FMC Breaking HA questions?

Dear all,

I have three FTD 2100 devices running version 6.2.3, connected to and managed by a virtual FMC (6.2.3). Two of the three FTDs are configured in HA mode, as attached.

I want to break the HA so that FTD_02, which is the active unit (as attached), keeps working and processing traffic normally.

1- By clicking the Break button, what happens?

As stated by Cisco, all configuration on the standby will be erased except the ACP. Is that right?

2- FTD_1, which was the standby (172.31.99.26): I want to remove it from the virtual FMC along with its Smart License. Is the command > configure manager delete on the FTD itself enough for that?

 

3- Step 5 here (https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html) states that on the primary FTD all failover configuration is removed but the standby IPs remain, and on the standby FTD all configuration is removed. Can I stop there, as step 6 (disabling HA) will result in both FTDs being removed from the FMC, and I want to keep the primary one as it is?

 

4- If step 6 in the above link is mandatory, will suspending HA fulfill my requirement? My requirement is to fully delete the standby FTD while the primary FTD keeps working and processing traffic, to have enough time to add the standby FTD to another FMC (an FMC 1000), to make sure all the configuration on the FMC 1000 matches the virtual FMC, and then to switch the cables from the virtual FMC to the FMC 1000 so that the FMC 1000 and the FTD added to it process the traffic.

 

5- Finally, delete the primary FTD from the virtual FMC and add it to the FMC 1000 after creating HA between it and the FTD added before. In that case the FTD that was primary on the virtual FMC becomes standby on the FMC 1000, and vice versa.

 

Hope to get full answers, and thanks in advance.

 

regards,

 

 

1 Reply

Abheesh Kumar
VIP Alumni

Hi,

First of all, please take a maintenance window for this activity. So your plan is to move the HA FTD pair from the vFMC to the FMC 1000 with the same FMC IP, right?

My suggestion is to go with a different IP for the FMC, as there is already a standalone FTD 2120 registered on the vFMC.

 

Let's begin.

Step 1: Break HA from the device menu on the FMC. This will break HA, and all configuration of the standby FTD will be erased except the ACP. Both FTDs now become standalone on the FMC.

Step 2: Delete the old standby FTD from the vFMC.

Step 3: Log in to the old standby FTD CLI, delete the manager and add the new manager IP (FMC 1000).

Step 4: Add the old standby FTD to the new FMC 1000 and make sure the ACP on the vFMC is the same as on the FMC 1000.

Step 5: Interface and routing configuration needs to be done after adding the old standby FTD to the FMC 1000.

Step 6: Unplug the cables (Inside/Outside/DMZ) from the old primary FTD, as there will be an IP conflict when you configure the primary's IPs on the old standby FTD.

Step 7: Deploy the configuration and check the connection events for traffic.

Step 8: Delete the old primary FTD from the vFMC, log in to the CLI of the old primary FTD, delete the manager and add the new manager (FMC 1000).

Step 9: After adding the old primary FTD to the FMC 1000, add it to HA.

Step 10: Verify HA 😊😊😊😊

 

Hope this Helps

Abheesh
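The FTD CLI side of Steps 3, 8 and 10 above, as an added example that is not part of the original question or reply. The FMC 1000 management IP (198.51.100.10) and the registration key (MyRegKey123) are placeholders I have assumed; use your own values, and add the optional NAT ID as a third argument to configure manager add only if NAT sits between the FTD and the FMC. The echoed output lines are abbreviated and indicative of the 6.2.x CLI, not a captured session.

```text
# --- On the old standby (FTD_1), after it has been deleted from the vFMC (Step 2) ---
> show managers
No managers configured.

# If a manager is still listed here, the device was not deleted cleanly from the
# vFMC; remove the stale registration before re-homing:
> configure manager delete

# Point the unit at the FMC 1000 (IP and key are assumed placeholders):
> configure manager add 198.51.100.10 MyRegKey123
Manager successfully configured.

> show managers
Host                      : 198.51.100.10
Registration              : pending
# "pending" stays until you complete Devices > Device Management > Add > Device on the
# FMC 1000 with the same IP/key (Step 4); afterwards it reads "Completed".

# --- On the old primary (FTD_2), after it has been deleted from the vFMC (Step 8) ---
> configure manager delete
> configure manager add 198.51.100.10 MyRegKey123
> show managers

# --- After the new HA pair is formed on the FMC 1000 (Step 9), on either unit ---
> show failover
```

Do the FMC-side deletion (Steps 2 and 8) before running configure manager delete on the device, so the FMC releases the device record and its Smart License entitlement rather than leaving an orphaned entry; then check show failover on both units to confirm which one is Active and which is Standby Ready before declaring Step 10 done.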

 
