Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
803
Views
5
Helpful
3
Replies

Management Access to FDM of FTD 6.5 HA nodes running on ISA 3000

uhei
Level 1
Level 1

‎01-16-2020 12:46 AM - edited ‎02-21-2020 09:50 AM

Hello,

I'm trying to understand the different modes to access FDM of a FTD 6.5 failover cluster running on two ISA 3000 devices:

  • I can access the primary IP of any data-interface as long as I have enabled access on this interface and the packets for this connection reach the FTD on the specific data-interface
  • I can not access the primary IP of data-interface A when the connection comes in on data-interface B
  • I can connect to the management IP when I have a cable connected to the management port and the management interface is configured to use a dedicated gateway

Which is not working is:

  • Connect to a secondary IP (and thus to the standby node) of any data-interface even access to this data-interface is enabled
  • Connecting to the management IP when there is no cable connected to the management port but gateway is configured to use data-interfaces. This applies for both nodes (active and standby).

I need your help:
How can I connect to both nodes (e.g. for updates) without wiring the management port?

Any help is appreciated!

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-17-2020 01:30 AM - edited ‎01-17-2020 01:30 AM

When making any configuration changes on an FTD HA pair (including upgrades or patches) you need only log into the Active unit.

In the case of upgrades, I believe you need to log into the management interface on the secondary unit (thus it must be wired).

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-ha.html#task_AE850BD023684725BBA13AEC03BFE1DF

uhei
Level 1
Level 1
In response to Marvin Rhoads

‎01-17-2020 05:49 AM

@Marvin Rhoads 

Thanks for your reply. What I don't understand yet is how this fits together with the documentation:

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-interfaces.html#concept_EB3DE1BBDB9547EC8866365C7BC11792

Quote: "... One way to configure Management/Diagnostic is to not wire the physical port to a network. Instead, configure the Management IP address only, and configure it to use the data interfaces as the gateway for obtaining updates from the internet. ..."

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to uhei

‎01-17-2020 07:37 AM

You MIGHT be able to get it to work that way but it's more confusing since you will need to log into the primary IP address you've enabled for management (meaning on the active unit), perform the necessary tasks, change which unit is active, perform tasks on the other unit, etc.

In my experience it's easier to just have the management interfaces connected with unique always reachable addresses.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card