Need help in deploying firepower 4100 for ASA HA act/stand

vaibhav mehta
Level 1

Hello All 

I am damn new to Firepower 4100 devices.

I am a little bit confused in one of my deployments where I need to use two 4100 boxes to create an ASA active/standby configuration.

Here are the pointers where I need your expert comments:

1. How should I begin the configuration of the Firepower? What I mean is the cross connects between the Firepower 4100s for the data/control connection.

Wherever I have checked the documentation, it says that it has to be done via a switch.

So can we set them up as a chassis cluster only, or can they also be deployed as active/standby?

2. How should I deploy the ASA active/standby pair inside? I got a fairly good idea of how I can create the ASA security app and have the interfaces bound to it, but I am not clear about a standard design that should be followed to optimize the usage of ports. I have an 8x10G onboard module.

But here also I am confused about the control/data link.

3. How can I separate the management of both chassis and the ASA instance?

I am open to all comments.


Marvin Rhoads
Hall of Fame

Even though you are going to have the two ASA logical devices in an Active/Standby HA pair, the FirePOWER 4100 chassis in which they reside are completely logically separated. The chassis, or more accurately the FX-OS and FCM running on the chassis, have no awareness of each other.

You manage each chassis via the chassis management interface. You deploy the ASA logical devices on each chassis and assign physical interfaces to them via FirePOWER Chassis Manager. You allocate as many interfaces as you need for each ASA. At a minimum you need a data path interface and a failover interface.

How (or if) you use the other 6 physical interfaces on the chassis depends on your network design requirements. Most commonly we will see at least 2 data path interfaces ("inside" and "outside") and possibly those are further given redundancy via bonding two into an EtherChannel. Add a DMZ and you've used up 6 of the 8 available interfaces. If you want a dedicated ASA management interface, that's another one. (The chassis management interface cannot be effectively used for ASA management.)
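To show what the "data path interface plus failover interface" minimum looks like once the interfaces have been allocated to the ASA logical device, here is an added example of the primary unit's ASA failover configuration (not part of the original post or Cisco documentation; interface numbers, addresses and the key placeholder are assumed):

```text
! Primary unit (ASA logical device on chassis 1). Ethernet1/1, 1/2 and 1/8
! are assumed to have been allocated to this logical device in FCM.
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
!
! Dedicated failover link, also used as the state link. Give it its own
! physical port and no nameif; do not share it with data or management.
interface Ethernet1/8
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet1/8
failover link FOLINK Ethernet1/8
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Encrypt failover and state traffic; the state link otherwise carries
! configuration and connection state in the clear.
failover ipsec pre-shared-key <replace-with-strong-key>
failover
```

On the secondary unit only the `failover lan unit secondary`, `failover lan interface`, `failover link`, `failover interface ip`, pre-shared key and `failover` lines are needed; the rest of the running configuration is replicated from the primary once the pair forms.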

So do you mean that we do not need any kind of clustering or anything for the FXOS/Firepower chassis?

We will just bring up the FXOS on each box, create the ASA application on each box and then carry out the necessary configuration on the logical instances.

vaibhav_mehta,

Yes - that's correct.

You must also assign the physical interfaces to the ASA logical device via the FirePOWER Chassis Manager. 

Marvin,

I successfully deployed the HA on Firepower.

I have one last question left regarding the AAA configuration on FCM. I did follow both the GUI and Chassis Manager guides, but TACACS doesn't seem to be working.

I am doing authentication via an ACS server and I am not sure how Chassis Manager will choose the authentication order. In Cisco ASA we have the option to explicitly tell the device to choose TACACS over Local, but I do not see any such option in FCM.

Did you see the section on setting the default authentication service?

http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos211/cli-config/b_CLI_ConfigGuide_FXOS_211/user_management.html#task_C75FA89E7B43479A89A3D69CFCF621EC

If you have set that and it still isn't working, please check your ACS server and see if it is getting failed TACACS+ requests. The Audit log report should show why the authentication or authorization is failing.
