Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5490
Views
9
Helpful
9
Replies

Interfaces on Secondary Firewall "Not receiving packets"

adamgerber
Level 1
Level 1

‎04-12-2023 03:59 AM

Hi

I have x2 4115's in Active Passive HA.

On my FMC, I'm getting critical health alerts for the secondary/passive firewall "not receiving any packets" on some of its subinterfaces. Is this normal or a bug? Or an issue with my health monitoring policy? I would like to eliminate these alerts. I have another HA pair of 1140's on the same FMC and don't get this issue. Weird how it's only complaining about a few random subinterfaces?

Any help would be appreciated.

KR,
Adam

3 people had this problem
0 Helpful
9 Replies 9

adamgerber
Level 1
Level 1
In response to MHM Cisco World

‎04-12-2023 05:32 AM

Hi - that thread is regarding ASA's with separate SFR modules. I am dealing with x2 FTD's in an HA pair. I dont want to disable interface monitoring for the HA Pair.

0 Helpful

MHM Cisco World
VIP
VIP
In response to adamgerber

‎04-12-2023 05:36 AM

Yes friend I know the FW platform is different but in end the FMC is same.
this behave I think is similar. 

0 Helpful

adamgerber
Level 1
Level 1
In response to MHM Cisco World

‎04-12-2023 05:40 AM

I expected different behavior since the FMC is aware of the a/p HA and again why is it only complaining about 4 out of 9 sub-interfaces. Might be a bug then?

0 Helpful

MHM Cisco World
VIP
VIP
In response to adamgerber

‎04-12-2023 05:42 AM

4 of 9 subinterface <<- are all are config as HA monitor ? if all then  think contact TAC it can be bug and there is solution or workaround for it.

0 Helpful

adamgerber
Level 1
Level 1
In response to MHM Cisco World

‎04-25-2023 05:23 AM

Hi - Yes they are enabled with failover monitoring.

0 Helpful

Rob Ingram
VIP
VIP

‎04-12-2023 05:53 AM - edited ‎04-12-2023 05:54 AM

@adamgerber 

Symptom: Critical health alerts for Interface Status stating that interfaces are not receiving any packets are seen on the FMC for the standby FTD, which is not supposed to be processing traffic, so this is a normal and expected behavior.

Conditions: FTD deployed in High Availability.

Workaround: Blacklist the health alerts for Interface Status.

https://bst.cisco.com/bugsearch/bug/CSCvk05446
https://bst.cisco.com/bugsearch/bug/CSCvb36840

 

 

 

adamgerber
Level 1
Level 1

‎09-30-2024 01:46 PM

Hi all. Fixed by adding standby IP addresses to interfaces.

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to adamgerber

‎10-01-2024 08:06 AM

Enabling interface monitoring for failover with the inclusion of standby addresses is the best solution.

When that's not possible (e.g., HA pair sharing a /30 WAN address), newer versions of FMC will allow you to blacklist just one member of the HA pair for only some interfaces while continuing to monitor the interface on the Primary (and normally active) member..

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card