11-11-2023 02:16 AM
Hello,
I'm currently running a Cisco Firepower Threat Defense (FTD) and Firepower Management Center (FMC) setup with version 7.0.4. My firewall, specifically the FTD model, is the FPR-2140, configured in High Availability (HA) mode. Both the Intrusion Prevention System (IPS) and Security Intelligence (SI) are enabled.
The issue I'm facing arises when a specific volume of traffic passes through the FPR-2140. At that point, the active FTD loses all connections, disrupting the network. Interestingly, when I switch to the standby firewall, the network stabilizes again, indicating an issue with the active unit. Notably, both the standby and active firewalls exhibit high CPU usage, hovering around 50 percent.
I'm seeking guidance on troubleshooting and resolving this issue. Any insights, recommendations, or similar experiences would be greatly appreciated. I'm particularly interested in understanding potential causes for the connection loss under high traffic conditions and how to mitigate this issue effectively within the HA setup for the FPR-2140 model.
Thank you in advance for any assistance or advice you can provide!
11-11-2023 02:22 AM
> show high-availability config
Can you check the conn exchange between the two FWs?
Thanks A Lot
MHM
11-12-2023 04:17 AM
I would not consider a CPU of 50% high with regard to it being the cause of traffic drops. If CPU would be considered in traffic drop I would expect it to be above 90% and closer to 100%. That the secondary unit also has CPU around 50% is interesting as there should not be any traffic flowing through that device. Perhaps there is a misconfigured device on the network sending traffic to both devices or polling both devices?
When you say the active device loses connections, does that mean that regardless of which FTD is active (primary or standby), when the traffic flow in question is initiated all connections are lost? Also, what type of connection is this?
I have seen several instances where there has been traffic loss due to "Elephant flow" conditions, but that is limited to that particular traffic flow and not all connections.
Have you enabled application bypass and/or intelligent application bypass? If not, you might want to look into enabling these. Keep in mind that in newer software releases these are deprecated and replaced by Elephant flow detection configuration.
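A small helper for the elephant-flow check suggested above, added as an example and not part of the thread or of Cisco's tooling: it parses `show conn` lines (ASA/FTD output format assumed, sample lines constructed) and returns the connections whose byte count exceeds a threshold, plus the per-inside-host totals, so a large single flow can be separated from a general connection loss. The threshold, addresses and counts are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in ASA/FTD `show conn` format; not captured from the poster's FPR-2140.
SAMPLE_SHOW_CONN = """\
TCP outside 198.51.100.7:443 inside 192.168.10.21:51002, idle 0:00:02, bytes 18542, flags UIO
TCP outside 198.51.100.9:445 inside 192.168.10.44:49877, idle 0:00:00, bytes 4831592704, flags UIO
UDP outside 198.51.100.3:53 inside 192.168.10.21:60111, idle 0:00:09, bytes 312, flags -
TCP outside 203.0.113.12:8443 inside 192.168.10.44:49901, idle 0:00:01, bytes 987654321, flags UIO
TCP outside 198.51.100.9:445 inside 192.168.10.45:49312, idle 0:00:00, bytes 2147483648, flags UIO
"""

# One `show conn` line: proto, outside if/addr:port, inside if/addr:port, idle, bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_addr>[^:\s]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_addr>[^:\s]+):(?P<in_port>\d+),\s+idle\s+(?P<idle>\S+),"
    r"\s+bytes\s+(?P<bytes>\d+)"
)


def parse_show_conn(text):
    """Turn `show conn` output into a list of dicts; non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            conns.append(d)
    return conns


def find_elephant_flows(conns, threshold_bytes=1 << 30):
    """Connections above the byte threshold (default 1 GiB, an assumed cut-off), largest first."""
    big = [c for c in conns if c["bytes"] > threshold_bytes]
    return sorted(big, key=lambda c: c["bytes"], reverse=True)


def bytes_by_inside_host(conns):
    """Total bytes per inside host, to spot one client driving most of the load."""
    totals = defaultdict(int)
    for c in conns:
        totals[c["in_addr"]] += c["bytes"]
    return dict(totals)


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    for c in find_elephant_flows(conns):
        print(f'{c["proto"]} {c["in_addr"]}:{c["in_port"]} -> {c["out_addr"]}:{c["out_port"]} {c["bytes"]} bytes')
```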