Cisco FTD 1140 HA Pair failover configuration to single ISP dual link.

moon_blue69 · ‎11-20-2024

I have a question about the HA failover setup of the FTDs. We had an incident where the upstream link to the ISP was lost (crossed in the attached image, please note the physical link was up), at the time the secondary unit was the active one. Had it failed over automatically to the primary unit we would have had minimal disruption as path existed through the primary unit which was the standby node. Is there a way we can configure the FTD failover based on the status of the uplink to the ISP?

Both links to the ISP have the same gateway. What we are trying to achieve is, if one unit can’t reach the gateway/upstream it should failover to the standby unit.

Thank you all in advance

MHM Cisco World · ‎11-20-2024

You need SW between FTD's and ISP routers.

MHM

moon_blue69 · ‎11-20-2024

Thank you. The ISP NTEs are layer 2 not sure how a switch in between is going to help and that switch will be a single point of failure.

MHM Cisco World · ‎11-20-2024

ISP NTE must interconnect to each other yoh need l2 between ftd outside interface.

Then use only outside for monitoring.

MHM

moon_blue69 · ‎11-21-2024

Would an active/active setup be a solution?

MHM Cisco World · ‎11-21-2024

FW HA active/active or active/standby need L2 SW interconnect both outside interface of FW.

MHM