you please explain about the clustering ? Clustering for Fpr 4120 chassis or ASA ?

what will be the best solution ?

Yes, ASA is deployed as a so called logical device from the chassis manager. 4100 can run one logical device, 9300 could run 3 logical devices (using the 3 blades).

Then you configure all your standard ASA features from the logical device (ASA), including failover or clustering.

Think of the FX-OS as an abstraction layer to map physical interfaces to your actual firewall system. This system is kind of confusing on 4100 since you can only run one ASA on 4100 but makes a lot of sense for 9300 which can run 3 firewalls on the chassis.

So for this deployment i will not get FMC and firepower services. Only ASA features i can use.

Can i use ASDM as well ?

You may use ASDM to manage ASA, but if you are running the ASA image on 4100 you will not be able to use firepower services.

The only way to use firepower on the 4100 is running the new FTD image which merges ASA and Firepower Services into one image. Keep in mind that there is no feature parity for as asa features yet (no Multiple Context Mode, Anyconnect, etc. in FTD)

Hi,

Anyconnect is our major requirement for this deployment, then we cannot use FTD image and firepower service.

There is no other way to work full fludge ASA(all features) with firepower services using 4100 chassis. ?

This mean we could have go with standard 5555-x Series with firepower services in it.

Correct, there is no other way to get firepower services. FTD or ASA only.
In case the 5555-X would have matched your performance requirements you could have gone 5555-X with Firepower Services.

AnyConnect should be added to FTD in ~Q2 2017 but tbh I think Anyconnect will be added at the end of 2017 due to some stability issue atm.

Thanks kaisero,

You clarified all my doubts.

Will let you know incase anything i need regards this.

cheers

Hi Kaisero,

I'm watching the Thread it's really wealth of information here. I have few questions to you, if you could help me with :

I know the FTD does not support yet but was hoping to bounce some question I had myself about clustering and multicontext on the asa/4100


Firepower 21/41xx with ASA image:
· How many “Logical Devices - ASA” supported?
· How many context per “Logical Devices - ASA” supported?
· Is “Logical Devices - ASA” +“Logical Devices - Firepower” supported?
· Are these “Logical Devices” fully independent?
· What are the limitation of “Logical Devices” comparing to standalone ASA?

Firepower 21/41xx Thread Defense image:
· How many thread defense “Logical Devices ” supported on top of 21XX and 41XX?
· Is there something similar to ASA multi-context mode in Thread Defense “Logical Devices”?
· Are these “Logical Devices” fully independent?
· What are the limitation of “Logical Devices” comparing to standalone Thread Defense appliance (ASA55XX)?

Regards,