Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9157
Views
0
Helpful
3
Replies

FTD HA Packet-Tracer Output

mumbles202
Level 5
Level 5

‎10-13-2020 11:03 PM

Working on a pair of 2130s running 6.2.3.12 and setup in HA.  Having some issues with traffic passing from 1 interface to another even though the policies look correct.  At present the secondary unit is the Active unit in the pair.  If i go into advanced troubleshooting on the secondary (Active) unit and go through packet-tracer I get this result:

 

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Device_Management
output-status: up
output-line-status: up
Action: drop
Drop-reason: (fo-standby) Dropped by standby unit

 

However if I run through the same packet-tracer on the primary (now Standby unit) I get this:

 

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Device_Management
output-status: up
output-line-status: up
Action: allow

 

I'll have access to some equipment tomorrow to actually get a packet capture for review but was curious as to why I'm seeing the results I am in packet-tracer.  I saw a bug (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf72068/?rfs=iqvred) but that applies to different devices and these units aren't in transparent mode.

3 people had this problem
0 Helpful
3 Replies 3

Aref Alsouqi
VIP
VIP

‎10-14-2020 01:14 AM

Never came across this before, but it looks like a bug to me. Based on my experience, the FTD 6.2.3.x is not stable and has a bunch of bugs. I would raise a TAC if upgrading it is not an option.

0 Helpful

Marius Gunnerud
VIP
VIP

‎10-14-2020 02:06 AM - edited ‎10-14-2020 02:10 AM

Could you issue show failover on the standby (active) unit just to verify the failover status.  Also, Could you check the connected switch ARP table to verify that the standby FTD MAC address has been associated with the Active unit IP.

Also, you say that the bug you posted applies to different devices, which devices do you have installed?

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

mumbles202
Level 5
Level 5
In response to Marius Gunnerud

‎10-14-2020 06:10 AM

Thanks for the reply.  Going directly to the FTDs the Primary unit was in fact the Active and the FMC was wrong.  Forcing the re-sync corrected the status.  

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card