Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
878
Views
0
Helpful
2
Replies

Firepower 2100 HA 2nd link not working

lst_Cisco
Level 1
Level 1

‎10-05-2018 02:27 AM - edited ‎03-12-2019 04:12 AM

Hi all,

 

we have a new setup where we connected our customer links directly to the two Firepower 2100 firewalls (HA pair).
Unfortunately, during a failover the 2nd link of our customer is not working.

 

The new setup is following:
2100 firewalls -- customer firewalls

 

In the old setup, where the 2nd link worked, there was a switch between the old firewalls and the customer firewalls

old firewall -- switch -- customer firewalls

 

I suspect in the new setup some issue with the MAC addresses & ARP

Is it supported to have a direct connection to another firewall? Or is a switch required between?

 

Can anyone help me?

 

Thanks!

 

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-05-2018 05:34 AM

When a Cisco firewall does failover (whether running ASA image or FTD image) the interface IP addresses move to the newly active unit. It sends out gratuitous ARPs on each data interface to notify the neighbor devices of the change in MAC addresses from old active unit to new active unit.

 

So an HA pair needs to have a switch of some type between it and any upstream router (or routed interface on another device such as a firewall).

0 Helpful

lst_Cisco
Level 1
Level 1
In response to Marvin Rhoads

‎10-05-2018 09:55 AM

Thanks for your answer!

Would it help to configure a active/standby mac address on the appliance in FMC?

Or would a switch be still required?

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card