
Replace Primary FTDv machine in a HA pair managed by FMCv

Kirill Gulak
Level 1

Dear Community,

I would like to clear up my doubts so I can make a proper plan for migrating the primary FTDv from an old ESXi host to a new one with better conditions. As I mentioned earlier, there is an FTDv HA pair managed by FMCv. So, I found a Cisco document

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower_threat_defense_high_availability.html#id_33798


However, it's a bit vague for me, as nothing is said about how to retain the configuration running on the primary unit.

Though, in some documents I read that after breaking the HA pair the primary node retains the config and the secondary is erased.

So, what if I

- switch the active unit from the primary FTDv to the secondary FTDv unit

- break the HA pair

- de-register the HA pair entirely

Will the secondary unit obtain the full configuration which was initially on the primary unit, and remain active all the time since it was delegated to process the traffic?

That way I would be able to bring up a new primary unit on the new ESXi host in the meantime without impact on production traffic. Then,

- register it as a new device to FMCv

- form a new HA pair with the existing secondary unit

- the new primary FTDv unit joins the new HA pair as secondary

- the existing secondary unit joins as primary

Thereby, replicate the configuration previously moved to the secondary unit onto the "new primary unit".

Please correct me or propose validated steps to achieve this!


Thank you very much!

5 Replies

Hi,

The primary FTD will retain the config while the secondary will be wiped.
But why are you breaking the HA? You can shut down the primary, move it to
the new host, bring it up, confirm HA establishes, then do the same thing
for the secondary. You need to make sure that connectivity is established between
the hosts by extending the VLANs for HA to come online.


***** please remember to rate useful posts

Hello Mohammed,

Thank you for looking into my question!

The tricky part is this: my virtual FTDs are not installed on shared disk storage, meaning vMotion is not possible. As for provisioning it, I am not sure if it's possible. I might not have read thoroughly through the docs, but I didn't see whether I am allowed to do so, as that means transferring the turned-off primary vFTD from one ESXi host's dedicated disk storage to another "new" ESXi host's dedicated storage. So my concern is: doesn't that involve any inconsistency with object IDs or anything similar at FMCv, which would prevent restoring communication with the moved machine? Or do only the MAC address and IP attached to the management interface matter? The UDI is used as well, but it won't change if I achieve it by transferring as you are suggesting....

I have had the experience of reimaging FTDv due to some conditions. However, I have not tried transferring between ESXi hosts yet.

As for the availability of HA interfaces as well as data interfaces, everything is set up over a distributed switch of which the old and new ESXi hosts are both part. So that's not a problem.

Thank you very much!

Understood. One point is that you can do storage vMotion if you run ESXi post 5.0. Otherwise, you can download the VM folder and upload it to the new host.

I see other simpler solutions, but go with what you feel comfortable with.

OK, so I will give a try to simply transferring the primary unit without breaking HA at FMCv. However, I will confirm that only after the new year.

Will update the thread afterwards.

Thank you very much!


Kirill Gulak
Level 1

Just for the sake of a complete picture, I conducted the change with the following steps:

- Switch the role of the Secondary to Active;

- Make sure traffic is diverted and being processed fine;

- Turn off the Primary vFTD;

- Migrate it from one ESXi host to the other;

- Start the Primary vFTD;

- See it appear in Cisco FMCv;

- Switch the roles back to the original successfully.

 

Thank you, Mohammed!
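The procedure in the post above (and Mohammed's first reply, which proposes the same "shut down, move, bring up, confirm HA" sequence) rests on one safety condition: the unit being powered off must already be the standby, so no production traffic is on it. The script below is an added example, not code from the thread or from Cisco; it parses the header of FTD's `show failover` output (the sample text is constructed to look like that output after the roles were swapped) and only then runs the cold migration with VMware's `govc` CLI. The VM name, target host and datastore are assumed placeholders, and the `govc` calls only execute when `DO_MIGRATE=1`, so by default it is a dry run.

```shell
#!/usr/bin/env bash
# Added example: guarded "swap roles -> power off primary -> move -> power on"
# migration of an FTDv HA member between ESXi hosts with local storage.
# Nothing here is Cisco's or the thread author's code.
set -u

# Constructed sample of what "show failover" prints on the PRIMARY after the
# secondary was made active in FMC. Replace with real output in production,
# e.g.:  ssh admin@ftdv-primary 'show failover'
FAILOVER_SAMPLE='Failover On
Failover unit Primary
Failover LAN Interface: failover-link GigabitEthernet0/2 (up)
Last Failover at: 10:41:07 UTC Dec 18 2020
        This host: Primary - Standby Ready
                Active time: 0 (sec)
        Other host: Secondary - Active
                Active time: 612 (sec)'

# ha_state TEXT LABEL -> prints the role/state after "LABEL:" ("This host" or
# "Other host"), e.g. "Primary - Standby Ready".
ha_state() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: \(.*\)$/\1/p" | head -n1
}

# primary_safe_to_power_off TEXT -> exit 0 only when this unit (the primary)
# is Standby Ready and the peer is Active, i.e. no traffic is on the VM
# about to be powered off.
primary_safe_to_power_off() {
    local this other
    this=$(ha_state "$1" "This host")
    other=$(ha_state "$1" "Other host")
    [ "$this" = "Primary - Standby Ready" ] && [ "$other" = "Secondary - Active" ]
}

# Assumed inventory names; adjust to your vCenter.
VM_NAME=${VM_NAME:-ftdv-primary}
NEW_HOST=${NEW_HOST:-esxi-new.example.net}
NEW_DS=${NEW_DS:-esxi-new-local-ds}

# migrate_primary: the power-off / move / power-on part of the procedure.
# Cold migration with govc relocates host and datastore in one step, so no
# shared storage is required. Runs govc only when DO_MIGRATE=1.
migrate_primary() {
    if [ "${DO_MIGRATE:-0}" != "1" ]; then
        echo "dry run: would power off $VM_NAME, move it to host $NEW_HOST / datastore $NEW_DS, power it on"
        return 0
    fi
    govc vm.power -off "$VM_NAME" || return 1
    govc vm.migrate -host "$NEW_HOST" -ds "$NEW_DS" "$VM_NAME" || return 1
    govc vm.power -on "$VM_NAME"
}

main() {
    if primary_safe_to_power_off "$FAILOVER_SAMPLE"; then
        echo "preflight ok: primary is Standby Ready, secondary is Active"
        migrate_primary
    else
        echo "preflight FAILED: swap roles in FMC (Switch Active Peer) before powering off the primary" >&2
        return 1
    fi
}

main
```

After the VM is back up, the remaining steps are the ones the post lists: wait for the device to show as connected in FMC, confirm `show failover` reports the primary as Standby Ready again (the management IP and MAC are unchanged by a cold migration, so FMC sees the same device), and only then switch the active peer back.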
