Solved: Re: FTDv-HA different setttings

s_SiD_s · ‎03-16-2026

Good day!
I have set up FTDv-HA and everything work like a charm.

One thing I have noticed. it is output of show network command on CLI of both FTDv
PRI\Active shows

> show network
===============[ System Information ]===============
Hostname : firepower

---
And Secondary\Standby

> show network

===============[ System Information ]===============
Hostname : FTDv
Domains : netcompz.org

different hostnames and...for the Standby...show Domains, but Primary does not show up...

all the rest output is OK.

how to change hostnames and Domains settings?

On GUI, see attached, names are OK.

Rob Ingram · ‎03-16-2026

@s_SiD_s from the CLI of each FTD use the "configure network" command to change the settings. https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp3524022327

View solution in original post

s_SiD_s · ‎03-17-2026

I have rebooted both FTDv and all seems to be OK.

test HA was as Pro server went to reload, monitoring intefaces not good as they are ALWAYS in UP state in dSwitch ESXi
one thing to sort out....how auto switch back to Primary FTDv...
i see everything is "green" on dashboard...

View solution in original post

Rob Ingram · ‎03-16-2026

@s_SiD_s from the CLI of each FTD use the "configure network" command to change the settings. https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp3524022327

s_SiD_s · ‎03-16-2026

Great! Thanks!
If you don't mind, I will ask more couple of quiestions)

1. does hostname will be resolved to ftdv1.netcompz.org
and ftdv2.netcompz.org

if we add A and reverse records ro internal DNS server? Or better take names form GUI?

or better to make same names in GUI and CLI?

2. Cannot find information about this string in show network comand. FTDv-Pri has it disabled and FTDv-Sec - enabled.

DNS from router           : disabled

Rob Ingram · ‎03-16-2026

@s_SiD_s if you add the approprirate entries in your DNS servers, then yes the hostname would be resolved. You just need a friendly/memorable name to resolve in DNS, whether thats the hostname in the CLI or GUI. The names don't necessarily need to be the same name in the CLI and GUI.

Is DNS statically configured on one FTD and not the other?

s_SiD_s · ‎03-16-2026

As I remember, both configured statically, as an ip addresses

configure network dns servers

i also notied that there is no static route on FTDv2
like on FTDv1. Interesting, what did I miss... during deploy

s_SiD_s · ‎03-16-2026

configure network static-routes ipv4 add management1 10.201.0.0 255.255.0.0 10.201.213.254

by this command I can add static route to FTDv2

as FTDv1
> ping cisco.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 72.163.4.185, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 150/154/160 ms
>

and FTDv2

> ping cisco.com
Please use 'CTRL+C' to cancel/abort...

ping cisco.com
^
ERROR: % Invalid Hostname
>

Rob Ingram · ‎03-16-2026

@s_SiD_s yes, you shouldn't need a static if you have the default route configured. That static route applies to the mgmt interface not data interfaces.

s_SiD_s · ‎03-16-2026

Yes, for mgmg if not accessable for some reason as I have read.
So. FTDv2 cannot resolve

> ping cisco.com
Please use 'CTRL+C' to cancel/abort...

 ping cisco.com
      ^
ERROR: % Invalid Hostname

but DNS is configured...

also no ping working

> ping 8.8.8.8
Please use 'CTRL+C' to cancel/abort...

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
>

I think this due to FTDv2 does not has IPs configured...no OUTSIDE, no INSIDE ip addresses.
I have read that it is not neccesary as after Pri dies, config migrates to second node, with same IP interfaces setting

Rob Ingram · ‎03-16-2026

@s_SiD_s use "ping system cisco.com" which will ping from the mgmt interface.

s_SiD_s · ‎03-16-2026

> ping system cisco.com
PING cisco.com (72.163.4.185) 56(84) bytes of data.
64 bytes from redirect-ns.cisco.com (72.163.4.185): icmp_seq=1 ttl=49 time=154 ms
64 bytes from redirect-ns.cisco.com (72.163.4.185): icmp_seq=2 ttl=49 time=153 ms
64 bytes from redirect-ns.cisco.com (72.163.4.185): icmp_seq=3 ttl=49 time=153 ms
^C
--- cisco.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 153.314/153.583/154.024/0.314 ms

good)

1 question\setting still remains....

DNS from router           : enabled

where this has been be configured... O_o

s_SiD_s · ‎03-17-2026

I have tested HA by disconnecting OUTSIDE interface on ESXI vm properties.
Failover failed...we forgot to add FTDV2 inside interface to allowed vlan on cisco switch...
but now no errors I see before test HA again and found errors.

So before testing HA need to resolve this issue.

ip addresess PING-able
NAT is working. no health issues.

may be reboot both FTDv? in which order if so?

s_SiD_s · ‎03-17-2026

logs on Graylog...
all interfaces UP and connected.
Checked everywhere.

s_SiD_s · ‎03-17-2026

I have rebooted both FTDv and all seems to be OK.

test HA was as Pro server went to reload, monitoring intefaces not good as they are ALWAYS in UP state in dSwitch ESXi
one thing to sort out....how auto switch back to Primary FTDv...
i see everything is "green" on dashboard...