Disabling a vlan interface in inside network does not trigger failover

Ditter
Level 4

Hi to all,

there is a port-channel interface that has various sub-interfaces (vlans).

The FTDs are in a high availability pair.

I have configured one specific vlan interface with primary and backup ip.

The problem I have is that when I disable this vlan interface (inside zone), although it is configured as a monitored interface, it does not trigger the failover to the second FTD configured with the backup IP.


> show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER-AND-STATE-LINK Ethernet1/12 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1293 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.18(4)210, Mate 9.18(4)210
Last Failover at: 19:19:42 UTC Sep 25 2024
This host: Primary - Active
Active time: 61025 (sec)
slot 0: FPR-2140 hw/sw rev (1.5/9.18(4)210) status (Up Sys)
Interface Eth-Trunk1 (0.0.0.0): Normal (Not-Monitored)
Interface vlan_3 (192.168.90.40/fe80::10): Normal (Monitored)
Interface vlan_27 (192.168.0.1/fe80::10): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Not-Monitored)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Other host: Secondary - Standby Ready
Active time: 196928 (sec)
Interface Eth-Trunk1 (0.0.0.0): Normal (Not-Monitored)
Interface vlan_3 (192.168.90.41/fe80::10): Normal (Monitored)
Interface vlan_27 (192.168.0.2): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Not-Monitored)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)

Finally, a minimum of one interface is configured for the failover, as you can see in the png attached.

interface Port-channel1.3
vlan 3
nameif vlan_3
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.90.40 255.255.255.0 standby 192.168.90.41

and

ip verify reverse-path interface vlan_3

Any ideas why this is not working?

Thanks

Ditter
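
Added here as an editorial example, not code from the thread: a small Python parser for the `show failover` output quoted above. It lists, per unit, which monitored interfaces are in a non-Normal health state and compares that count against the configured Interface Policy (a count, or a percentage of monitored interfaces), so you can check whether the policy threshold has actually been reached. The sample text is trimmed from the post; the ceiling rounding used for percentage policies is an assumption.

```python
import re

# Constructed sample, trimmed from the 'show failover' output quoted in the post.
SAMPLE = """\
Interface Policy 1
Monitored Interfaces 2 of 1293 maximum
This host: Primary - Active
Interface Eth-Trunk1 (0.0.0.0): Normal (Not-Monitored)
Interface vlan_3 (192.168.90.40/fe80::10): Normal (Monitored)
Interface vlan_27 (192.168.0.1/fe80::10): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface Eth-Trunk1 (0.0.0.0): Normal (Not-Monitored)
Interface vlan_3 (192.168.90.41/fe80::10): Normal (Monitored)
Interface vlan_27 (192.168.0.2): Normal (Monitored)
"""

POLICY_RE = re.compile(r"^Interface Policy (\d+)(%?)$")
HOST_RE = re.compile(r"^(?:This|Other) host: (\S+) - (.+)$")
# health state may be multi-word ('No Link'); trailing parentheses hold the monitor flag
IFACE_RE = re.compile(r"^Interface (\S+) \([^)]*\): (.+?) \(([^)]+)\)$")


def parse_failover(text):
    """Return (policy, {unit: {ifname: (health_state, monitor_flag)}})."""
    policy, units, unit = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            policy = int(m.group(1)) if not m.group(2) else m.group(1) + "%"
        elif m := HOST_RE.match(line):
            unit = m.group(1)            # 'Primary' / 'Secondary'
            units[unit] = {}
        elif (m := IFACE_RE.match(line)) and unit:
            name, state, flag = m.groups()
            units[unit][name] = (state, flag)
    return policy, units


def failed_monitored(policy, units, unit):
    """Return (policy_met, failed_names) for one unit against the interface policy."""
    ifs = units[unit]
    monitored = [n for n, (_s, f) in ifs.items() if f == "Monitored"]
    failed = [n for n in monitored if ifs[n][0] != "Normal"]
    if isinstance(policy, str):      # percentage policy: ceiling of pct * monitored (assumption)
        threshold = max(1, -(-len(monitored) * int(policy[:-1]) // 100))
    else:
        threshold = policy
    return len(failed) >= threshold, failed
```

Run it against the live output of `show failover` from both units; an interface that shows a non-Monitored flag (for example after an administrative shutdown) is not counted toward the policy, which is the first thing to compare between the two units.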

15 Replies

balaji.bandi
Hall of Fame

I believe this is because you are using a sub-interface. Check the failover scenarios:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-ha.html

Also check some detailed explanation of how that trigger occurs for failover:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215351-configure-verify-and-troubleshoot-port.html

BB
