Firepower 2100 HA 2nd link not working

lsteinha
Level 1

Hi all,

we have a new setup where we connected our customer links directly to the two Firepower 2100 firewalls (HA pair).
Unfortunately, during a failover the 2nd link of our customer is not working.

The new setup is the following:
2100 firewalls -- customer firewalls

In the old setup, where the 2nd link worked, there was a switch between the old firewalls and the customer firewalls

old firewall -- switch -- customer firewalls

I suspect some issue with the MAC addresses & ARP in the new setup.

Is it supported to have a direct connection to another firewall? Or is a switch required between?

Can anyone help me?

Thanks!

2 Replies

Marvin Rhoads
Hall of Fame

When a Cisco firewall does failover (whether running the ASA image or the FTD image), the interface IP addresses move to the newly active unit. It sends out gratuitous ARPs on each data interface to notify the neighbor devices of the change in MAC addresses from the old active unit to the new active unit.

So an HA pair needs to have a switch of some type between it and any upstream router (or routed interface on another device such as a firewall).

Thanks for your answer!

Would it help to configure an active/standby MAC address on the appliance in FMC?

Or would a switch still be required?
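The two replies above turn on one mechanism: after failover the newly active unit sends a gratuitous ARP so that neighbors rewrite their ARP cache entry for the shared interface IP, and a configured active/standby MAC means that entry does not even need to change. The script below is an added illustration, not code from the thread or from Cisco. It builds the gratuitous ARP frame the new active unit would send, parses it, and applies it to a simulated neighbor ARP cache, once for a neighbor that honors unsolicited ARP and once for one that ignores it (the stale-entry situation the original poster suspects). All MAC and IP addresses are constructed sample values, and the "virtual MAC" is a hypothetical stand-in for the active MAC address configured on the HA pair.

```python
import struct
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample addresses for this example (not taken from the thread).
PRIMARY_PHYS_MAC = "00:11:22:aa:aa:01"    # burned-in MAC of the old active unit
SECONDARY_PHYS_MAC = "00:11:22:bb:bb:02"  # burned-in MAC of the new active unit
VIRTUAL_MAC = "00:11:22:cc:cc:ff"         # hypothetical configured active MAC (moves with the role)
OUTSIDE_IP = "192.0.2.1"                  # shared data-interface IP that moves on failover

ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_gratuitous_arp(sender_mac: str, sender_ip: str) -> bytes:
    """Ethernet frame carrying a gratuitous ARP: a broadcast ARP reply whose
    sender and target protocol addresses are both the unit's own IP.
    (Using the reply opcode is an assumption for this example; some stacks
    send a request with the same address fields instead.)"""
    ip = ipaddress.IPv4Address(sender_ip).packed
    eth = _mac(BROADCAST_MAC) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol type IPv4, hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)
    arp += _mac(sender_mac) + ip + _mac(sender_mac) + ip
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame and flag it as gratuitous when sender IP == target IP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet ARP frame")
    _htype, _ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hlen, plen) != (6, 4):
        raise ValueError("unsupported address lengths")
    sha, spa = frame[22:28], frame[28:32]
    tha, tpa = frame[32:38], frame[38:42]
    return {
        "op": op,
        "sender_mac": _mac_str(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": _mac_str(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
        "gratuitous": spa == tpa,
    }


def neighbor_learn(cache: Dict[str, str], frame: bytes,
                   honor_gratuitous: bool = True) -> Optional[Tuple[str, Optional[str], str]]:
    """Apply one ARP frame to a neighbor's ARP cache (ip -> mac).
    Returns (ip, old_mac, new_mac) when the entry changed, None otherwise.
    honor_gratuitous=False models a peer that ignores unsolicited ARP."""
    info = parse_arp(frame)
    if info["gratuitous"] and not honor_gratuitous:
        return None  # stale entry survives: traffic keeps going to the old MAC
    old = cache.get(info["sender_ip"])
    cache[info["sender_ip"]] = info["sender_mac"]
    if old == info["sender_mac"]:
        return None
    return (info["sender_ip"], old, info["sender_mac"])


def simulate_failover(use_virtual_mac: bool,
                      honor_gratuitous: bool = True) -> Tuple[str, Optional[Tuple[str, Optional[str], str]]]:
    """Neighbor already resolved OUTSIDE_IP to the old active unit; then failover
    happens and the new active unit announces itself. Returns the MAC the neighbor
    will use afterwards and the recorded cache change (None if unchanged)."""
    before = VIRTUAL_MAC if use_virtual_mac else PRIMARY_PHYS_MAC
    after = VIRTUAL_MAC if use_virtual_mac else SECONDARY_PHYS_MAC
    cache = {OUTSIDE_IP: before}
    change = neighbor_learn(cache, build_gratuitous_arp(after, OUTSIDE_IP), honor_gratuitous)
    return cache[OUTSIDE_IP], change


if __name__ == "__main__":
    for vmac in (False, True):
        for honor in (True, False):
            mac, change = simulate_failover(vmac, honor)
            ok = "OK" if mac in (SECONDARY_PHYS_MAC, VIRTUAL_MAC) else "STALE"
            print(f"virtual_mac={vmac!s:5} honor_garp={honor!s:5} -> neighbor uses {mac} [{ok}] change={change}")
```

The run prints four cases. Without a configured active MAC, the neighbor ends up with the correct entry only if it processes the gratuitous ARP; a peer that drops unsolicited ARP keeps forwarding to the failed unit's MAC. With a virtual MAC the entry is already right and the gratuitous ARP only serves to update forwarding tables on the path, which is exactly the job a switch between the pair and the customer firewall would perform.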
