Deploying FTDv HA Pair on Vmware

lm20ele
Level 1

Hello Community,

 

I would like to find out if it is possible to vMotion an A/S pair of FTDvs between two ESX servers.

 

Thanks



UdupiKrishna
Cisco Employee

Yes, vMotion is supported; here are some guidelines to be followed: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/vmware/ftdv/ftdv-vmware-qsg.html#15997

 

We recommend that you only use shared storage if you plan to use vMotion. During Firepower Threat Defense Virtual deployment, if you have a host cluster you can either provision storage locally (on a specific host) or on a shared host. However, if you try to vMotion the Firepower Threat Defense Virtual to another host, using local storage will produce an error. If you do not use shared storage, the VM needs to be powered down for migration to occur.

lm20ele
Level 1

OK, yes, I read this document, but I also wanted to make sure it applies to FTDv HA. I wasn't sure if Live Migration was supported.

 

Can you confirm this is the case?

Yes, this applies to HA deployments too. One of my past experiences with vMotion is FTDv getting into split brain due to loss of connectivity between the firewalls.

A few things to keep in mind:

1. Monitor all the interfaces of the firewall and not just the failover link.

2. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/vmware/ftdv/ftdv-vmware-qsg.html#pgfId-3320895 - This was an important configuration surrounding the vSwitch that I had missed in the past.

Of course, all the prerequisites from the document should be reviewed and addressed (if anything is missing).
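The split-brain condition described in the reply above (both units of the pair believing they are Active after the failover link drops) and the advice to monitor every data interface can both be checked from the text of `show failover`. The script below is an added example, not code from the original thread or from Cisco: it parses constructed `show failover` output in the ASA/FTD style from each unit of a pair, flags the pair as split-brain when both "This host" lines report Active, and lists the data interfaces each unit is not monitoring. The output samples, interface names and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample "show failover" output (ASA/FTD style), not captured from
# a real device. Both units claim Active after the failover link went down.
UNIT_A_OUTPUT = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/2 (down)
This host: Primary - Active
        Active time: 1203 (sec)
          Interface outside (10.1.1.1): Normal (Monitored)
          Interface inside (192.168.1.1): Normal (Not-Monitored)
Other host: Secondary - Failed
        Active time: 0 (sec)
          Interface outside (10.1.1.2): Unknown (Monitored)
          Interface inside (192.168.1.2): Unknown (Not-Monitored)
"""

UNIT_B_OUTPUT = """\
Failover On
Failover unit Secondary
Failover LAN Interface: folink GigabitEthernet0/2 (down)
This host: Secondary - Active
        Active time: 42 (sec)
          Interface outside (10.1.1.1): Normal (Monitored)
          Interface inside (192.168.1.1): Normal (Not-Monitored)
Other host: Primary - Failed
        Active time: 0 (sec)
          Interface outside (10.1.1.2): Unknown (Monitored)
          Interface inside (192.168.1.2): Unknown (Not-Monitored)
"""

# A healthy variant of unit B for comparison: Standby Ready, failover link up.
HEALTHY_B_OUTPUT = (UNIT_B_OUTPUT
                    .replace("Secondary - Active", "Secondary - Standby Ready")
                    .replace("Primary - Failed", "Primary - Active")
                    .replace("(down)", "(up)"))
HEALTHY_A_OUTPUT = UNIT_A_OUTPUT.replace("(down)", "(up)") \
                                .replace("Secondary - Failed", "Secondary - Standby Ready")

HOST_RE = re.compile(r"^This host: (?P<unit>\w+) - (?P<state>.+?)\s*$", re.M)
FOLINK_RE = re.compile(r"^Failover LAN Interface: .*\((?P<state>up|down)\)", re.M)
IFACE_RE = re.compile(
    r"^\s+Interface (?P<name>\S+) \((?P<ip>[^)]*)\): (?P<status>\S+) \((?P<mon>[^)]+)\)", re.M)


@dataclass
class UnitReport:
    unit: str                 # "Primary" / "Secondary"
    state: str                # "Active", "Standby Ready", "Failed", ...
    failover_link_up: bool
    interfaces: dict          # data interface name -> True if monitored


def parse_show_failover(text):
    """Extract this unit's role, state, failover-link state and interface monitoring."""
    host = HOST_RE.search(text)
    if host is None:
        raise ValueError("no 'This host:' line found")
    link = FOLINK_RE.search(text)
    link_up = bool(link) and link.group("state") == "up"
    # Only the interfaces listed under "This host:" belong to this unit.
    other = text.find("Other host:", host.end())
    section = text[host.start(): other if other != -1 else len(text)]
    interfaces = {m.group("name"): not m.group("mon").startswith("Not-Monitored")
                  for m in IFACE_RE.finditer(section)}
    return UnitReport(host.group("unit"), host.group("state"), link_up, interfaces)


def assess_pair(a, b):
    """Return a list of findings for an HA pair; empty list means nothing flagged."""
    findings = []
    if a.state.startswith("Active") and b.state.startswith("Active"):
        findings.append("split-brain: both units report Active")
    if not a.failover_link_up and not b.failover_link_up:
        findings.append("failover link down on both units")
    for r in (a, b):
        unmonitored = sorted(n for n, mon in r.interfaces.items() if not mon)
        if unmonitored:
            findings.append(f"{r.unit}: unmonitored data interfaces: {', '.join(unmonitored)}")
    return findings


if __name__ == "__main__":
    for label, pair in (("after vMotion", (UNIT_A_OUTPUT, UNIT_B_OUTPUT)),
                        ("healthy", (HEALTHY_A_OUTPUT, HEALTHY_B_OUTPUT))):
        reports = [parse_show_failover(t) for t in pair]
        print(label, assess_pair(*reports) or ["no findings"])
```

In practice the two outputs would be collected from each unit separately (for example over SSH), because a unit in split brain cannot report its peer's real state; the point of comparing both "This host" lines is exactly that neither side's "Other host" line can be trusted while the failover link is down.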

@UdupiKrishna 

Regarding "Monitor all the interfaces of the firewall and not just the failover", we found that when the vmnic fails, it doesn't trigger FTDv failover because the vNIC on the vSwitch is still up. What will we need to do for FTDv to fail over when the only vmnic for the FTDv is down?
