Firepower 2100 HA 2nd link not working

Hi all,

 

We have a new setup where we connected our customer links directly to the two Firepower 2100 firewalls (HA pair).
Unfortunately, during a failover the 2nd link of our customer is not working.

 

The new setup is as follows:
2100 firewalls -- customer firewalls

 

In the old setup, where the 2nd link worked, there was a switch between the old firewalls and the customer firewalls:

old firewall -- switch -- customer firewalls

 

I suspect some issue with the MAC addresses & ARP in the new setup.

Is it supported to have a direct connection to another firewall? Or is a switch required between?

 

Can anyone help me?

 

Thanks!

 

2 REPLIES
Hall of Fame Guru

When a Cisco firewall does failover (whether running ASA image or FTD image) the interface IP addresses move to the newly active unit. It sends out gratuitous ARPs on each data interface to notify the neighbor devices of the change in MAC addresses from old active unit to new active unit.

 

So an HA pair needs to have a switch of some type between it and any upstream router (or routed interface on another device such as a firewall).
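
The gratuitous ARP behaviour described in the reply above, as an added example that is not part of the original thread: Python code that parses ARP frames as a neighbor device would capture them and reports each time an IP address moves to a different MAC, flagging whether the update was gratuitous. The frames, IP addresses and MAC addresses are constructed sample data, and the function names are illustrative.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return ARP fields from an untagged Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    # Gratuitous ARP: the sender announces its own address (sender IP == target IP).
    return {"oper": oper, "mac": _mac(sha), "ip": _ip(spa), "gratuitous": spa == tpa}

def binding_changes(frames):
    """Replay frames in capture order and report every IP whose MAC changes."""
    table, events = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        old = table.get(arp["ip"])
        if old is not None and old != arp["mac"]:
            events.append((arp["ip"], old, arp["mac"], arp["gratuitous"]))
        table[arp["ip"]] = arp["mac"]
    return events

def build_arp(oper, sha, spa, tha, tpa, dst=b"\xff" * 6):
    """Build a sample Ethernet + ARP frame (test data only)."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return dst + sha + b"\x08\x06" + header + sha + spa + tha + tpa

# Constructed sample: documentation-range IPs and locally administered MACs.
HA_IP = bytes([192, 0, 2, 1])                # interface IP of the HA pair
PEER_IP = bytes([192, 0, 2, 2])              # the directly connected neighbor
MAC_A = bytes.fromhex("02000000000a")        # MAC seen before failover
MAC_B = bytes.fromhex("02000000000b")        # MAC seen after failover
PEER_MAC = bytes.fromhex("020000000063")
SAMPLE = [
    build_arp(2, MAC_A, HA_IP, PEER_MAC, PEER_IP, dst=PEER_MAC),  # ordinary reply
    build_arp(1, MAC_B, HA_IP, bytes(6), HA_IP),                  # gratuitous ARP
]

if __name__ == "__main__":
    for ip, old, new, garp in binding_changes(SAMPLE):
        print(f"{ip}: {old} -> {new} (gratuitous={garp})")
```

Run against a capture taken on the neighbor's interface during a failover test, an empty result means no ARP update for the moved IP reached that device.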

Highlighted

Thanks for your answer!

Would it help to configure an active/standby MAC address on the appliance in FMC?

Or would a switch still be required?

 
