Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
723
Views
5
Helpful
3
Replies

Management Access to FDM of FTD 6.5 HA nodes running on ISA 3000

uhei
Beginner
Beginner

‎01-16-2020 12:46 AM - edited ‎02-21-2020 09:50 AM

Hello,

I'm trying to understand the different modes to access FDM of a FTD 6.5 failover cluster running on two ISA 3000 devices:

  • I can access the primary IP of any data-interface as long as I have enabled access on this interface and the packets for this connection reach the FTD on the specific data-interface
  • I can not access the primary IP of data-interface A when the connection comes in on data-interface B
  • I can connect to the management IP when I have a cable connected to the management port and the management interface is configured to use a dedicated gateway

Which is not working is:

  • Connect to a secondary IP (and thus to the standby node) of any data-interface even access to this data-interface is enabled
  • Connecting to the management IP when there is no cable connected to the management port but gateway is configured to use data-interfaces. This applies for both nodes (active and standby).

I need your help:
How can I connect to both nodes (e.g. for updates) without wiring the management port?

Any help is appreciated!

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

‎01-17-2020 01:30 AM - edited ‎01-17-2020 01:30 AM

When making any configuration changes on an FTD HA pair (including upgrades or patches) you need only log into the Active unit.

In the case of upgrades, I believe you need to log into the management interface on the secondary unit (thus it must be wired).

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-ha.html#task_AE850BD023684725BBA13AEC03BFE1DF

uhei
Beginner
Beginner
In response to Marvin Rhoads

‎01-17-2020 05:49 AM

@Marvin Rhoads 

Thanks for your reply. What I don't understand yet is how this fits together with the documentation:

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-interfaces.html#concept_EB3DE1BBDB9547EC8866365C7BC11792

Quote: "... One way to configure Management/Diagnostic is to not wire the physical port to a network. Instead, configure the Management IP address only, and configure it to use the data interfaces as the gateway for obtaining updates from the internet. ..."

0 Helpful

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to uhei