Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
276
Views
0
Helpful
4
Replies

FTDv on ESXi with Failover Issues using SR-IOV

brandon5203
Level 1
Level 1

‎07-04-2025 09:32 AM

I have a use case where I need to deploy FTDv (FTDv100) in a HA pair utilizing two physical servers with the ESXi (7.0.3 - Dell Version) hypervisor, one FTDv 7.4 instance on each. Following the Cisco deployment guide, I am attempting to leverage SR-IOV to get maximum performance. I encounter an issue once I configure/enable High Availability, the syncing process never appears to complete. I think the underlying issue is communication over the failover link as I am getting significantly high packet loss, only after HA is enabled. Prior to enabling HA, I can place the two interfaces within the same subnet, using the same IP assignments used in HA, and 100% ICMP success between the two. Once HA is configured, average about 50% ICMP success. Any thoughts?

ESXi hardware is Dell R660s with Broadcom BCM57504 and BCM57414 NICs. Also utilizing Dell SFPs. I have numerous pairs of this same hardware and have consistent/repeatable results. Should also be noted that the single FTDv instance is the only VM deployed on each hypervisor. FTD is managed via FDM. vCenter not used to manage ESXi.

I initially attempted to deploy without SR-IOV and the problem encountered was that when the physical link/vnic for data interfaces went down, the FTDv vmnic stayed up and would not properly trigger a failover. This appears to be VMware limitation?

0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎07-04-2025 04:07 PM

I used Long back for one of the Lab i never come across the issue mentioned it worked as expected.

i followed below guide :

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-vmware-gsg.html#id_107252

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

brandon5203
Level 1
Level 1
In response to balaji.bandi

‎07-04-2025 05:42 PM

BB,

Thank you for the response. 

SR-IOV works great, allows the VMs interfaces to react to the physical state of the NIC. The problem I am experiencing occurs only after configuring HA. 

If you don't mind me asking, in your referenced lab setup, did you utilize HA on two FTDv within the same logical hypervisor, or were you able to get it working across two physical servers? I do understand that my use case may not be common as it is not how one would typically utilize virtualization. I would suppose that instead of purchasing two FTDv licenses, one would utilize vMotion and two physical chassis to achieve redundancy. Again, thank you for your response.

Brandon

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to brandon5203

‎07-04-2025 10:50 PM

They are 2 Esxi i was running esxi 8.0 with dSwitch using vsphere for more option you get.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

brandon5203
Level 1
Level 1

‎07-07-2025 05:50 PM

I tested everything on ESXi 7.0.3 and 8.0.3. Also tried all releases through 7.4 and 7.7, made no difference as HA still doesn't work properly. Attempted to use vCenter with ESXi 8 but I couldn't figure out how to assign the specific PCI interfaces for SR-IOV.

Currently have a TAC case open and will share if anything meaningful comes from it.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card