Cisco FTD Failover Behavior

Hello Guys,

I am testing the active-passive failover in FTD. First of all, the failover works fine for me, but I have a query related to the timeouts I received during the testing. My testing process is as follows.

Let's say I have two FTDs, FTD-01 (primary unit) and FTD-02 (secondary unit). In the normal scenario FTD-01 is active and FTD-02 is standby.

1. From my laptop I pinged 8.8.8.8 and then removed E1/1 from FTD-01. I received two request timeouts and then it started to ping.

2. I reconnected the E1/1 to the FTD-01 and removed E1/1 from the FTD-02. I received 4 request timeouts and then it started to ping.


My concern is the difference in timeouts between step 1 and step 2. After failover to FTD-02, I immediately reconnected the E1/1 to FTD-01 and then removed E1/1 from FTD-02. I doubt these aggressive failover actions (without giving the ASA time to settle down) are causing the difference in the timeouts. Once FTD-02 becomes active, does it hold down for some time even if it detects an interface failure?


Hello

I think your tests are not the same. I think you should let things stabilize.

The firewall failing over or flapping multiple times is not what the feature is meant to serve, although it works. The real use case is for a standby unit to take over from a previously active unit.

Your step 1 is a simple failover from an active unit to a standby unit.

Your step 2 is actually a little more involved: you are restoring a standby unit, F1, that is not standby ready. It is not ready to take over immediately, as it is in a failed state due to interface failure. For it to take over immediately, it should have been standby ready. So when you plug in the F1 interface and immediately disconnect the F2 interface, F1 has to go through a more elaborate process to elect it as the active unit.

See this guide:

https://www.cisco.com/c/en/us/support/docs/availability/high-availability/217763-troubleshoot-firepower-threat-defense-hi.html#toc-hId--1435216742

I would suggest splitting your step 2 into sub-tasks:

a) Leave FTD2 as the active unit.

b) Plug in the FTD1 interface and wait till it becomes standby ready.

c) Now disconnect the FTD2 interface.

I would think that the ping loss should be similar to step 1.

Hope that helps

**Please rate helpful posts**
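As an added illustration of the reply's point that the two tests should be judged by the same measurement, below is a small Python script (added here, not code from the thread or from Cisco) that reads a saved ping transcript and reports the longest run of consecutive lost probes, which is the "2 vs 4 request timeouts" the poster counted by hand. It assumes either Windows `ping -t` output, where each lost probe prints "Request timed out.", or Linux `ping` output, where loss shows up as a hole in `icmp_seq`. The transcripts embedded in the script are constructed to mirror the poster's numbers, not captured from their lab.

```python
"""Measure ping outage length from a captured ping transcript.

Added example for the FTD failover thread (not the poster's or Cisco's code).
Assumes Windows `ping -t` output ("Request timed out.") or Linux `ping`
output (loss appears as a gap in icmp_seq). Sample transcripts are constructed.
"""
import re
from dataclasses import dataclass

# Windows ping prints one of these lines per lost probe.
WIN_LOSS_RE = re.compile(r"Request timed out\.|Destination host unreachable\.")
# Linux ping numbers every reply; a lost probe is a hole in the sequence.
LINUX_REPLY_RE = re.compile(r"icmp_seq=(\d+)")


@dataclass
class Outage:
    first_lost: int  # line index (Windows) or icmp_seq (Linux) of the first lost probe
    lost: int        # number of consecutive lost probes


def parse_outages(lines):
    """Return the outage windows found in a ping transcript, in order of appearance."""
    outages = []
    run_start = None
    run = 0          # current run of Windows "Request timed out." lines
    last_seq = None  # last icmp_seq seen in a Linux transcript
    for index, line in enumerate(lines):
        seq_match = LINUX_REPLY_RE.search(line)
        if seq_match:
            seq = int(seq_match.group(1))
            if last_seq is not None and seq - last_seq > 1:
                # Probes last_seq+1 .. seq-1 were never answered.
                outages.append(Outage(last_seq + 1, seq - last_seq - 1))
            last_seq = seq
        elif WIN_LOSS_RE.search(line):
            if run == 0:
                run_start = index
            run += 1
            continue
        # Any non-loss line (reply, header, blank) closes an open Windows run.
        if run:
            outages.append(Outage(run_start, run))
            run = 0
    if run:  # transcript ended while probes were still being lost
        outages.append(Outage(run_start, run))
    return outages


def longest_outage(lines):
    """Longest run of consecutive lost probes in a transcript (0 if none)."""
    return max((o.lost for o in parse_outages(lines)), default=0)


def estimated_seconds(lost_probes, timeout_ms=4000):
    """Rough outage duration for Windows ping, which waits its -w timeout
    (default 4000 ms) on each lost probe before sending the next one."""
    return lost_probes * timeout_ms / 1000


def compare_tests(name_a, lines_a, name_b, lines_b):
    """Side-by-side summary so two failover tests are judged by the same metric."""
    a, b = longest_outage(lines_a), longest_outage(lines_b)
    return {name_a: a, name_b: b, "difference": b - a}


# Constructed Windows transcript of the poster's step 1: two lost probes.
STEP1 = """Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=14ms TTL=117
Reply from 8.8.8.8: bytes=32 time=13ms TTL=117
Request timed out.
Request timed out.
Reply from 8.8.8.8: bytes=32 time=15ms TTL=117
Reply from 8.8.8.8: bytes=32 time=14ms TTL=117""".splitlines()

# Constructed Windows transcript of the poster's step 2: four lost probes.
STEP2 = """Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=14ms TTL=117
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 8.8.8.8: bytes=32 time=15ms TTL=117""".splitlines()

# Constructed Linux transcript: probes 4 and 5 were never answered.
LINUX = """PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=12.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=12.4 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=12.0 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=117 time=12.2 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=117 time=12.3 ms""".splitlines()


if __name__ == "__main__":
    print(compare_tests("step 1", STEP1, "step 2", STEP2))
    print(parse_outages(LINUX))
```

In practice you would redirect the continuous ping to a file during each test (for example `ping -t 8.8.8.8 > step1.txt` on Windows) and feed the saved lines to `compare_tests`; running the split version of step 2 (wait for FTD1 to report standby ready before pulling the FTD2 interface) and comparing it against step 1 this way shows whether the extra loss came from the unsettled unit rather than from the failover itself.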
