Firepower vmotion work around

DSMCisco2010 · ‎03-21-2017

Is there a work around for firepower vmotion. I vmotioned my firepower VM and network traffic stop. I had to migrate the VM back to the initial physcial host for traffic to flow.

My concern is:

1. What if the physical server the VM resides on stopped working?

2. Will I be able to shutdown the VM and migrate it to another physical host or will it only work on the physical host it currently resides on.

3. If the host has issues and vMotions the firepower vm via HA, then the network will be down again until somebody manually restarts the firepower module?

Oliver Kaiser · ‎03-24-2017

I think you are already aware that vmotion is not supported for virtual NGIPS/FTD. Theoretically it should work (RARP is sent after vMotion, so if you have a distributed portgroup with promiscuous mode active on both hosts traffic forwarding should work without issues) but no firewall vendors will support it since there could be traffic disruption due to vmotion.

To work around this limitation you could use HA. Bundle two virtual FTDs into an HA pair using FMC. If you only want to rely on infrastructure HA using vMotion you would have to calculate with downtime if your host is down. If the VM resides on a shared storage and the same portgroup is available on another host, it will work fine, rebooting on another host works.

Considering your third question... I dont think a reboot will be required but I will check that in my lab and get back to you. :)