Primary FTD loses connection to default gateway

AigarsK
Level 1

Hi All,

I am having bizarre issues that occur from time to time when I am doing upgrades on an FTD pair in HA. I am managing them using FDM while awaiting CDO licenses.

My typical setup consists of 2x FTDs (FTD1140 and FTD2120 are where the issues have been observed) that are configured in HA; HA links are in Port Channels connecting directly between the firewalls.

2x DMZ switches that are not stacked, to allow for software upgrades down the line when I add a second ISP. These DMZ switches have the ISP router attached to one of them, and then a trunk port between the DMZ switches ensures that I am able to fail over the firewalls themselves for upgrades etc.

The DMZ switches also have an uplink to the firewall management interface and additional Port Channels for the prod and Guest networks, which have sub-interfaces to allow for more segmentation.

An overview can be seen in the attached Topo image.

The issue is as follows: I carry out the firewall upgrade, do the Secondary first, then wait for it to come up and sync up, then I fail over to the Secondary to become Active (I do not push a deployment at this stage as I have seen issues before). Then on the Primary, which is now the Standby firewall, I carry out the upgrade and wait for it to reboot and sync up. Then I go about pushing the Deployment and, if all goes well, I switch the HA roles back to the intended Primary Active firewall.

From time to time I encounter an issue where the site goes down. I have done the config on the Outside data interface to allow remote management from our HQ Public IP for both HTTPS and SSH. Interestingly, I am able to access the Secondary firewall, but not the Primary. I can check that it reports good health in the Failover state, and I am able to ping the Primary Active firewall from the Secondary Standby firewall with no issues. I am able to look up the ARP status, and on both the Primary and Secondary firewall I see an entry for the ISP, aka the Default Gateway IP address. I can ping it from the Secondary firewall, but not from the Primary.

I have tried switching over the Active firewall, and again, only the Standby firewall IP address or SSH can be accessed, but this time of course the physical firewall is the mate, and vice versa whenever I switch the failover roles.

It appears as if it consistently just does not work on the Primary Active firewall.

I just had this issue: the firewalls were left alone for more than 30 minutes before I noticed it. I tried restarting the Secondary Standby firewall and the connection to the Primary got restored; however, I am not sure whether that happened due to the restart or just because some timeout ticked over.

As mentioned, I have seen this on the FTD1140 and FTD2120. Software code 7.2.8 and the new one 7.4.2.1. Same problem.

What am I missing?

FYI, I did not have access to the DMZ switches in either case, as they were unreachable for me: they both require the S2S to be working, but due to this issue it is not up.
