04-04-2024 06:58 AM
Hi Members,
We have 2 infras running in my network; the active one is running on Nutanix and the standby on VMware.
Now we have one FMCv installed in the Nutanix, and we currently manage the FW via the Nutanix FMC. We have installed the same version of FMCv in the VMware, and when we try to configure the FMCv HA, I am getting the error (attached).
ISSUE:
When my active infra crashes, we don't have the ability to access the firewall.
I am requesting you to kindly help me.
04-04-2024 08:49 AM
Cisco considers FMC on different hypervisors as different "models". The peers in an HA pair must be the same model.
04-04-2024 10:56 PM
Marvin, same model as in???
The hypervisors are different; because of this I am getting the issue. Could you please help me with some alternative solutions, because when anything happens on my primary servers we are not able to access the FMC.
Correct me if my understanding is incorrect.
04-05-2024 06:08 AM
"Same model" for FMC on a VM means the same Hypervisor. It is not supported to have FMCv on VMware be an HA peer with FMCv on Nutanix.
My experience in production across > 100 deployments is that FMC is very rarely unavailable unless the underlying virtualization infrastructure is unavailable. So have good backups stored remotely to recover quickly in the event that it does happen.
Also, FMC HA introduces more complexity and increases the chance of encountering operational problems itself for the few customers I have seen using it.
04-08-2024 06:38 AM
Marvin,
Please suggest how we can access the firewall when a failover happens on the infra, because my active and standby platforms are different.
Please suggest the Cisco best practice, because when any failover happens, during that time our team is totally clueless about what needs to be checked or how to access the FW logs etc.
04-08-2024 09:14 AM
If you want active-standby FMCv in an HA setup then you need to build two FMCv, both on the same type of hypervisor.
If you want to check the firewalls themselves in the event of an HA firewall failover to find out why failover happened, that can be done via the FTD cli with the command "show failover history".
04-09-2024 02:18 AM
But let's suppose during that time I need to do some configuration on the firewall; then what do I need to do?
04-09-2024 05:02 AM
If you only have one FMC and it is unavailable, then you cannot make changes in the managed firewalls during that time.
04-15-2024 05:14 AM
This is a very big loophole, because I have multiple customers which have environments like ours.
04-15-2024 05:22 AM
If you set up FMC HA as specified in the configuration guide, it works fine to provide high availability. Otherwise, recover from whatever error is causing the only FMC to go offline in order to regain configuration ability.
You can also opt for cloud-delivered FMC (cdFMC) which is Cisco's SaaS offering for FMC. In that case, Cisco manages all of the infrastructure required to provide uninterrupted service.