FTD HA Pair Using Several Thousand MAC Addresses

Mike Wagner
Level 1

Hi Everyone,
Posting here in a last-ditch effort. Any help is greatly appreciated. Cisco TAC, despite the hefty fee we pay, is very unresponsive.
We have two Firepower 4110 units in an HA Active/Standby cluster. The "outside" interfaces of these two FTD boxes are connected to a 2960-X switch stack on an L2 VLAN, as are the "inside" interfaces of our two edge ASR 1002-X routers. This is due to not having enough 10Gb ports on the ASRs to connect both FTDs to each ASR. The ASRs are in HSRP mode, and iBGP is configured so that our backup connection kicks in whenever the main one goes down. The setup is fully redundant and has worked for over 6 months.
Recently the outside interface of the FTD HA pair has been becoming unresponsive at random. The only way I could make the FTD pair's outside interface responsive again was to reboot the 2960-X switch stack or flip the active/standby units on the HA pair. Since it's Saturday and there aren't many people in, I was able to delve into this much further when it happened again this morning...
What I found is that the 2960-X stack is showing over 8k MAC addresses on the port that the active FTD unit is plugged into. It should only be one (that of the active outside interface on the HA pair), as it's an L3 interface on the FTD side.
Like I said, this issue comes and goes, so I rebooted the switch stack, and we're back down to the normal amount of MAC addresses.
This is a wild theory, but I never did set up active/standby MACs on the HA pair when I created it. Everything I read indicates this should not be a problem. However, I decided to go ahead and set them up now as a last-ditch effort. As soon as I created them and hit deploy, the deployment hung at 20% for a very long time. I then used OmniQuery to remove the deploy. I rebooted the FTDs and FMC. Unfortunately, even though OmniQuery shows no more status 7 tasks, the task is still showing in FMC as In Progress... (%) - no number for the percent!
Any ideas are greatly appreciated! I'm at my wits' end!
Thanks!
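A quick triage check for the symptom described in the post above (thousands of MAC addresses learned on a switchport that should only ever see the one MAC of the FTD outside interface). This is an added example, not code from the original poster or from Cisco: it parses constructed `show mac address-table` output in Cisco IOS format, and the port names (Te1/0/1 facing the active FTD, Te1/0/2 facing an ASR) and the per-port limits are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `show mac address-table` output (IOS format), not taken
# from the post. Te1/0/1 is assumed to face the active FTD outside interface,
# so anything beyond a single DYNAMIC entry on it is suspicious.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Te1/0/1
 100    0011.2233.4456    DYNAMIC     Te1/0/1
 100    0011.2233.4457    DYNAMIC     Te1/0/1
 100    00aa.bbcc.0001    DYNAMIC     Te1/0/2
 100    00aa.bbcc.0002    DYNAMIC     Te1/0/3
 All    0100.0ccc.cccc    STATIC      CPU
Total Mac Addresses for this criterion: 6
"""

# One table row: vlan, dotted-hex MAC, entry type, port. Header and total
# lines do not match because they carry no MAC in this format.
MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)


def parse_mac_table(text):
    """Return {port: set(mac)} for DYNAMIC entries only (static/CPU ignored)."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m and m.group("type").upper() == "DYNAMIC":
            ports[m.group("port")].add(m.group("mac").lower())
    return dict(ports)


def find_anomalies(ports, expected, default_limit=50):
    """Return {port: count} for ports learning more MACs than expected.

    expected maps ports with a known single L3 neighbour (FTD outside, ASR
    inside) to their allowed count; other ports use default_limit.
    """
    return {p: len(macs) for p, macs in ports.items()
            if len(macs) > expected.get(p, default_limit)}


def oui_spread(macs):
    """Distinct OUIs among a port's MACs: one OUI points at a single device,
    many OUIs at a bridged segment or a flood of learned addresses."""
    return len({m.replace(".", "")[:6] for m in macs})
```

Running `find_anomalies(parse_mac_table(output), {"Te1/0/1": 1, "Te1/0/2": 1})` on a real capture flags any FTD- or ASR-facing port that has started learning extra addresses, which is the condition worth alerting on before the stack needs a reboot.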

15 Replies

The best course of action would be to work with Cisco TAC, as you already mentioned you opened a case with Cisco. If you are not happy with your TAC engineer you can always request a change of engineer, or you could even request a senior TAC engineer. Once you make this request, Cisco TAC cannot deny putting you through to a senior network engineer.
As we do not have much information on a few bits of detail, personally I would recommend working with TAC to get this issue sorted.

please do not forget to rate.