Cisco FPR-2140 FTD HA Setup - Connection Loss with High Traffic Volume

JohnJudi
Level 1

Hello,

I'm currently running a Cisco Firepower Threat Defense (FTD) and Firepower Management Center (FMC) setup with version 7.0.4. My firewall, specifically the FTD model, is the FPR-2140, configured in High Availability (HA) mode. Both the Intrusion Prevention System (IPS) and Security Intelligence (SI) are enabled.

The issue I'm facing arises when a specific volume of traffic passes through the FPR-2140. At that point, the active FTD loses all connections, disrupting the network. Interestingly, when I switch to the standby firewall, the network stabilizes again, indicating an issue with the active unit. Notably, both the standby and active firewalls exhibit high CPU usage, hovering around 50 percent.

I'm seeking guidance on troubleshooting and resolving this issue. Any insights, recommendations, or similar experiences would be greatly appreciated. I'm particularly interested in understanding potential causes for the connection loss under high traffic conditions and how to mitigate this issue effectively within the HA setup for the FPR-2140 model.

Thank you in advance for any assistance or advice you can provide!

2 Replies

> show high-availability config

Can you check the conn exchange between the two FWs?

Thanks A Lot
MHM 

I would not consider a CPU of 50% high with regard to it being the cause of traffic drops.  If CPU would be considered in traffic drop I would expect it to be above 90% and closer to 100%.  That the secondary unit also has CPU around 50% is interesting as there should not be any traffic flowing through that device.  Perhaps there is a misconfigured device on the network sending traffic to both devices or polling both devices?

When you say the active device loses connections, would that mean that regardless of which FTD is active (primary or standby), when the traffic flow in question is initiated all connections are lost?  Also, what type of connection is this?

I have seen several instances where there has been traffic loss due to "Elephant flow" conditions, but that is limited to that particular traffic flow and not all connections.

Have you enabled application bypass and/or intelligent application bypass?  If not, you might want to look into enabling these.  Keep in mind that in newer software releases these are deprecated and replaced by Elephant flow detection configuration.

  • How does the memory usage of the devices look when the issue is occurring?
  • When the issue is happening, issue the command "show process cpu-usage non-zero sorted" to get a better idea whether a specific process is using an abnormal amount of CPU.
  • Check the output of show conn during the issue to see if there is an abnormal number of connections at that time (remember to issue terminal pager 24 first, as by default the FTD will output all connections at once and this can take some time to complete).
  • Are you able to ping the FTD when the issue is happening?
  • Do you lose mgmt access to the FTD when it is happening?
--
Please remember to select a correct answer and rate helpful posts
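The reply above amounts to a data-collection checklist to run while the outage is happening. The script below is an added example (not from the thread, and not Cisco's own tooling) that takes text saved from the FTD diagnostic CLI during the event ("show process cpu-usage non-zero sorted", "show conn count", "show memory") and turns it into a short triage summary: which processes dominate CPU, how close the connection count is to the unit's own high-water mark, and how much memory is free. The sample outputs embedded in it are constructed for this example and only approximate the ASA/FTD layout; the thresholds (25% per process, 10% of the high-water mark, 10% free memory) are arbitrary starting points, not Cisco guidance. Capture the real output with "terminal pager 0" first so nothing is truncated by paging.

```python
"""Triage helper for the FTD checklist above (added example, not Cisco tooling).

Parses saved CLI output from an FTD during a connection-loss event and
summarises the things the reply asks for: hot processes, connection
count vs. high-water mark, and free memory.
"""
import re
from dataclasses import dataclass

# Constructed sample: approximate layout of "show process cpu-usage non-zero sorted".
CPU_SAMPLE = """\
PC         Thread       5Sec     1Min     5Min   Process
-          -            31.2%    29.8%    28.5%  DATAPATH-0-2213
-          -            9.9%     10.1%    10.0%  DATAPATH-1-2214
-          -            4.1%     3.7%     3.2%   Logger
-          -            1.0%     0.8%     0.9%   snmp
"""

# Constructed sample: "show conn count".
CONN_COUNT_SAMPLE = "184321 in use, 201750 most used\n"

# Constructed sample: "show memory" (abridged).
MEMORY_SAMPLE = """\
Free memory:         2147483648 bytes (25%)
Used memory:         6442450944 bytes (75%)
-------------     ------------------
Total memory:        8589934592 bytes (100%)
"""


@dataclass
class ProcCpu:
    name: str
    sec5: float
    min1: float
    min5: float


# Match the three percentage columns followed by the process name, regardless
# of what the PC/Thread columns contain (they vary between releases).
CPU_LINE = re.compile(
    r"(\d+(?:\.\d+)?)%\s+(\d+(?:\.\d+)?)%\s+(\d+(?:\.\d+)?)%\s+(\S+)\s*$"
)


def parse_cpu(text: str) -> list[ProcCpu]:
    """Return per-process CPU figures sorted by 1-minute average, highest first."""
    procs = []
    for line in text.splitlines():
        m = CPU_LINE.search(line)
        if m:
            procs.append(ProcCpu(m.group(4), float(m.group(1)),
                                 float(m.group(2)), float(m.group(3))))
    return sorted(procs, key=lambda p: p.min1, reverse=True)


def hot_processes(procs: list[ProcCpu], threshold: float = 25.0) -> list[str]:
    """Names of processes whose 1-minute CPU average is at or above threshold."""
    return [p.name for p in procs if p.min1 >= threshold]


def parse_conn_count(text: str) -> tuple[int, int]:
    """Return (connections in use, most ever used) from 'show conn count'."""
    m = re.search(r"(\d+)\s+in use,\s+(\d+)\s+most used", text)
    if not m:
        raise ValueError("no 'in use / most used' line found")
    return int(m.group(1)), int(m.group(2))


def parse_free_memory_pct(text: str) -> int:
    """Return the free-memory percentage from 'show memory'."""
    m = re.search(r"Free memory:\s+\d+ bytes \((\d+)%\)", text)
    if not m:
        raise ValueError("no 'Free memory' line found")
    return int(m.group(1))


def triage(cpu_text: str, conn_text: str, mem_text: str,
           cpu_threshold: float = 25.0, mem_floor_pct: int = 10) -> dict:
    """Combine the three outputs into a summary with a list of findings."""
    procs = parse_cpu(cpu_text)
    in_use, most_used = parse_conn_count(conn_text)
    free_pct = parse_free_memory_pct(mem_text)
    findings = []
    for name in hot_processes(procs, cpu_threshold):
        findings.append(f"process {name} at >= {cpu_threshold}% CPU (1 min avg)")
    # Being within 10% of the unit's own high-water mark suggests the conn
    # table is as full as it has ever been, worth correlating with the outage.
    if most_used and in_use >= 0.9 * most_used:
        findings.append(f"{in_use} connections, within 10% of high-water mark {most_used}")
    if free_pct < mem_floor_pct:
        findings.append(f"only {free_pct}% memory free")
    return {
        "top_cpu": [p.name for p in procs[:3]],
        "conn": (in_use, most_used),
        "free_mem_pct": free_pct,
        "findings": findings,
    }


if __name__ == "__main__":
    summary = triage(CPU_SAMPLE, CONN_COUNT_SAMPLE, MEMORY_SAMPLE)
    for k, v in summary.items():
        print(f"{k}: {v}")
```

Run it against outputs captured on both the active and standby units during the event; a standby unit that shows a busy DATAPATH process and a climbing connection count is exactly the "traffic reaching the standby" scenario the reply raises.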