Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
909
Views
6
Helpful
8
Replies

Firewall Active/Standby failover in case of Failover or state link

Go to solution
inhamit
Level 1
Level 1

‎04-24-2023 09:33 PM

Hi, I want to know if any or both of the Failover or state link between firewall failed which is required for HA configuration, which firewall will be active, How we can come to know that HA link between firewalls goes break to take the corrective action?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎04-25-2023 12:30 AM - edited ‎04-25-2023 01:21 AM

@inhamit if the failover/state link fails there will be no failover, so the current active firewall will remain active. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/high-availability.html

Monitor the firewall and individual interfaces using SNMP, this will alert you of the interface failure.

View solution in original post

8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

‎04-25-2023 12:30 AM - edited ‎04-25-2023 01:21 AM

@inhamit if the failover/state link fails there will be no failover, so the current active firewall will remain active. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/high-availability.html

Monitor the firewall and individual interfaces using SNMP, this will alert you of the interface failure.

Go to solution
DanielP211
VIP Alumni
VIP Alumni

‎04-25-2023 12:43 AM

Hello inhamit,

No FW will become active, the FW's will test the other links before the split-brain scenario. I would still recommend you configure the failover link over a redundant link (in this case you have the option for redundancy on HA link). To monitor the interfaces use monitor ifname.

An example of config would be:

interface Redundant 1
member-interface GigabitEthernetX/X
member-interface GigabitEthernetX/X


failover
failover lan unit primary
failover lan interface failover Redundant1
failover replication http
failover link failover Redundant1
failover interface ip failover X.X.X.X XX.XX.XX.0 standby X.X.X.Y


****Kindly rate all useful posts*****

Go to solution
inhamit
Level 1
Level 1
In response to DanielP211

‎04-25-2023 01:41 AM

Can we have redundant link for both state and failover link? what is the difference between Failover and State link?

Go to solution
MHM Cisco World
VIP
VIP
In response to inhamit

‎04-25-2023 02:04 AM

Firepower Management Center Configuration Guide, Version 6.4 - High Availability for FTD [Cisco Secure Firewall Management Center] - Cisco

you can use PO for failover BUT there is some note you need to check, see above link 

for what different the different the failover link excahnge the config and heartbeat between two FW and status exchange the connection status (replication of traffic status)

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎04-25-2023 01:08 AM

Both exchange message through the other interface' when standby detects that specific percentage of monitors interface is not receive messages then standby will become active.

Here cisco recommends to faster detect failover and repair it' otherwise you will face splits brain.

Go to solution
MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎04-25-2023 01:47 AM - edited ‎04-25-2023 01:54 AM

check above 

Go to solution
inhamit
Level 1
Level 1
In response to MHM Cisco World

‎04-25-2023 02:03 AM

So the best way to have redundant link for Failover and State link between the firewall total 2 dedicated ports on each firewall. can we have redundant link for state link? Any config?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card