Solved: FTD Failover VIP and some basic Qs on FTD

Ramakrishnan V · ‎01-22-2024

Dear Folks,

After quite long time I am seeking some help from Cisco community I have few Qs on FTD & FMC

1. In Cisco, there is two types of HA[except Cluster] A/A and A/S in both cases there is no concept of VIP/floating IPs? Instead We suppose to configure IP address on each A and P device with an IP, that IP address get exchange during FO? Is that correct?

2. If we managing FTD from FMC, in the even of FMC failure how do we manage FTD, FTD will be accessible through SSH/FTDM? IN general If I remember correctly FTD will not allow SSH by default?

Regards,

Ram

Rob Ingram · ‎01-22-2024

@Ramakrishnan V correct, there is no VIP - each FTD has it's own IP address and the IP address is swapped on failover. So the primary IP address is still the same regardless of which FTD is active.

An FTD managed by the FMC is manageable via SSH, but you still need to deploy policies via FMC.

View solution in original post

Aref Alsouqi · ‎01-22-2024

Hi Ramakrishnan, as already mentioned by @Rob Ingram and @MHM Cisco World, there is no concept of floating IP address when you configure HA on the ASA/FTDs. The HA concept on the ASA/FTDs is different than what you would do with HSRP and I think Juniper devices.

With HA on the ASA/FTDs when the active device goes down, its interfaces IP addresses and their MAC addresses will be moved to the secondary device which will become the primary. From the network endpoints perspective nothing would change because the secondary device will now have the same IP addresses and same MAC addresses, so no ARP updates are required.

Regarding managing the FTD in case the FMC is down, that is a bit tricky. Because even if you can access the FTD via SSH, you won't be able to configure the FTD with anything but using the little set of commands available. For example, say you want to remove an access list entry, changing an IP, add a security rule, etc, many of those tasks won't be possible, and the only way to configure or interact with them would be through the FMC.

View solution in original post

Rob Ingram · ‎01-22-2024

@Ramakrishnan V correct, there is no VIP - each FTD has it's own IP address and the IP address is swapped on failover. So the primary IP address is still the same regardless of which FTD is active.

An FTD managed by the FMC is manageable via SSH, but you still need to deploy policies via FMC.

MHM Cisco World · ‎01-22-2024

https://rayka-co.com/lesson/cisco-ftd-high-availability/

we use management interface to register FTD to FMC
and there is no VIP, the host will use the active IP as GW.
MHM

Aref Alsouqi · ‎01-22-2024

Hi Ramakrishnan, as already mentioned by @Rob Ingram and @MHM Cisco World, there is no concept of floating IP address when you configure HA on the ASA/FTDs. The HA concept on the ASA/FTDs is different than what you would do with HSRP and I think Juniper devices.

With HA on the ASA/FTDs when the active device goes down, its interfaces IP addresses and their MAC addresses will be moved to the secondary device which will become the primary. From the network endpoints perspective nothing would change because the secondary device will now have the same IP addresses and same MAC addresses, so no ARP updates are required.

Regarding managing the FTD in case the FMC is down, that is a bit tricky. Because even if you can access the FTD via SSH, you won't be able to configure the FTD with anything but using the little set of commands available. For example, say you want to remove an access list entry, changing an IP, add a security rule, etc, many of those tasks won't be possible, and the only way to configure or interact with them would be through the FMC.

Ramakrishnan V · ‎01-22-2024

Thank you so very much @Aref Alsouqi @Rob Ingram @MHM Cisco World