FirePower HA Problem when FTD change status Failed to Standby

VuongLe · ‎05-19-2019

Hello,

I have 2 FTD join FMC and config HA with FTD1 roles Primary and Active, FTD 2 roles Secondary and Standby.

I connected 2 FTD with 2 Switch via 2 Port-channel. (attach image).

2 Switches run stack.

I had problem when Port channel 11 down so FTD 2 changed status from Standby to Failed and everything is OK.

but when I up Port channel 11, FTD 2 changes status from Failed to Standby and sent ARP to my switch. After that, switch update ARP of Active IP of 2 FTD to Port channel 11 ( traffic sent to FTD 2 standby ) so system is DOWN.

I must clear arp-cache of switch to change ARP and switch sent traffic via Port channel 10, after that it's OK.

Is problem in Switch or FTD ?

What does FTD 2 do when it change status from Failed to Standby ?

Marvin Rhoads · ‎05-20-2019

When an FTD appliance (or ASA for that matter) goes from Secondary-Failed to Secondary-Standby status, it should not affect the adjacent devices. Only when it goes from Secondary-Standby to Secondary-Active should it send out a gratuitous ARP taking over the primary IP for its interfaces.

It would be interesting to see the failover configuration and a capture of the relevant ARP traffic taken during an event such as you describe. It may be easier though to open a TAC case and have them take a look at it in real time.

VuongLe · ‎05-21-2019

Thanks Marvin, I opened TAC case and we are troubleshooting