Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1593
Views
0
Helpful
5
Replies

FMC high availability

Vishnu_RR
Level 1
Level 1

‎01-30-2021 05:33 AM

Dear team,

Its new setup. There are 2 FMC such as fmc1 and fmc2 but not in HA.

 2 perimeter firewall (p1 and p2) and 2 internal firewalls(i1 and i2) added in the fmc1. 

fmc1, p1, i1 running from last few months where fmc2, p2, i2 were powered off.

 

Recently fmc2, p2 , i2 powered on. Now i have to setup HA between fmc1 and fmc2. both fmc1 and fmc2 running 6.4.0.9 software version and same snort update version.

 

what are the precautions do i need to take.

 

0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-30-2021 06:14 AM

What model is your FMC? Until recently (i.e., 6.7), only hardware models (not VMs) could be used to create HA.

In any case, I would first move to the latest recommended release (6.6.1) for the FMC at least.

After that, you can then create FMC HA by following this guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/firepower_management_center_high_availability.html

0 Helpful

Vishnu_RR
Level 1
Level 1
In response to Marvin Rhoads

‎01-31-2021 08:53 PM

Hi Marvin,

we are using the hardware model 2600 FMC. both FMC currently running with 6.4.0.9 software version and FTD also running with same software versions.

shall I upgrade from 6.4.0.9 to 6.6.1 directly ?

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Vishnu_RR

‎01-31-2021 10:57 PM

Yes - 6.6.1 is the first Firepower release to allow direct upgrade to the minor release version from a previous major release train.

0 Helpful

lm20ele
Level 1
Level 1

‎10-28-2021 09:41 AM

Configuration steps seem simple, did you encounter any issue?

 

Reading at the Configuration guide to build the HA pair I am reading a note under "Using CLI ro Resolve Device Registration in Firepower Management Center High Availability" where it says:

 

If you do an RMA of Secondary Firepower Management Center or add a Secondary Firepower Management Center, the managed FTDs are unregistered and as a result, their configuration may be deleted.

 

I got a little confuse here since that is what I am doing. Adding a Secondaru Firepower Management Center. why would it says the configuration of FTD will be deleted?

0 Helpful

Vishnu_RR
Level 1
Level 1

‎10-30-2021 03:14 AM

Hi,

No issues in FMC HA. There is no option to configure a dedicated interface for FMC HA. so we have to use the same interface where we use it to register FTDs to FMC.

 

we can use a Fiber port that supports 10G.

 

suppose if the secondary FMC got replaced, then whatever configuration is in that secondary FMC will be deleted. but you can see the configuration in Primary FMC.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card