Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
866
Views
2
Helpful
5
Replies

Firepower Failover behavior

Go to solution
Wrecktangle
Level 1
Level 1

‎03-14-2023 01:52 PM

Context: Just got an pair of FTD 4140s and 2140s HA configured.  They're at v7.0.5 with vFMC and wondering how the FTDs handle failover scenarios.  For this question, monitoring is enabled for L2 and L3 interfaces and I have a single Inside (access) and Outside (trunked) configured for each appliance (just for the example, not actual config).

The Question: Is there a difference in the failover behavior when an entire appliance goes offline versus when an interface goes offline?  For example and pretty obvious, if my primary (active) 4140 goes offline for whatever reason, the standby will become active.  However, what if an individual interface, L2 or L3, on the primary (active) goes offline?  Does the interface itself failover to the standby?  Or does the entire standby unit become active?

Addt'l Question: Does the failover behavior change when Etherchannel/Port-channels are configured?

Regards,

Wreckt

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Wrecktangle

‎03-14-2023 02:44 PM

If the portchannel was dedicated per interface, then all interfaces would need to go down to dictate a failover.

If you were using sub interfaces on the portchannel and the sub interface went down, that would cause a failover.

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎03-14-2023 01:57 PM - edited ‎03-14-2023 01:58 PM

@Wrecktangle by default the failure of an interface on the Active Firewall (whether it's physical or logical) would cause the standby FTD appliance (the entire standby unit) to become active.

0 Helpful

Go to solution
Wrecktangle
Level 1
Level 1
In response to Rob Ingram

‎03-14-2023 02:34 PM

@Rob Ingram wrote:(whether it's physical or logical) would cause the standby FTD appliance (the entire standby unit) to become active.

Assuming this includes etherchannel/port-channels (logical), why would one use an etherchannel/port-channel say in the case of a 2 or 4-port etherchannel if it will failover if any of those ports go down?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Wrecktangle

‎03-14-2023 02:44 PM

If the portchannel was dedicated per interface, then all interfaces would need to go down to dictate a failover.

If you were using sub interfaces on the portchannel and the sub interface went down, that would cause a failover.

Go to solution
Wrecktangle
Level 1
Level 1
In response to Rob Ingram

‎03-14-2023 04:03 PM

Appreciate the enlightenment!

0 Helpful

Go to solution
Eric R. Jones
Level 4
Level 4

‎03-14-2023 02:16 PM

This is the information I used when deploying our FTD's with FMC frontend. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-ha.html

 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card