FTD High Availability with FMC

robinandjiang
Level 1

Hi,

I have two ASA 5545 firewalls with the FirePOWER service; the firewalls are configured as High Availability without problem.

Now I am trying to set up two FTDs as High Availability on the FMC. Both of them are registered on the FMC and in the same group, but when I tried to add them as High Availability, I got the error message "There are not enough devices to form a high availability pair".

My questions:

1. Do I need extra licensing for the FTD HA, apart from the Malware, URL Filtering and Protection/Control licensing?

2. Do I need to set up a second failover link for the two SFR modules? I already have a failover link for the firewall HA; can I share this link for the FTD HA?

Or is there something else I am missing on the FMC?

Thanks for the help.

Accepted Solution

Hello robinandjiang,

The feature that you are talking about is not supported.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html#pgfId-1485679

Guidelines for ASA FirePOWER
Failover Guidelines
Does not support failover directly; when the ASA fails over, any existing ASA FirePOWER flows are transferred to the new ASA. The ASA FirePOWER module in the new ASA begins inspecting the traffic from that point forward; old inspection states are not transferred.

You are responsible for maintaining consistent policies on the ASA FirePOWER modules in the high-availability ASA pair (using FireSIGHT Management Center) to ensure consistent failover behavior.

ASA Clustering Guidelines
Does not support clustering directly, but you can use these modules in a cluster. You are responsible for maintaining consistent policies on the ASA FirePOWER modules in the cluster using FireSIGHT Management Center. Do not use different ASA-interface-based zone definitions for devices in the cluster.

You can have ASA HA as they normally would, but the SFR modules themselves are not HA in the same sense that they would have a failover link. Once the ASA fails over, the other SFR module will start inspecting traffic. But you will not be able to do an HA configuration on the FMC CLI for SFR modules.

I hope this helps to explain it.


3 Replies

argrullo
Cisco Employee
Hello Team,

From what I can read, I see you are trying to set up HA on two SFR modules.

If this is the case, that configuration is not supported. You can do HA on the ASAs, but the SFR modules are not able to form.


Yes, two SFR modules, and both of them are registered on the FMC. One module is in production and working fine; I am trying to set up HA on them. I read some documents saying it should be OK to set them up as HA.
