Re: FTD HA Packet tracer different result for primary and secondary

Wonxie · ‎11-16-2023

Hi,

I have two FTD's in HA managed by FMC. When i run a trace using same criteria on both the FTDS from FMC ui, i get differnt results on the primary active and secondary standby. sample traces are given below.

Is it normal that only the primary active (or Active) pair will show the allow result and the Secondary being standby always drop ?

this is output from primary active

and this is from secondary standby

Regards,

MHM Cisco World · ‎11-16-2023

check other traffic like ICMP not TCP
TCP the active is build TCP conn and sync to standby I think that why you see different

tvotna · ‎11-17-2023

Yes, this is correct behavior for all traffic types.

Marius Gunnerud · ‎11-17-2023

The standby unit will always show the packet as dropped as it is not supposed to forward traffic. Also, we do not see an output interface in the packet-tracer which leads me to believe that you do not have the standby IP configured, but this will not affect the result of the packet-tracer.

Here is the result of one of my active/standby units (which has standby IP configured) for reference:

packet-tracer input LAN tcp 10.10.10.10 12345 8.8.8.8 443
Result:
input-interface: LAN(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 30004 ns
Drop-reason: (fo-standby) Dropped by standby unit, Drop-location: frame 0x000055f8794d0dfc flow (NA)/NA

And this is the output from the Active device

packet-tracer input LAN tcp 10.10.10.10 12345 8.8.8.8 443
Result:
input-interface: LAN(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 294143 ns

--
Please remember to select a correct answer and rate helpful posts