FMC HA with RA VPN config

Hello.

We plan to deploy an additional FMCv to achieve HA setup.

The existing FMCv manages a pair of FTDs with RA VPN configuration.

The official documentation states the below, which really confuses me.

About Remote Access VPN High Availability

If the primary device has Remote Access VPN configuration with an identity certificate enrolled using a CertEnrollment object, the secondary device must have an identity certificate enrolled using the same CertEnrollment object. The CertEnrollment object can have different values for the primary and secondary devices due to device-specific overrides. The limitation is only to have the same CertEnrollment object enrolled on the two devices before the high availability formation.

Has anyone else created an FMC HA setup using RA VPN config and did you configure a CertEnrollment object on the Secondary FMC before the HA formation?

Thank you in advance!

4 Replies

Marvin Rhoads (Hall of Fame)

I have created an FTD HA setup using RA VPN config. I usually just have the certificate created from an external CSR (openssl or such) and thus have the certificate and private key and issuing CA chain all bound into a nice pkcs12 file that can be used as a cert enrollment for both members of the HA pair.
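The workflow Marvin describes, as an added example that is not part of the thread: generate the key and CSR outside FMC with openssl, get the CSR signed, and bundle key, identity certificate and issuing chain into one PKCS#12 file that can be imported as the same cert enrollment on both members of the FTD HA pair. So that the script runs offline, it stands up a throwaway local CA inline and signs the CSR with it; in practice the CSR goes to your real enterprise or public CA and you collect that CA's chain instead. The hostname, file names and export password are assumptions, and the final function performs the checks worth running before importing the bundle into FMC (private key matches the certificate, the certificate verifies against the bundled chain, the SAN carries the VPN hostname).

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Cisco.
# Builds and sanity-checks a PKCS#12 bundle (key + identity cert + CA chain)
# from an externally generated CSR. The CA below is a throwaway test CA so the
# script runs offline; replace sign_csr with submission to your real CA.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"            # scratch directory (assumption)
VPN_FQDN="${VPN_FQDN:-vpn.example.com}"      # RA VPN headend name (assumption)
P12_PASS="${P12_PASS:-ChangeMe-Export-Pass}" # export password entered on FMC import (assumption)

# Throwaway issuing CA standing in for the real one.
make_test_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/ca.key" -sha256 -days 365 \
    -subj "/CN=Test Issuing CA" -out "$WORKDIR/ca.crt"
}

# Private key and CSR for the headend, generated outside FMC.
make_csr() {
  openssl genrsa -out "$WORKDIR/vpn.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/vpn.key" -sha256 \
    -subj "/CN=$VPN_FQDN" -addext "subjectAltName=DNS:$VPN_FQDN" \
    -out "$WORKDIR/vpn.csr"
}

# Sign the CSR; the SAN and serverAuth EKU are what a real CA would issue for a VPN headend.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$VPN_FQDN" > "$WORKDIR/ext.cnf"
  openssl x509 -req -in "$WORKDIR/vpn.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORKDIR/ext.cnf" \
    -out "$WORKDIR/vpn.crt" 2>/dev/null
}

# Bundle key, identity certificate and issuing chain into one PKCS#12 file.
make_p12() {
  openssl pkcs12 -export -inkey "$WORKDIR/vpn.key" -in "$WORKDIR/vpn.crt" \
    -certfile "$WORKDIR/ca.crt" -name "$VPN_FQDN" \
    -passout "pass:$P12_PASS" -out "$WORKDIR/vpn.p12"
}

# Pre-import checks: key matches cert, cert verifies against the bundled chain, SAN is correct.
verify_p12() {
  openssl pkcs12 -in "$WORKDIR/vpn.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -modulus | openssl dgst -sha256 > "$WORKDIR/cert.mod"
  openssl pkcs12 -in "$WORKDIR/vpn.p12" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
    | openssl rsa -noout -modulus 2>/dev/null | openssl dgst -sha256 > "$WORKDIR/key.mod"
  cmp -s "$WORKDIR/cert.mod" "$WORKDIR/key.mod" || return 1
  openssl pkcs12 -in "$WORKDIR/vpn.p12" -passin "pass:$P12_PASS" -nokeys -cacerts 2>/dev/null \
    > "$WORKDIR/chain.pem"
  openssl pkcs12 -in "$WORKDIR/vpn.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl verify -CAfile "$WORKDIR/chain.pem" >/dev/null 2>&1 || return 1
  openssl pkcs12 -in "$WORKDIR/vpn.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName | grep -q "DNS:$VPN_FQDN"
}

# Whole pipeline; returns non-zero if any step or check fails.
build_bundle() { make_test_ca && make_csr && sign_csr && make_p12 && verify_p12; }
```

Run `build_bundle` and import `$WORKDIR/vpn.p12` with the export password as a PKCS#12 cert enrollment in FMC, then enroll it on both FTD HA members; because the private key is generated outside the device, the same bundle is valid on either unit. The `-addext` and `-ext` options need OpenSSL 1.1.1 or later.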

Hello Marvin.

Thank you for the prompt reply.

Your suggestion works well in case you have, as you also state, the CSR created in an external way.

In our case the CSR was created from within FMC, and the cert was enrolled directly to the FTD.

So, I can't figure out a way to enroll the cert on the Secondary FMC before the HA formation, since at that point that FMC will not have any devices registered!

In any case, in the way the documentation is written, I cannot understand what is the actual requirement for the Secondary FMC. If it requires the existence of the same CertEnrollment object, how can this be enrolled without registered devices?

Sorry for the confusion - my original reply even had the error in it.

I believe the documentation is talking about the FTD HA members, not the FMC members. It is the managed FTD devices that have cert enrollments, not the FMCs (although the enrollments are pushed from the FMC to the managed devices). When you add a secondary FMC as HA with the primary, everything needed from the primary should copy over automatically.

I agree, it makes more sense for the doc to be talking about the FTD HA setup.

Yet again, this is referenced on the FMC HA chapter!

Pretty confusing in my opinion.

Thank you very much Marvin for your thoughts on this!
