Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4206
Views
15
Helpful
8
Replies

HA or clustering Firepower 4115

Go to solution
DavideRanalli76560
Level 1
Level 1

‎09-19-2021 02:33 AM

Hello,

 

after deploying a couple of firepower of 4100 family, we configured the FXOS in cluster, apparently there is not differentiation on between cluster and HA (unless I missed something). So far so good, the problems comes when from FMC I want to create an HA pair using 2 FTDs 6.6.4, as opposed to cisco documentation which goes on about HA tabs, apparently there is only clustering FTDs infact there is not even a way to switch roles from GUI as per Cisco documentation.

My question is: is clustering the equivalent of HA on firepower 4115 and its FTDs?

Cisco also says that backup/restore from FMC of managed devices on cluster is not supported, it's only supported for HA.

 

Thanks

 

Davide

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to DavideRanalli76560

‎09-19-2021 09:35 PM - edited ‎09-19-2021 09:37 PM

Clustering and HA are mutually exclusive. You would need to delete the cluster at the FXOS level. Then create two separate FTD logical devices (not clustered). Register them both to FMC. Then create the HA pair in FMC. You will need a data interface connected between the two members for use as a failover interface.

View solution in original post

8 Replies 8

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-19-2021 05:16 AM

You build a cluster of logical devices in FXOS / FCM.

If you want an HA pair, that is done from withing FMC (or FDM if managing locally).

Clustering and HA are not equivalent. Clusters can include multiple devices (up to 16) with all devices active vs. HA which is Active/Standby between two devices.

Clusters have some feature limitations (no remote access VPN for example) but are generally well-suited for situations where very high throughput is required. We typically use clusters with 4 or more devices since the throughput advantage is very small with a 2-device cluster (only about 20% more than a single device).

HA only gives the throughput of a single device but doesn't have the feature limitation nor complexity of a cluster.

Go to solution
DavideRanalli76560
Level 1
Level 1
In response to Marvin Rhoads

‎09-19-2021 09:57 AM

Thanks for the informative answer Marvin, in that case I assume HA and cluster is differentiated also at the chassis level (FXOS).

The two firepower 4115 are directly connected using portchannel 48 with a single physical interface assigned to it, the interface connecting the two chassis have been configured as cluster only.

When it comes to join the two FTDs to FMC, the importation of one FTD automatically drags the other FTD and form the cluster, but I actually wanted an HA pair.

There seems to be no way to form the HA from FMC, in that case I wonder if I did something wrong maybe at the chassis level? 

 

Thanks 

Davide

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to DavideRanalli76560

‎09-19-2021 09:35 PM - edited ‎09-19-2021 09:37 PM

Clustering and HA are mutually exclusive. You would need to delete the cluster at the FXOS level. Then create two separate FTD logical devices (not clustered). Register them both to FMC. Then create the HA pair in FMC. You will need a data interface connected between the two members for use as a failover interface.

Go to solution
DavideRanalli76560
Level 1
Level 1
In response to Marvin Rhoads

‎09-19-2021 10:50 PM

Thanks a million Marvin

 

0 Helpful

Go to solution
Ciscouserz
Level 1
Level 1
In response to Marvin Rhoads

‎06-05-2023 03:29 AM

We typically use clusters with 4 or more devices since the throughput advantage is very small with a 2-device cluster (only about 20% more than a single device).

You only see 20% ? If you exclude loadbalancing issues, whats the reason to 20% that you are seeing ?

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Ciscouserz

‎06-07-2023 08:35 AM - edited ‎06-07-2023 08:36 AM

@Ciscouserz 20% is the expected gain on concurrent sessions supported. I was remembering that number. Throughput results for a 2-node cluster should vary between 40-60% over a single node.

Reference BRKSEC-3032 Cisco Live session by the author of ASA and FTD clustering, Andrew Ossipov. 2 x 60% = 120%. 2 x 70% = 140% etc.

cluster scale.png

 

0 Helpful

Go to solution
Chakshu Piplani
Cisco Employee
Cisco Employee

‎09-19-2021 10:42 PM

You can switch Master role in a cluster by going to Devices-->Click on 3 dots on the right to the cluster--> Cluster Live Status

 

Click again to the unit you want to make as Master and select "Change Role To Control"

image.png

Regards,

Chakshu

 

Do rate helpful posts!

Go to solution
DavideRanalli76560
Level 1
Level 1
In response to Chakshu Piplani

‎09-19-2021 10:51 PM

Thanks a million Piplani 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card