FTD Failover Issue post Version Upgrade

NeWGuy1109
Level 1
Level 1

Hello,

 

I ran an upgrade on my FTDs, which are in HA (Active/Standby), from 6.4.0 to 6.6.1 via FMC. The entire procedure completed successfully; however, both members became active/active once the upgrade finished, and the traffic is now fluctuating between the two firewalls. This is causing loss of service, as these are supposed to work in Active/Standby mode. The failover link is up and reachable from both firewalls, and manual demotion on either member is also not working; it gives the message "peer link is not active and switch is not possible".

 

Please help here.

 

Thanks

4 Replies

Hi @NeWGuy1109 

Are you able to push policy to both FTDs?

Please provide the output of "show failover".
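An added check, not posted by anyone in this thread: it reads the "This host" / "Other host" lines of each unit's `show failover` output and classifies the pair, flagging the active/active split described in the question. The two outputs below are constructed samples in the ASA/FTD format, not captures from the poster's devices.

```python
import re

# Constructed 'show failover' excerpts (not real output from this thread);
# only the lines this check reads are included.
UNIT_A = """Failover On
Failover unit Primary
Failover LAN Interface: failover-link Ethernet1/8 (up)
This host: Primary - Active
Other host: Secondary - Failed
"""
UNIT_B = """Failover On
Failover unit Secondary
Failover LAN Interface: failover-link Ethernet1/8 (up)
This host: Secondary - Active
Other host: Primary - Failed
"""


def parse_failover(text):
    """Return this unit's role and state, and the peer state as this unit sees it."""
    this = re.search(r"This host:\s*(\w+)\s*-\s*(.+)", text)
    other = re.search(r"Other host:\s*(\w+)\s*-\s*(.+)", text)
    enabled = re.search(r"^Failover (On|Off)", text, re.M)
    return {
        "failover_on": bool(enabled and enabled.group(1) == "On"),
        "role": this.group(1) if this else None,
        "state": this.group(2).strip() if this else None,
        "peer_state": other.group(2).strip() if other else None,
    }


def check_pair(out_a, out_b):
    """Classify an HA pair from each unit's own view of the failover state."""
    a, b = parse_failover(out_a), parse_failover(out_b)
    if not (a["failover_on"] and b["failover_on"]):
        return "failover-disabled"
    if a["state"] == "Active" and b["state"] == "Active":
        # Both units claim Active: they cannot see each other over the failover link.
        return "split-brain"
    if {a["state"], b["state"]} == {"Active", "Standby Ready"}:
        return "healthy"
    return "degraded"


if __name__ == "__main__":
    print(check_pair(UNIT_A, UNIT_B))  # split-brain
```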

balaji.bandi
Hall of Fame
Hall of Fame

Something has gone wrong. Check the HA link. It looks like, in the network, they are not able to see each other; that is the reason it becomes active/active. So check the HA/sync link between the FTDs. Is this an appliance (which model) or a VM?

 

For now, to make it stable, shut down one of them (the one originally configured as Standby) and investigate whether there is any physical issue and whether the failover history shows you more information.

 

BB


Hi,

It seems that the upgrade broke the failover config. If you are able to ping the failover interface from each firewall, then your failover config is broken.

Next steps for easy service restoration:

1. On one of the units, shut down all interfaces from the connected switches except the MGMT interface and the failover interface (or, easier, unplug the cables from the FTD if you have physical access).
2. Take a device backup of the active unit (managed backup).
3. Delete both units from FMC (this won't cause any service interruption).
4. Schedule downtime to wipe the active unit and restore the backup using FMC (this will take around 30 minutes to restore the config, assuming that you completed the image upgrade already).
5. Wipe the secondary unit and add it to FMC.
6. Create an HA pair to sync the config from the active to the standby unit.


If you manage to restore the peer link, then great; otherwise, this is what you need to do.

On a side note, 6.4.0.x is the worst image I have used, and I always recommend jumping away from it before starting any config.

Here is the link for backup and restore.

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/backup_and_restore.html


Had to involve TAC for it; they are still looking into it.

However, it seems something went wrong during the upgrade itself, which is unexplained at this point in time.
