FMC - FTD (Primary Unit) is not participating in HA.

bibek_deo
Level 1

Dear All,

I have a standalone FMC managing 2 FTDs in HA. Recently I observed that the primary unit is showing as disabled and the secondary has taken over as active.

 

During troubleshooting:

  1. It was found that I could not ping the Manager (FMC) from the primary unit [FTD].
  2. I could see there is no tunnel communication happening (communication on port 8305 is showing in listen mode).
  3. I am not able to ping the primary unit's [FTD] own management IP or the default gateway [the management IPs of FMC, FTD and Firewall Chassis Manager are part of the same VLAN (subnet)].
  4. But I can ping the FTDs from Firewall Chassis Manager and I am able to log in to the primary unit [FTD].
  5. When I checked the interface status in the primary unit [FTD] it shows 'STATUS' "Admin down" & protocol "UP" on the Data and Failover ports.
  6. The primary unit [FTD] is shown in HA as "Standalone".
  7. I am assuming that for some reason the primary unit [FTD] stopped participating in HA.
  8. The logical device in Firewall Chassis Manager is online and FTD is showing operational.
  9. It means there is no issue in the FTDs [I don't want to know at this moment why the primary unit is not participating in HA].

To resolve the issue, below is my POA:

  1. Break HA in FMC [I do not think there will be any outage].
  2. Delete the FTD from FMC.
  3. Register the FTD back to FMC.

My queries, for which I would welcome suggestions from the forum:

1. How do I add the FTD back to HA? [Note it is the Primary unit of the HA.]

2. When I add it to HA, how do I ensure the secondary unit [which is now active] will not take the configuration from the Primary unit, and that the whole configuration will not get erased?

 

I will appreciate it if someone can help me to mitigate the risk; I would be thankful if anyone shares a solution based on experience.

 

Thanks

Bibek

 

 

3 Replies

Eric R. Jones
Level 4

Here is our experience with something similar.

 

I broke our HA a few weeks ago to fix interface configurations. At that time both units, FW1 and FW2, kept their configurations. We had to de-register the secondary from FMC since we wanted to keep the configuration that was already on the primary. We removed the HA link between the two and brought the primary back online. Once that was stable we registered the secondary with FMC. We then reconnected the HA link between the two and started the HA configuration from scratch. Of course this wiped the secondary configuration and copied over the primary configuration. We don't have the Firewall Chassis Manager so I'm not sure how that plays into the mix.

It sounds like you don't want the configuration on the secondary to get wiped.

I'm not sure how that's going to work because from my reading it will always get wiped when introduced into HA.

I would suggest reading up on the "sync" function once you get both units re-registered with the FMC and the management interface issue fixed.

We too have had some odd issues with FMC/FTD HA working as expected/advertised. 

 

Hi,

 

Thanks for sharing your experience. Actually, the configuration got wiped out from my Primary unit [I don't know the reason] and everything is working on the Secondary unit.

 

The failover-link, State link and Data ports are showing Status "admin down" on the primary unit, whereas the failover-link port and State link port are showing Status "admin up" in the Secondary unit. So I believe the configuration is wiped out.

 

My risk factor is that the Secondary should not copy the configuration from the Primary unit, so I am planning to perform the below POA:

  • Remove the cables from the failover-link, State link and Data ports of the primary unit [No service impact as the primary unit is already down]
  • I will have access to the Primary unit through the management IP, which is also the IP used for the tunnel between the Primary FTD and FTD
  • Break HA in FMC [I do not think there will be any outage as my Primary unit is already down]
  • Delete the Primary FTD from FMC and wait to check stability
  • Register the Primary FTD back to FMC.
  • Connect only the cables on the failover-link and State link ports.
  • Configure HA and observe that both FTDs are online and do a SYNC [the Primary unit should copy the configuration from the Secondary unit; the secondary unit will still be active]
  • Now connect the data ports and observe that everything is fine [Verify both FTDs are online and normal]
  • Configure some rules, deploy, and observe that everything is fine.
  • Switch over the traffic to the Primary unit and observe.
  • Configure some rules, deploy, and observe that everything is fine.

 

Please suggest if I am missing anything or if there should be a change in the POA.

 

BR

Bibek

 

That sounds like a plan.

I probably would have gone with your steps: remove cabling, remove the previous Primary from FMC and re-add it, then recreate the HA by making the secondary the primary, provided the now-secondary has the proper configs.

In either case, won't the down primary have all the proper configs by default from the up secondary once you re-introduce HA?

I'm asking because you mention doing a sync.

Sorry if I'm missing something in your steps that provides this answer.

Please post your results, as we have had some issues with how HA works when breaking it or restarting one of the FTDs.

We had an issue where selective sites were not accessible.

The logs point to a PAT pool exhaustion episode.

 

ej
