Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2041
Views
5
Helpful
3
Replies

Help disabling FTD HA Encryption

Go to solution
Jordan-s
Level 1
Level 1

‎01-04-2022 02:21 PM

Hi all,

I moved to a new job couple months ago, and they are using CISCO FTD's. I am a PaloAlto guy and still learning about FTDs, and to be honest I am not a big fan of FTDs as they are not flexible and stable as Palos. Anyways, whoever built those FTDs they configured IPsec encryption on the HA link, and of course there is a bug causing FWs to get out of Sync due to the encryption on the HA link and the only way to fix the issue is to remove the encryption. I am using FMC to mange those FTDs. From reading about FTD HA configuration, seems the only way to disable the encryption is by deleting the HA group from FMC GUI and create a new one with encryption disabled. Not sure if that's the case, but would love to hear from FMC/FTD experts on how to solve this issue with minimum impact? is there a CLI command where I can execute from FMC and be done with it(I hope there is)

 

 

Capture.PNG

 

 

Thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-04-2022 11:35 PM

As you've surmised, "the only way to disable the encryption is by deleting the HA group from FMC GUI and create a new one with encryption disabled".

There's no cli-based method and it will be a disruptive change. That said, it is otherwise relatively straightforward

View solution in original post

3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-04-2022 11:35 PM

As you've surmised, "the only way to disable the encryption is by deleting the HA group from FMC GUI and create a new one with encryption disabled".

There's no cli-based method and it will be a disruptive change. That said, it is otherwise relatively straightforward

Go to solution
Jordan-s
Level 1
Level 1
In response to Marvin Rhoads

‎01-05-2022 05:53 AM

Thanks for confirming Marvin. I really wish if CISCO adds CLI as an a configuration option to the FTDs, where we can show run, copy the script, modify it and update the configs without the need to touch GUI. Especially if the change involves big FW modifications.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Jordan-s

‎01-05-2022 06:00 AM

For that, "api is the new cli".

But good luck as a newbie with the API. You will find some good examples online but API capabilities are not yet equal what you can do from FMC (by a long shot).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card