Disabling a vlan interface in inside network does not trigger failover

Ditter
Level 4

Hi to all,

There is a port-channel interface that has various sub-interfaces (vlans).

The FTDs are in a high availability pair.

I have configured one specific vlan interface with a primary and a backup IP.

The problem I have is that when I disable this vlan interface (inside zone), although it is configured as a monitored interface, it does not trigger the failover to the second FTD configured with the backup IP.


> show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER-AND-STATE-LINK Ethernet1/12 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1293 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.18(4)210, Mate 9.18(4)210
Last Failover at: 19:19:42 UTC Sep 25 2024
This host: Primary - Active
Active time: 61025 (sec)
slot 0: FPR-2140 hw/sw rev (1.5/9.18(4)210) status (Up Sys)
Interface Eth-Trunk1 (0.0.0.0): Normal (Not-Monitored)
Interface vlan_3 (192.168.90.40/fe80::10): Normal (Monitored)
Interface vlan_27 (192.168.0.1/fe80::10): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Not-Monitored)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Other host: Secondary - Standby Ready
Active time: 196928 (sec)
Interface Eth-Trunk1 (0.0.0.0): Normal (Not-Monitored)
Interface vlan_3 (192.168.90.41/fe80::10): Normal (Monitored)
Interface vlan_27 (192.168.0.2): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Not-Monitored)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)

Finally, a minimum of one interface is configured for the failover, as you can see in the png attached.

interface Port-channel1.3
vlan 3
nameif vlan_3
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.90.40 255.255.255.0 standby 192.168.90.41

and

ip verify reverse-path interface vlan_3

Any ideas why this is not working?

Thanks

Ditter
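One way to check the pasted state mechanically, as an added example that is not part of the original post: a small Python script that parses `show failover` output, pairs each interface across the two units and flags what a failover review would want to see: a peer that is not Standby Ready, monitor state that differs between the units, a monitored interface that has no address on one side (the standby IP case discussed in this thread), a header count that disagrees with the listing, or an interface left in Waiting. The first sample is constructed from the output in the post above; the second sample, in which the standby address of vlan_3 has been removed, and the assumption that such an interface is shown as Waiting rather than Monitored, are mine and not from the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the `show failover` output pasted in the post above
# (names and addresses are the ones shown there; this is not a live capture).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER-AND-STATE-LINK Ethernet1/12 (up)
Interface Poll frequency 5 seconds, holdtime 25 seconds
Monitored Interfaces 2 of 1293 maximum
This host: Primary - Active
Active time: 61025 (sec)
Interface Eth-Trunk1 (0.0.0.0): Normal (Not-Monitored)
Interface vlan_3 (192.168.90.40/fe80::10): Normal (Monitored)
Interface vlan_27 (192.168.0.1/fe80::10): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 196928 (sec)
Interface Eth-Trunk1 (0.0.0.0): Normal (Not-Monitored)
Interface vlan_3 (192.168.90.41/fe80::10): Normal (Monitored)
Interface vlan_27 (192.168.0.2): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Not-Monitored)
"""

# Constructed variant (assumption, not from the thread): the standby address on vlan_3
# was removed, so the peer entry has no IP and the interface check is shown as Waiting.
SAMPLE_NO_STANDBY = SAMPLE_SHOW_FAILOVER.replace(
    "Interface vlan_3 (192.168.90.41/fe80::10): Normal (Monitored)",
    "Interface vlan_3 (0.0.0.0): Normal (Waiting)",
)

HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\): (.+?) \(([^)]+)\)\s*$")
COUNT_RE = re.compile(r"^\s*Monitored Interfaces (\d+) of \d+ maximum")


@dataclass
class Iface:
    name: str
    ipv4: str      # "0.0.0.0" when the interface has no address on that unit
    link: str      # "Normal", "Failed", "Link Down", ...
    monitor: str   # "Monitored", "Not-Monitored" or "Waiting"


@dataclass
class Unit:
    role: str      # "Primary" / "Secondary"
    state: str     # "Active", "Standby Ready", "Failed", ...
    ifaces: Dict[str, Iface] = field(default_factory=dict)


def parse_show_failover(text: str) -> dict:
    """Split the output into the two units and their per-interface monitor state."""
    units: Dict[str, Unit] = {}
    current: Optional[Unit] = None
    parsed = {"failover_on": False, "monitored_count": None, "units": units}
    for line in text.splitlines():
        if line.strip() == "Failover On":
            parsed["failover_on"] = True
        elif m := COUNT_RE.match(line):
            parsed["monitored_count"] = int(m.group(1))
        elif m := HOST_RE.match(line):
            current = Unit(role=m.group(2), state=m.group(3))
            units["this" if m.group(1) == "This" else "other"] = current
        elif (m := IFACE_RE.match(line)) and current is not None:
            name, addr, link, monitor = m.groups()
            # The address field may carry "ipv4/ipv6"; keep the IPv4 part only.
            current.ifaces[name] = Iface(name, addr.split("/")[0], link, monitor)
    return parsed


def audit(parsed: dict) -> List[str]:
    """Return human-readable findings; an empty list means the pair looks healthy."""
    findings: List[str] = []
    if not parsed["failover_on"]:
        findings.append("failover is not enabled")
    this, other = parsed["units"].get("this"), parsed["units"].get("other")
    if this is None or other is None:
        return findings + ["output does not list both failover peers"]
    if this.state == "Active" and other.state != "Standby Ready":
        findings.append(f"peer is '{other.state}', not 'Standby Ready'")
    for name, a in this.ifaces.items():
        b = other.ifaces.get(name)
        if b is None:
            findings.append(f"{name}: listed on this unit only")
            continue
        if a.monitor != b.monitor:
            findings.append(f"{name}: monitor state differs ({a.monitor} vs {b.monitor})")
        if "Waiting" in (a.monitor, b.monitor):
            findings.append(f"{name}: interface check never completed (Waiting)")
        if "Monitored" in (a.monitor, b.monitor) and "0.0.0.0" in (a.ipv4, b.ipv4):
            findings.append(f"{name}: monitored but a peer has no IP (missing standby address?)")
        if a.link != "Normal" or b.link != "Normal":
            findings.append(f"{name}: link state {a.link} / {b.link}")
    monitored = sum(1 for i in this.ifaces.values() if i.monitor == "Monitored")
    if parsed["monitored_count"] is not None and monitored != parsed["monitored_count"]:
        findings.append(f"header says {parsed['monitored_count']} monitored, listing shows {monitored}")
    return findings


if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE_SHOW_FAILOVER), ("standby IP removed", SAMPLE_NO_STANDBY)):
        print(f"[{label}]", audit(parse_show_failover(sample)) or "no findings")
```

Run against the output as posted the audit returns nothing, which matches the thread: both units list vlan_3 and vlan_27 as Monitored with an address on each side, and the peer is Standby Ready. The variant without a standby address produces three findings on vlan_3, which is the condition to look for when an interface that should be monitored quietly stops being checked.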

15 Replies

When you disable that interface it will be disabled on both firewalls, so that would not be considered as a failure from the failover perspective. If you want to simulate a failover, you can turn off the switch port to which the primary firewall inside interface is connected, that should trigger the failover.

Hi @Aref Alsouqi and @MHM Cisco World, I see your point. I will do some trials about this, but I recall that I have tested the scenario you describe and it successfully switches to the failover unit. However, as the various vlans are trunk members, I will have to shut down the trunk of FTD-1 to the attaching switch.

I will let you know about the results.

Thanks,

Ditter

Hi @Aref Alsouqi, what I did in order to simulate the failover was to shut down the physical interface of the FTD that connects to a switch (in fact I shut the FTD interface at the switch side).

This triggered the failover, but with one small detail (I didn't have any monitored interface!!); however, the HA worked fine as the secondary FTD became primary.

How is this possible with no monitored interfaces active?

Thanks,

Ditter

You don't need the standby IP addresses for the failover to happen. Regarding monitoring the interfaces, I think by default they are monitored and, as @balaji.bandi mentioned, the interface monitoring in the case of subinterfaces would work on the physical interface.

Hi @Aref Alsouqi, what is the meaning of the backup IPs in the secondary FTD if they are not needed for the failover to happen?

Thanks,

Ditter

Hi @Ditter, the standby (I think it's called secondary IP on FTD) IP addresses you configure on the data interfaces are not a pre-req for the failover to happen. Those addresses help with checking the status of the interfaces between the failover peers. When an interface is monitored and has a standby IP configured, the local peer will send a summary of that interface's health to the peer. However, if a hardware failure happens on the active firewall, as an example, failover will still happen; also, if the passive firewall doesn't receive any message from the active firewall over the failover control link, that would also trigger the failover.

The standby IP addresses would also help with external monitoring. For instance, if you have a network monitoring tool that checks the devices' availability on the network, then with the standby IP addresses you can do that. Another thing to mention is that when you don't configure the standby IP addresses, the passive firewall's data interfaces would not have any MAC address for those interfaces on the switch. Another use case where the standby IP addresses come in handy is if you want to jump on the passive firewall through its data interfaces; that could also be done. In summary, it is definitely a best practice to configure the standby IP addresses on the data interfaces, but they are not mandatory.

The only scenario that I can think of where you would try to avoid configuring the standby IP addresses would be on the outside interfaces where you have public IP addresses assigned. Configuring a standby IP address on the outside interface in this case would mean consuming an additional public IP address that is sitting there doing nothing in terms of data traffic, so if you have a bunch of spare public IP addresses then that's not an issue; however, if you are limited with the public IP addresses then that could become an issue.

Thanks for the detailed answer @Aref Alsouqi, I got all of your points.

Do you monitor this interface?

MHM

Hi @MHM Cisco World, yes I monitor the interface; it is vlan 3 which is monitored.

Are you using a subinterface as the failover link or state link?

If NO,
then
when you disable the inside interface the active will sync the command to the standby, so the standby will also disable the link. Here there is a tie and there is no failover, since both have one failed link.

You need to:
A- try shutting the link to the active in the SW
B- try removing the cable between the active and the SW

This will force failover.

MHM

Hi @MHM Cisco World, thanks for the reply.

I am using a different physical gig interface for the failover, which is connected to a different switch; that is, FTD-1 is in CR-1 and the failover interface is connected to switch-1, different from the backbone switch where I have the ether-channel interface with all user vlans.

Same picture for FTD-2, which is in CR-2; its failover interface is on a different physical switch from the backbone switch where the user vlans exist.

My question is how the failover works (even if I do not configure monitored interfaces and/or backup IP addresses on the secondary FTD).

I tested it by shutting the trunk port on FTD-1 (primary) without having monitored interfaces and it works fine! Shouldn't there be monitored interfaces for this to work?

That is what I cannot understand.

Thanks 

Ditter.

""without having monitored interfaces and it works fine"" <<<- will investigate that 

thanks for waiting 

MHM

When you remove the IP from the standby and monitor the interface, does the interface go to "waiting" or stay in "monitored"?

When you remove the IP from the standby and use the command to not monitor the interface, does the interface go to "non-monitored"?

MHM

Hi @MHM Cisco World, when I remove the standby IP and the monitored status, the interfaces go to the non-monitored state. I get this forbidden-driving sign under the monitoring column.
