Firepower 1120 HA + FDM + status/protocol shows down/down

am_rajan
Level 1

I am a rookie, and I was hoping to get some support here.

Let me explain the situation.

I have 2 FP 1120 in an Active-Standby HA configuration.

I am using one failover link as a combined failover/state link, which is interface 1/6.

I am not using the management port; instead I am using one of the data ports, 1/7, for management.

I have LACP configured on the ISP side, hence I have to do an EtherChannel on my outside connection, which means interface 1/1 is configured (on both FPs) as LACP-Active with auto settings on both FPs.

The FP with Primary-Active has an IP of xx.xx.xx.70 and the other FP is Secondary-Standby with an IP of xx.xx.xx.71.

The devices behind the firewall can reach the internet, I can switch mode on both FPs and it fails over fine. But when I check the show interface ip brief, I get confused. Please see the details below.

 

From the Primary-Active FP

> show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

> show interface ip brief
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/0           unassigned      YES           unset  up          up
Port-channel1              xx.xx.xx.70     YES           CONFIG down        down
Ethernet1/1                unassigned      unassociated  unset  down        down
Ethernet1/2                unassigned      YES           unset  admin down  down

 

 

From the Secondary-Standby FP

> show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready
Other host -   Primary
               Active

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

> show interface ip brief
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/0           unassigned      YES           unset  up          up
Port-channel1              xx.xx.xx.71     YES           manual up          up
Ethernet1/1                unassigned      unassociated  unset  down        down
Ethernet1/2                unassigned      YES           unset  admin down  down

 

 

So my question is: why does the Port-channel1 status/protocol show down/down on the Primary-Active unit and up/up on the Secondary (Standby Ready) unit?

I do understand that in an HA active-standby setup the standby unit doesn't allow any connectivity, but here it's the opposite. Plus, why does it show the status/protocol as DOWN?

Any help or suggestion is appreciated.
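As an added example (my own script, not part of the post and not a Cisco tool), here is a small Python checker that parses the two `show interface ip brief` outputs quoted above and flags exactly what the poster is asking about: an addressed data interface that is down/down on the active unit while the same interface is up/up on the standby. The sample text is constructed from the post (addresses masked as in the post, the stray space in the standby address removed). Port-channel member ports marked `unassociated` and admin-down ports are skipped, since neither is expected to carry traffic on its own.

```python
import re

# Constructed samples, patterned on the "show interface ip brief" output in the post.
ACTIVE_BRIEF = """\
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/0           unassigned      YES           unset  up          up
Port-channel1              xx.xx.xx.70     YES           CONFIG down        down
Ethernet1/1                unassigned      unassociated  unset  down        down
Ethernet1/2                unassigned      YES           unset  admin down  down
"""

STANDBY_BRIEF = """\
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/0           unassigned      YES           unset  up          up
Port-channel1              xx.xx.xx.71     YES           manual up          up
Ethernet1/1                unassigned      unassociated  unset  down        down
Ethernet1/2                unassigned      YES           unset  admin down  down
"""

# One table row. Status can be the two-word "admin down", so it is matched explicitly.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>admin down|down|up)\s+(?P<protocol>up|down)\s*$"
)


def parse_ip_brief(text):
    """Parse 'show interface ip brief' into {name: {ip, ok, method, status, protocol}}."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # the header line does not match the row pattern and is skipped
            rows[m["name"]] = m.groupdict()
    return rows


def is_data_interface(row):
    """An interface that carries an address and is neither a bundle member nor admin-down."""
    return (row["ip"] != "unassigned"
            and row["ok"] != "unassociated"
            and row["status"] != "admin down")


def check_unit(role, text):
    """Findings for one unit; role is a label such as 'active' or 'standby'."""
    findings = []
    for name, row in parse_ip_brief(text).items():
        if not is_data_interface(row):
            continue
        if row["status"] != "up" or row["protocol"] != "up":
            findings.append(
                f"{role}: {name} is {row['status']}/{row['protocol']} "
                f"(method {row['method']})"
            )
    return findings


def compare_units(active_text, standby_text):
    """Interfaces whose status/protocol differ between the two units.

    On a healthy pair both units keep their data links up (the standby needs them
    for interface monitoring), so a mismatch points at a link-level problem on one
    side, such as a bundle that never formed on that unit.
    """
    a, s = parse_ip_brief(active_text), parse_ip_brief(standby_text)
    diffs = []
    for name in sorted(set(a) | set(s)):
        ra, rs = a.get(name), s.get(name)
        if ra is None or rs is None:
            diffs.append(f"{name}: present on only one unit")
        elif (ra["status"], ra["protocol"]) != (rs["status"], rs["protocol"]):
            diffs.append(
                f"{name}: active {ra['status']}/{ra['protocol']}, "
                f"standby {rs['status']}/{rs['protocol']}"
            )
    return diffs


if __name__ == "__main__":
    for line in check_unit("active", ACTIVE_BRIEF) + check_unit("standby", STANDBY_BRIEF):
        print(line)
    for line in compare_units(ACTIVE_BRIEF, STANDBY_BRIEF):
        print("MISMATCH", line)
```

Run against the two outputs above, it reports the Port-channel1 down/down on the active unit and the active/standby mismatch on that interface, and nothing else; the same two functions can be pointed at fresh output after a change (such as removing the LACP bundle) to confirm the mismatch is gone.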

24 Replies

Hello MHM,

Just to let you know that I removed the LACP and everything is working fine as normal. Thank you for helping me with the issue, and for clarifying the incompatibility of LACP and HA.

It took some time for me to check on these, hence the delay in response.

I do have some doubts on NAT/ACL, but I will post that in a new thread.

Once again, thank you and have a good day ahead!!

 

 

 

Last point:
When you remove the LACP and configure the interface as normal, please specify the standby IP. This IP will be used for interface monitoring of the FW mate; interface monitoring is important to prevent a split-brain issue.

I think it won't be used unless the failover link is broken.

am_rajan
Level 1

Oh, you are asking to put the standby IP... okay.

Maybe I will elaborate on this once more.

Say I have FTD1 with 192.168.2.1 and FTD2 with 192.168.2.2, and on the outside I have public IP .70 assigned to FTD1 and .71 assigned to FTD2.

So now, are you talking about keeping a standby IP on the public ones or the private ones? Or both?

Both. We need a standby IP; as I mentioned, when the failover link is down, the FW starts sending heartbeats through the monitoring interface, and we need an IP to send these heartbeats.
So you need a standby IP on inside and outside.

I think this would depend on the requirements. If the secondary public IP is needed, then I would say we don't need to assign a standby IP on the outside interface. If it is not needed, then yes, it would be good to assign it to that interface. However, this is recommended but not mandatory, and that IP won't be used for any HA checks unless the HA link is broken between the two firewalls. But even in that case, it is not only that IP that will be the decision maker, in the sense that if you have the standby IP address assigned to the inside interface, I think that would allow the firewalls to check on each other through that link, which would be enough.

I prefer to use two data interfaces for monitoring: one inside and the other outside, or two inside interfaces (in case there are two, sure, with different nameifs).
This is my suggestion, and it is up to him; he can use one or more interfaces for monitoring.
Thanks a lot,
MHM

My understanding is that you can still monitor the interface even if you don't have a standby IP assigned to it. The standby IP's purpose would be for management, troubleshooting, and, as we said, if the HA link gets broken, the firewalls would use the standby IP to check on each other.

I think the monitoring packet is an L3 packet, not an L2 frame, and hence it needs an IP to be exchanged between the two FWs.
So an IP is mandatory for any interface used as a monitoring interface.

That makes sense friend, would be good to test this but unfortunately I don't have any access to any lab to lab it up.
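To tie the last few replies together, here is an added example (my own code, not the poster's configuration and not a Cisco tool) that lints a failover configuration written in ASA/FTD LINA running-config style; that the FDM-managed config appears on the CLI in this form is an assumption. It encodes the rule MHM argues for above: an interface named in `monitor-interface` should carry a `standby` address, because the peer is polled over that interface by IP, and it also warns when fewer than two monitored interfaces have one, matching the "one inside, one outside" preference. The sample config is constructed from the thread (inside 192.168.2.1 with standby 192.168.2.2, outside with the .70 address and no standby yet), using documentation address ranges rather than the poster's real ones.

```python
import re

# Constructed sample config (ASA/FTD LINA syntax assumed), modelled on the thread.
SAMPLE_CONFIG = """\
failover
failover lan unit primary
failover lan interface failover-link Ethernet1/6
failover link failover-link Ethernet1/6
failover interface ip failover-link 10.0.0.1 255.255.255.252 standby 10.0.0.2
!
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.70 255.255.255.248
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
monitor-interface inside
monitor-interface outside
"""

# "ip address <addr> <mask> [standby <addr>]" inside an interface block.
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")


def parse_config(text):
    """Return ({nameif: {interface, nameif, ip, standby}}, set of monitored nameifs)."""
    interfaces, monitored = {}, set()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = {"interface": line.split(None, 1)[1],
                       "nameif": None, "ip": None, "standby": None}
            continue
        if current is not None and line.startswith(" "):
            stripped = line.strip()
            if stripped.startswith("nameif "):
                current["nameif"] = stripped.split(None, 1)[1]
                interfaces[current["nameif"]] = current  # same dict, later lines update it
            else:
                m = IP_RE.match(line)
                if m:
                    current["ip"], current["standby"] = m.group(1), m.group(3)
            continue
        current = None  # any top-level line ends the interface block
        if line.startswith("monitor-interface "):
            monitored.add(line.split(None, 1)[1])
    return interfaces, monitored


def monitored_without_standby(text):
    """Monitored interfaces with no standby address, i.e. no address to poll the peer on."""
    interfaces, monitored = parse_config(text)
    return sorted(n for n in monitored
                  if n in interfaces and interfaces[n]["standby"] is None)


def lint_failover(text):
    """Findings as (severity, message) tuples; empty list means nothing to report."""
    interfaces, monitored = parse_config(text)
    findings = []
    for name in sorted(monitored):
        if name not in interfaces:
            findings.append(("error", f"monitor-interface {name}: no interface has nameif {name}"))
        elif interfaces[name]["standby"] is None:
            findings.append(("error", f"{name} is monitored but has no standby IP; "
                                      "peer polling over this interface needs one"))
    for name, row in sorted(interfaces.items()):
        if name not in monitored and row["standby"] is None:
            findings.append(("warn", f"{name} has neither monitoring nor a standby IP"))
    usable = [n for n in monitored if n in interfaces and interfaces[n]["standby"]]
    if len(usable) < 2:
        findings.append(("warn", f"only {len(usable)} monitored interface(s) with a standby IP; "
                                 "two (one inside, one outside) gives a second opinion when the failover link drops"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_failover(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

On the sample it reports one error (outside is monitored without a standby address) and one warning (only one usable monitored interface); adding `standby 203.0.113.71` to the outside `ip address` line clears both, which is the configuration the thread converges on.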
