I got a Cisco FTD cluster (managed by Cisco FMC) deployed in Azure. I have configured loadbalancer so that the traffic is evenly balanced between the two FTDv devices because there is no concept of HA in Azure. The loadbalance are probing (Health Probes) the FTDv on TCP port 22 (SSH) to check the availability of both FTDv's. If the loadbalancer doesn't get a response from FTDv on probes (TCP port 22 SSH) the device is marked as unavailable and no traffic is send to the device.
I have created ACP rules for the probes from Azure IP address 188.8.131.52 and I can see the events. Somehow the Azure can't probe the FTDv's and they are marked as "dead" and no traffic are routed through the firewalls. When this is happening I logged into firewall and it seems everything is working fine and I can't see any blocked events or Azure IP address 184.108.40.206.
Has someone got a similar issue and I hope to receive suggestions on how to troubleshoot this issue.
Provided the routing of this traffic is configured properly, these health probes are "to" the firewall itself and ACP rules are generally meant for traffic which is "through" the firewall, you need to permit SSH via the platform settings attached to this FTD pair.
Navigate to the platform settings, under secure shell select the correct interfaces and permit any-ipv4 address for testing and deploy the policy. Verify the outcome, it would be a good idea to run packet captures if needed.
Alright thats a good first step. Run a capture to see if its landing on the correct interface and there are responses going back to complete a proper 3-way handshake. If it isnt, there's obviously some sort of connectivity failure.