Solved: FTD 2100 HA Pair

benolyndav · ‎03-03-2021

Hi

We have a Pair of FTD 2100 in HA I have been tasked with breaking this HA pair as we are reverting to single device, i cant seem to find any decent documentation on this can anyone point me to this and also provide instructions on breaking the pair succesfully and then bring the single device online again.?

P.s i will be using FMC for this

Thanks

Rob Ingram · ‎03-03-2021

@benolyndav

You seem to be confusing step 5 under "Task 6 - Disable HA" with "Task 5 Break the HA pair".

Task 5 makes no mention of requiring to run that command you provided. Just run the steps in the task 5 section to break the HA.

View solution in original post

Rob Ingram · ‎03-03-2021

Hi @benolyndav

Have you seen this cisco guide:-

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html#anc5

It has a section covering breaking the HA configuration, once the HA configuration is broken the secondary device has the configuration removed and you can re-deploy.

HTH

benolyndav · ‎03-03-2021

Hi Rob
So am I correct here
To remove HA pair for the 2100's

1. delete high availability
2. on both devices run configure high-availability disable
3. ?? not sure what the next step is ??

Thanks

Rob Ingram · ‎03-03-2021

Follow Task 5. Break the HA Pair in that guide. Which will break the HA and erase the configuration on the Standby node except the ACP. The configuration will be retained on the Primary node.

benolyndav · ‎03-03-2021

Hi

Still a bit confused here (apologies). are you saying that only step 5 is needed to completely delete HA pair, then do i just redeploy policies from FMC to primary unit ? no reboot required ??

Step 5. Run this command to remove the failover configuration from the FTD devices:

> configure high-availability disable
High-availability will be disabled. Do you really want to continue?
Please enter 'YES' or 'NO': yes
Successfully disabled high-availability.

Rob Ingram · ‎03-03-2021

@benolyndav

You seem to be confusing step 5 under "Task 6 - Disable HA" with "Task 5 Break the HA pair".

Task 5 makes no mention of requiring to run that command you provided. Just run the steps in the task 5 section to break the HA.

Sheraz.Salim · ‎03-03-2021

Thats correct no reboot required. and redeploy the policy.

please do not forget to rate.

benolyndav · ‎03-03-2021

Hi sheraz

I was confusing the two tasks

Thankyou

Sheraz.Salim · ‎03-03-2021

From FMC you can break the HA pair

As a best practice you can remove all data cables (except management and HA cables) from the secondary device.

When you break HA, the configured interfaces on the standby device are automatically disabled.

please do not forget to rate.

benolyndav · ‎03-03-2021

Hi Sheraz

I'm wanting to completely remove HA and just have one device??

Thanks

Sheraz.Salim · ‎03-03-2021

@benolyndav as mentioned by @Rob Ingram once you break the HA you have one device only. follow the Task5

Task 5. Break the HA Pair

please do not forget to rate.

Eric R. Jones · ‎03-03-2021

Here is a screenshot of where you break HA on the FMC using "light" view of
the FMC UI.

Eric R. Jones · ‎03-03-2021

Ha, pic's don't appear if attached to an email I guess.

No problem everyone answered before me.