Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
403
Views
1
Helpful
5
Replies

FTD H/A split brain issues

Go to solution
Chess Norris
Level 4
Level 4

‎05-22-2025 12:34 AM

Hello,

A customer has around 20 H/A pairs of FTD 1010's that are managed by a cdFMC.  Recently I saw some alerts in the FMC saying "High availability is in split brain"

When I Iogin to the FTD's and do a "show failover state", both FTD's says communication errors and they are both active. However, the failover interface is up on both firewalls and there is no switch between. It's only a cable directly connected on interface 1/8 between the two FTD's.

Could it still be a cable issue even though both the status and the protocol is up when checking with "show interface IP brief" or could it be something else?

When trying to do a deploy, I get the following error when deploying "Deployment is not possible for this HA pair as both units are active. Correct the failover link else try force breaking the HA pair."

 

Thanks

/Chess

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Chess Norris
Level 4
Level 4

‎05-23-2025 06:58 AM

TAC belive we are hitting the following defect https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh17965 

The workaround was to delete and re-create the port-channel, but that's need to be done in FXOS. Normally we can only do configuration changes in FXOS on the bigger chassi firewalls (4100/9300) Smaller firewalls let us access FXOS, but we cannot do any changes to the configuration. However, TAC had a backdoor making it possible to commit changes in FXOS. 

/Chess

View solution in original post

5 Replies 5

Go to solution
ahollifield
VIP
VIP

‎05-22-2025 05:13 AM

It could be, can you ping across that link? Some other configuration issue? What version?

0 Helpful

Go to solution
Chess Norris
Level 4
Level 4
In response to ahollifield

‎05-23-2025 01:02 AM

I discovered something really strange on the primary FTD. We are using physical Ethernet1/1 and 1/2 as a port-channel. When doing a "show ip int brief", It says the port-channel is up but the physical interfaces are both down and unassociated. Never seen this before. How can the port-channel be upp if the physical interfaces are down?

firepower# show int ip brie
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Port-channel1 unassigned YES unset up up

Ethernet1/1 unassigned unassociated unset admin down down
Ethernet1/2 unassigned unassociated unset admin down down

/Chess

 

 

0 Helpful

Go to solution
Tshepo
Level 1
Level 1
In response to Chess Norris

‎05-23-2025 02:06 AM

Hi, did you end up resolving this ?

If so, how ?

0 Helpful

Go to solution
Chess Norris
Level 4
Level 4

‎05-23-2025 06:58 AM

TAC belive we are hitting the following defect https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh17965 

The workaround was to delete and re-create the port-channel, but that's need to be done in FXOS. Normally we can only do configuration changes in FXOS on the bigger chassi firewalls (4100/9300) Smaller firewalls let us access FXOS, but we cannot do any changes to the configuration. However, TAC had a backdoor making it possible to commit changes in FXOS. 

/Chess

Go to solution
Network Diver
Level 3
Level 3

‎05-25-2025 09:46 PM

Frightning ... LACP port-channeling must be a pretty new and experimental technology!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card