Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
157
Views
1
Helpful
3
Replies

Integrate FMC HA with ISE pxGrid

Go to solution
tiangeng-li
Level 1
Level 1

‎01-13-2025 10:00 PM

Hi,

I have one pair of FMC and on pair of FTD, currently FMC appliances in HA setup and we have successfully integrated with ISE pxGrid.

The question now is what will happen if the primary FMC fails, will FTD HA still receive the IP-to-SGT mapping from FMC, this is my doubt because the document says there is no auto failover for FMC HA, a manual promotion needed while the primary FMC fails. so, I'd like to know if the secondary FMC also sync and push down the IP-to-SGT mapping to FTD appliances in normal state.

Thanks

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
andre.baumgarten
Level 1
Level 1

‎01-15-2025 01:48 AM

Hello,

i have this setup at my customer. And yes secondary FMC also update IP-to-SGT mappins on FTDs, as all FTDs have always 2 sftunnels open. One to primary and one to secondary FMC. So both FMCs are some kind of always active, you only enable the GUI to configure everything only on one FMC (like ISE).

View solution in original post

3 Replies 3

Go to solution
manabans
Cisco Employee
Cisco Employee

‎01-14-2025 04:47 AM

If the primary management center fails, the Secondary management center propagates to managed devices user-to-IP mappings from the TS Agent identity source; and propagates SGT mappings from the ISE/ISE-PIC identity source. Users not yet seen by identity sources are identified as Unknown.

After the downtime, the Unknown users are re identified and processed according to the rules in your identity policy.

Source: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/720/management-center-admin-72/system-ha.html#id_21208 

0 Helpful

Go to solution
tiangeng-li
Level 1
Level 1
In response to manabans

‎01-14-2025 06:34 AM

thanks for your reply.

We only use IP-to-SGT mapping in our environment.

That means only primary FMC propagate IP-to-SGT mappings in normal state, when the primary FMC fails, secondary FMC will automatically take over the "role" of propagating IP-to-SGT mappings to managed devices. During this period, User-to-IP mappings will be identified as unknown, as for IP-to-SGT mapping, it will not be affected.

Please correct me if I am wrong.

Thank you

0 Helpful

Go to solution
andre.baumgarten
Level 1
Level 1

‎01-15-2025 01:48 AM

Hello,

i have this setup at my customer. And yes secondary FMC also update IP-to-SGT mappins on FTDs, as all FTDs have always 2 sftunnels open. One to primary and one to secondary FMC. So both FMCs are some kind of always active, you only enable the GUI to configure everything only on one FMC (like ISE).

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card