FMCV-HA configuration issue

adity
Level 1

Hi Members,

We have two infrastructures running in my network; the active one is running on Nutanix and the standby on VMware.

Now we have one FMCv installed on Nutanix and currently manage the FW via the Nutanix FMC. We have installed the same version of FMCv on VMware, and when we try to configure FMCv HA I am getting the error (attached).

ISSUE:

When my active infra crashes, we don't have the ability to access the firewall.

I am requesting you to kindly help me.

9 Replies

Marvin Rhoads
Hall of Fame

Cisco considers FMC on different hypervisors as different "models". The peers in an HA pair must be the same model.

adity
Level 1

Marvin, same model as in...?

The hypervisors are different, and because of this I am getting the issue. Could you please help me with some alternative solutions, because when anything happens on my primary servers we are not able to access the FMC.

Correct me if my understanding is incorrect.

"Same model" for FMC on a VM means the same Hypervisor. It is not supported to have FMCv on VMware be an HA peer with FMCv on Nutanix.

My experience in production across > 100 deployments is that FMC is very rarely unavailable unless the underlying virtualization infrastructure is unavailable. So have a good backup stored remotely to recover quickly in the event that it does happen.

Also, FMC HA introduces more complexity and increases the chance of encountering operational problems itself for the few customers I have seen using it.

Marvin,

Please suggest how we can access the firewall when failover happens on the infra, because my active and standby platforms are different.

Please suggest Cisco's best practice, because when any failover happens, during that time our team is totally clueless about what needs to be checked or how to access the FW logs, etc.

If you want active-standby FMCv in an HA setup then you need to build both FMCvs on the same type of hypervisor.

If you want to check the firewalls themselves in the event of an HA firewall failover to find out why failover happened, that can be done via the FTD cli with the command "show failover history".
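The transition table that `show failover history` prints on the FTD CLI is easy to read by eye on one unit, but when you are collecting it from several firewalls over SSH while the FMC is down it helps to pull out the role changes and their reasons programmatically. The script below is an added example and not part of this thread or any Cisco tool; the sample output embedded in it is constructed to match the CLI's layout (a timestamp line followed by a From State / To State / Reason line), and the timestamps, states and reasons in it are made up for illustration. The helper names are my own.

```python
"""Parse the transition table printed by the FTD/ASA command
`show failover history` and report the transitions that changed the
Active role, so the reason for a failover can be read from a CLI
capture without the FMC.

Added example, not from the Cisco Community thread. SAMPLE_OUTPUT is
a constructed sample in the CLI's layout; its values are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a timestamp line, then a line with three
# fixed-width columns (From State, To State, Reason).
SAMPLE_OUTPUT = """\
==========================================================================
From State                 To State                   Reason
==========================================================================
06:09:08 UTC Dec 12 2019
Not Detected               Negotiation                No Error

06:09:10 UTC Dec 12 2019
Negotiation                Just Active                No Active unit found

06:09:11 UTC Dec 12 2019
Just Active                Active Drain               No Active unit found

06:09:12 UTC Dec 12 2019
Active Drain               Active Applying Config     No Active unit found

06:09:12 UTC Dec 12 2019
Active Applying Config     Active Config Applied      No Active unit found

06:09:12 UTC Dec 12 2019
Active Config Applied      Active                     No Active unit found

14:22:31 UTC Dec 14 2019
Active                     Failed                     Interface check
"""

# Matches "HH:MM:SS TZ Mon DD YYYY" as the CLI prints it.
TIMESTAMP_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2} [A-Z]{3,4} [A-Z][a-z]{2} \d{1,2} \d{4}$"
)


@dataclass(frozen=True)
class Transition:
    when: str
    from_state: str
    to_state: str
    reason: str


def parse_failover_history(text: str) -> List[Transition]:
    """Turn the CLI output into a list of Transition records."""
    transitions: List[Transition] = []
    pending_ts: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the "====" rules and the column header.
        if not line or line.startswith("=") or line.startswith("From State"):
            continue
        if TIMESTAMP_RE.match(line):
            pending_ts = line
            continue
        if pending_ts is None:
            continue  # a state line with no preceding timestamp; ignore it
        # Columns are separated by runs of two or more spaces; state names
        # themselves contain only single spaces.
        fields = re.split(r"\s{2,}", line)
        if len(fields) != 3:
            raise ValueError(f"unexpected line in failover history: {raw!r}")
        transitions.append(Transition(pending_ts, fields[0], fields[1], fields[2]))
        pending_ts = None
    return transitions


def role_changes(transitions: List[Transition]) -> List[Transition]:
    """Keep only transitions where the unit gained or lost the Active role
    (intermediate Active Drain / Active Applying Config steps are dropped)."""
    return [
        t for t in transitions
        if ("Active" in t.from_state) != ("Active" in t.to_state)
    ]


def summarize(text: str) -> str:
    """One line describing the most recent role change, for a quick triage."""
    changes = role_changes(parse_failover_history(text))
    if not changes:
        return "no role changes recorded"
    last = changes[-1]
    return f"{last.when}: {last.from_state} -> {last.to_state} ({last.reason})"


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```

Paste the real capture from each unit in place of the constructed sample (or read it from a file); the last role change on the unit that went to Failed is the one to start from, and its Reason column says why the failover happened.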

adity
Level 1

But let's suppose that during that time I need to do some configuration on the firewall; then what do I need to do?

If you only have one FMC and it is unavailable, then you cannot make changes in the managed firewalls during that time.

adity
Level 1

This is a very big loophole, because I have multiple customers which have an environment like ours.

If you set up FMC HA as specified in the configuration guide, it works fine to provide high availability. Otherwise, recover from whatever error is causing the only FMC to go offline in order to regain configuration ability.

You can also opt for cloud-delivered FMC (cdFMC) which is Cisco's SaaS offering for FMC. In that case, Cisco manages all of the infrastructure required to provide uninterrupted service.
