
Firepower 1120 HA + FDM + status/protocol shows down/down

am_rajan (Level 1)

I am a rookie, and I was hoping to get some support here.

Let me explain the situation.

I have 2 FP 1120s in an Active-Standby HA configuration.

I am using one failover link as a combined failover/state link, which is interface 1/6.

I am not using the management port; instead I am using one of the data ports, 1/7, for management.

I have LACP configured on the ISP side, hence I have to do EtherChannel on my outside connection, which means interface 1/1 is configured (on both FPs) as LACP-Active with auto settings on both FPs.

The FP with Primary-Active has an IP of xx.xx.xx.70 and the other FP is Secondary-Standby with an IP of xx.xx.xx.71.

The devices behind the firewall can reach the internet, I can do switch mode on both FPs and it fails over fine. But when I check the show interface ip brief, I get confused. Please see the details below.

From the Primary-Active FP

> show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

> show interface ip brief
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/0           unassigned      YES           unset  up          up
Port-channel1              xx.xx.xx.70     YES           CONFIG down        down
Ethernet1/1                unassigned      unassociated  unset  down        down
Ethernet1/2                unassigned      YES           unset  admin down  down


From the Secondary-Standby FP

> show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready
Other host -   Primary
               Active

====Configuration State===
        Sync Done
        Sync Done - STANDBY
====Communication State===
        Mac set

> show interface ip brief
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/0           unassigned      YES           unset  up          up
Port-channel1              xx.xx.xx. 71    YES           manual up          up
Ethernet1/1                unassigned      unassociated  unset  down        down
Ethernet1/2                unassigned      YES           unset  admin down  down


So my question is: why does the Port-channel1 status/protocol show down/down on the Primary-Active and up/up on the Secondary-Standby Ready?

I do understand that in an HA active-standby pair the standby unit doesn't allow any connectivity, but here it's the opposite. Plus, why does it show the status/protocol as DOWN?

Any help or suggestion is appreciated.
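As an added example (this is not code from the thread, from Cisco, or from any FDM/FTD tooling), the following Python script parses the two outputs pasted above and flags exactly the asymmetry the poster is asking about: a data interface that is up/up on the Standby unit while not up/up on the Active unit. The sample outputs are constructed from the thread, with the same placeholder addresses (the stray space in the secondary's address is dropped). The parser assumes the column layout shown in the post; the multi-word status "admin down" is handled by matching each row from both ends instead of splitting on whitespace.

```python
"""Audit an FTD/ASA Active/Standby pair from pasted CLI output.

Parses 'show failover state' and 'show interface ip brief' from both units,
works out which unit is Active, and reports interfaces that are up/up on the
Standby but not on the Active unit. All sample text below is constructed
from the forum post (placeholder addresses as in the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ---- constructed sample output (modelled on the thread) ----
PRIMARY_FAILOVER = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None
"""
PRIMARY_IP_BRIEF = """\
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/0           unassigned      YES           unset  up          up
Port-channel1              xx.xx.xx.70     YES           CONFIG down        down
Ethernet1/1                unassigned      unassociated  unset  down        down
Ethernet1/2                unassigned      YES           unset  admin down  down
"""
SECONDARY_FAILOVER = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready
Other host -   Primary
               Active
"""
SECONDARY_IP_BRIEF = """\
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/0           unassigned      YES           unset  up          up
Port-channel1              xx.xx.xx.71     YES           manual up          up
Ethernet1/1                unassigned      unassociated  unset  down        down
Ethernet1/2                unassigned      YES           unset  admin down  down
"""


@dataclass
class IfaceStatus:
    name: str
    ip: str
    method: str
    status: str      # may be multi-word, e.g. "admin down"
    protocol: str

    @property
    def is_up(self) -> bool:
        return self.status == "up" and self.protocol == "up"


# name, ip, OK?, method are single tokens; status is everything up to the
# last token (protocol). Lazy '.+?' plus the anchored tail handles "admin down".
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)\s*$")


def parse_ip_brief(text: str) -> Dict[str, IfaceStatus]:
    """Parse 'show interface ip brief' into a dict keyed by interface name."""
    rows: Dict[str, IfaceStatus] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue  # blank line or column header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        name, ip, _ok, method, status, proto = m.groups()
        rows[name] = IfaceStatus(name, ip, method, status, proto)
    return rows


# 'This host  -   Primary' followed on the next line by the unit's state.
THIS_HOST_RE = re.compile(
    r"This host\s+-\s+(Primary|Secondary)\s*\n\s+(Active|Standby Ready|Failed)")


def parse_this_host(text: str) -> Tuple[str, str]:
    """Return (role, state) of the unit that produced 'show failover state'."""
    m = THIS_HOST_RE.search(text)
    if not m:
        raise ValueError("could not find the 'This host' block")
    return m.group(1), m.group(2)


def interface_asymmetries(active: Dict[str, IfaceStatus],
                          standby: Dict[str, IfaceStatus]) -> List[str]:
    """Interfaces up/up on the Standby but not on the Active unit. The Active
    unit owns the traffic in Active/Standby HA, so this is the pattern worth a
    look; interfaces down on both units (e.g. an unassociated member port
    such as Ethernet1/1 above) are not reported."""
    return [name for name, a in active.items()
            if not a.is_up and name in standby and standby[name].is_up]


def audit_pair(unit_a: Tuple[str, str], unit_b: Tuple[str, str]) -> dict:
    """Each argument is (failover_state_text, ip_brief_text) from one unit."""
    parsed = []
    for failover_text, brief_text in (unit_a, unit_b):
        role, state = parse_this_host(failover_text)
        parsed.append((role, state, parse_ip_brief(brief_text)))
    active = [p for p in parsed if p[1] == "Active"]
    standby = [p for p in parsed if p[1] != "Active"]
    if len(active) != 1 or len(standby) != 1:
        raise ValueError("expected exactly one Active and one Standby unit")
    return {
        "active_unit": active[0][0],
        "standby_unit": standby[0][0],
        "suspect_interfaces": interface_asymmetries(active[0][2], standby[0][2]),
    }


if __name__ == "__main__":
    result = audit_pair((PRIMARY_FAILOVER, PRIMARY_IP_BRIEF),
                        (SECONDARY_FAILOVER, SECONDARY_IP_BRIEF))
    print(result)  # suspect_interfaces -> ['Port-channel1']
```

Run against the thread's outputs it reports Port-channel1 as the only suspect interface, which matches the poster's observation; a check like this is a quick way to confirm, after the fix described later in the thread, that the Active unit is the one holding up/up on the outside interface.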


24 Replies

The FW HA active/standby doesn't support port channel.

Only cluster supports port channel.

am_rajan (Level 1)

Thank you for your quick response, and forgive me if it's a foolish question.

So basically clusters can have multiple FPs, but all active, whereas HA will be 2 devices with Active/Standby? Is that what you mean?
I was just quickly checking the ASAs we have, and I have 2 ASAs which are again in Active/Standby mode with port channel enabled, but that shows up fine? So is that a limitation of FP?

Not a limitation:
in a cluster you have only one control plane and you can use LACP (port channel);
in FW HA active/standby you have two control planes and hence you cannot configure LACP (channel).

For OUTside you need an L2 switch connecting the ISP and both FPRs, that is what you need.

You can configure port channels on FDM in HA, however, on the FDM side all the port channel cables should be connected to the same device, you can't split them across the two firewalls, otherwise you might get err-disable on the switch side. For example if you want to configure a port channel grouping two interfaces then you would need to connect interfaces ethernet1/1 and ethernet1/2 on the same firewall to the switch. You would then need to do the same on the other FDM. From the switch perspective you would need to configure two port channels, one for the cables coming from FDM 1 and another for the cables coming from FDM 2. So you will have four cables going to the switch, two cables coming from each FDM. If you have two switches in stack then you can connect the FDM ethernet1/1 cable to switch 1 and the cable coming from ethernet1/2 to switch 2, but you can't do this on the firewalls.

am_rajan (Level 1)

Thank you for the responses. 

My topology is like this.

Servers > Switch (Stacked) > Firewall (HA) > Internet (ISP Router Datacenter)

The LACP is configured on port 1/1 and no other ports are added to it. The more I read about this, I think it's better to remove LACP and just have it configured under a normal HA active-standby setup.

So my last question on this matter.

From my ISP I have 2 public IPs (.70 & .71, primary IP and standby IP). Keeping the HA active-standby setup without LACP, I can provide, let's say, .70 to active and .71 to standby and keep that running as a normal active-standby setup, correct?

Is that a correct setup?

 

If the port channel is comprised of one single interface then it doesn't make sense to have it. So as you said, you can just remove it and configure that interface as a normal interface.

Regarding the IP addresses, you don't have to assign each firewall with a different IP unless you want to be able to access the secondary firewall via that IP or you want to use for monitoring such as ping as an example. In that case the second IP would be the standby IP assigned to that interface, but it is not mandatory.

In the Active/Standby HA deployment the firewalls will move the IP and the MAC addresses to the active device. For example, if you configure port1/1 with the IP .70, and the primary is the active, that primary device will respond to any traffic sent to the .70 IP and if a failover should happen, that .70 IP will move to the secondary firewall, so now the secondary firewall will start responding to the traffic destined to the .70.

My recommendation is not to configure a standby IP on the outside interface because you only have two, so the second IP .71 could be useful if you want to create a static NAT rule for something inside your network that needs to be accessed from the external, or maybe you want to dedicate that IP for guest flow so if something bad happens and that IP gets marked as a spammer it doesn't affect your production which would be using the .70.

Thank you for your response. Your response is in line with the documentation I read about the HA functionality, and I agree that it doesn't make sense to have LACP configured with 1 port (I mean, where is the LACP, right?).

That part is clear, thank you.

The primary IP and secondary IP are asked for during the configuration of LACP, so I am not sure whether that will be asked for when we remove the LACP and keep it as a simple and normal HA active-standby configuration. Please have a look at the pic attached.

So this is asked when we configure the LACP. So hopefully it won't be asked for or needed when we remove LACP, correct?

I was kind of confident with the HA part, but when the LACP got integrated into HA, that's when I started getting all confused.

 

 

You're welcome. That will be the same when you remove the port channel interface and you try to configure the interface as a normal interface. However, you don't have to configure that standby IP, you can just ignore it as it is optional.

Super Aref, I really appreciate your support on this matter.

I just want to be done with this today, so I will be making the changes on the firewall and will ask the ISP to remove the LACP settings from their side (uplinks) and will see how it goes. I will keep you posted.

Thank you and have a good day ahead !!

Hello Aref,

Just to let you know that I removed the LACP and everything is working fine as normal. Thank you for helping me with the issue, and clarifying the incompatibility of LACP and HA.

It took some time for me to check on these, hence the delay in response.

I do have some doubts on NAT/ACL but I will post that on a new one.

Once again thank you and have a good day ahead !! 

"From my ISP I have 2 public IPs (.70 & .71, primary IP and standby IP). Keeping the HA active-standby setup without LACP, I can provide, let's say, .70 to active and .71 to standby and keep that running as a normal active-standby setup, correct?" Can you elaborate? I don't get your question here.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html

First, check this guide.

Second, keep in mind that

both FWs and the edge router must ALWAYS share the same subnet.

Thank you for your response.

Yes, they are in the same subnet. I will remove the LACP and see how it works.

Thank you !

You are so welcome.
