
FMC HA on Azure supported or not? Version 7.2 in 2023

Carlos T
Level 1

Hi,

Please can you confirm if FMC H.A is supported on Azure? I am running version 7.2.

One document does not mention Azure, and the other does mention it:

According to the 7.2 FMC Admin guide, H.A is only supported on VMware, AWS and OCI; Azure is not mentioned.

Cisco Secure Firewall Management Center Administration Guide, 7.2 - High Availability [Cisco Secure Firewall Management Center] - Cisco

 

Virtual Platform Requirements

Requirements for establishing high availability (HA) using two management center virtual appliances:

  • Supported on management center virtual for VMware, AWS, and OCI.
  • Supported on management center virtual 10, 25, and 300. Not supported on management center virtual 2.
  • The high availability pair must have the same device management capacity. For example, you cannot pair the management center virtual 25 with the management center virtual 300.
  • To manage threat defense devices, you need two identically licensed management center virtual instances, as well as one threat defense entitlement for each managed device. If you are managing Version 7.0 and earlier Classic devices only, you do not need management center virtual entitlements. For more information, see License Requirements for Management Center High Availability Configurations.

 

 

The FMC Getting Started guide mentions that it is supported on Azure:

Cisco Secure Firewall Management Center Virtual Getting Started Guide - Deploy the Management Center Virtual On the Microsoft Azure Cloud [Cisco Secure Firewall Management Center Virtual] - Cisco

 

High Availability support

  • Management Center Virtual High Availability (HA) is supported on the management center virtual models.
  • To establish the management center virtual HA, management center virtual requires an extra management center virtual license entitlement for each Secure Firewall Threat Defense (formerly Firepower Threat Defense) device that it manages in the HA configuration. However, the required threat defense feature license entitlement for each threat defense device has no change regardless of the management center virtual HA configuration. See License Requirements for threat defense devices in a High Availability Pair in the Secure Firewall Management Center Device Configuration Guide for guidelines about licensing.
  • If you break the management center virtual HA pair, the extra management center virtual license entitlement is released, and you need only one entitlement for each threat defense device. See High Availability in the Secure Firewall Management Center Device Configuration Guide for more information and guidelines about high availability.

 

 

Thanks,

CT

7 Replies

Marvin Rhoads
Hall of Fame

I was told by a Cisco product manager that the feature did not make the cutoff date for 7.2 in the Azure environment.

Some of the Cisco docs have not been updated to reflect this fact.

Thanks Marvin,

I see the latest release available to download is 7.3.1.

Maybe they can confirm if for 7.3.1 H.A for FMC is supported on Azure?

 

Thanks,

CT

Maybe they can confirm if on 7.3.1 is

 

 

A year later and still no HA for FMC in Azure???

Can anyone please confirm that this is still the case?

Thanks

B33b5
Level 1

Thanks.

I am running 7.4.2-172 and have HA configured and fully synced, so it fails over when I manually switch the peers.

In Azure, if I stop/shut down the VM/Primary FMC, it doesn't fail over to the Secondary FMC, making this Active.

Instead the secondary FMC advises Primary FMC is down.

HA Sync Failed:
No connection between high availability Management Centers
Both Management Centers are configured to run in standalone mode.
 
The bottom line throws me when they aren't in this suggested 'standalone mode' when you HA them as otherwise it'll not be HA'd

Any ideas?

I have usually found FMC HA to be more trouble than it's worth. I believe having good off-device backups is a more useful and operationally sustainable approach.

In any case, when communications are re-established, the HA sync should pick back up.

If it doesn't, you can manually break and then re-establish HA as needed following the steps in the admin guide:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/740/management-center-admin-74/system-ha.html#ID-2242-0000044e
