Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2350
Views
0
Helpful
4
Replies

Deploying FTDv HA Pair on Vmware

Go to solution
lm20ele
Level 1
Level 1

‎04-13-2022 04:07 PM

Hello Community,

 

I would like to find out if it is possible to vmotion a A/S pair of FTDvs between two ESXs servers.

 

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
UdupiKrishna
Cisco Employee
Cisco Employee
In response to lm20ele

‎04-13-2022 05:17 PM

Yes this applies to HA deployments too. One of my past experiences with vMotion is FTDv getting into split brain due to loss of connectivity between the firewalls.

Few things to keep in mind,

1. Monitor all the interfaces of the firewall and not just the failover

2. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/vmware/ftdv/ftdv-vmware-qsg.html#pgfId-3320895  - This was an important configuration surrounding vswitch that I had missed out in the past.

 

Ofcourse, all the pre-requisites from the document should be reviewed and addressed (if anything is missing)

View solution in original post

0 Helpful
4 Replies 4

Go to solution
UdupiKrishna
Cisco Employee
Cisco Employee

‎04-13-2022 04:49 PM

Yes vMotion is supported, here are some guidelines to be followed - https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/vmware/ftdv/ftdv-vmware-qsg.html#15997

 

We recommend that you only use shared storage if you plan to use vMotion. During Firepower Threat Defense Virtual deployment, if you have a host cluster you can either provision storage locally (on a specific host) or on a shared host. However, if you try to vMotion the Firepower Threat Defense Virtual to another host, using local storage will produce an error. If you do not use shared storage, the VM needs to be powered down for migration to occur.

0 Helpful

Go to solution
lm20ele
Level 1
Level 1

‎04-13-2022 04:54 PM

OK, yes I read this document but I also wanted to make sure it applies to FTDv HA. I wasnt sure if Live Migration was supported.

 

Can you confirm this is the case?

0 Helpful

Go to solution
UdupiKrishna
Cisco Employee
Cisco Employee
In response to lm20ele

‎04-13-2022 05:17 PM

Yes this applies to HA deployments too. One of my past experiences with vMotion is FTDv getting into split brain due to loss of connectivity between the firewalls.

Few things to keep in mind,

1. Monitor all the interfaces of the firewall and not just the failover

2. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/vmware/ftdv/ftdv-vmware-qsg.html#pgfId-3320895  - This was an important configuration surrounding vswitch that I had missed out in the past.

 

Ofcourse, all the pre-requisites from the document should be reviewed and addressed (if anything is missing)

0 Helpful

Go to solution
Amitabha
Level 1
Level 1
In response to UdupiKrishna

‎06-27-2023 05:09 PM

@UdupiKrishna 

Regarding Monitor all the interfaces of the firewall and not just the failover, we found that when the vmnic fails, it doesn't trigger FTDv failover because vnic on the vswitch is still up. What will we need to do for FTDv to failover when the only vmnic for the FTDv is down.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card