Replace Secondary Firepower when in HA

Garry Cooper
Level 1

I have to replace a faulty secondary Firepower. I am trying to delete the secondary from the FMC, where it is set up in HA, but I cannot find the correct information on how to delete this.

I can click the bin button, but I get this error, "Confirm Delete" (see below), and I am not sure how to proceed.

But I am guessing the primary will run as it is; then I should be able to delete the secondary and re-add the new firewall.

TIA


Accepted Solution

I don't see how this would take 20 minutes. I have never tried the "force" option, but for a regular break it is just the deployment time.

--
Please remember to select a correct answer and rate helpful posts


Well, the error message is telling you how to delete the high availability configuration. You go into the CLI and issue the command "configure high-availability disable". I would suggest performing a device backup of the primary/active FTD before doing this; that way you will have a quick way back should the current active unit happen to lose its configuration.

--
Please remember to select a correct answer and rate helpful posts

"I can click the bin button, but I get this error, "Confirm Delete" (see below), and I am not sure how to proceed."

In order to replace the faulty appliance you need to break the HA pair. Therefore your approach is right, but it's understandable, as these appliances are in production, that you want to be extra careful. Having said that, it's safe to press "Confirm Delete".

"But I am guessing the primary will run as it is; then I should be able to delete the secondary and re-add the new firewall."

You are absolutely correct. Once you break the HA pair, the primary/active firewall stays in production and serves the traffic. It will not impact your production traffic in any way. There is no need to go into the CLI of the FTD and issue the command; the FMC does all the labour work for you.

NOTE: When we break the HA pair, only the failover configuration is removed on both firewalls. By default, a firewall is always in "Secondary" mode. That is why, when we set up the HA pair, we manually set one appliance as "Primary".

Here the official Cisco document explains the process of breaking the HA FTD pair.

Once you get your new FTD appliance you need to make the HA pair again. In that case, make sure you make your production appliance the primary. If you make the new appliance the primary, it will wipe your production configuration, and in that case, in order to fix the issue, you would have to apply an FTD restore. Just a cautionary thought to mention this. All the best.

please do not forget to rate.

manofsteel03
Level 1

I agree with @Sheraz.Salim, as we have run into this issue in the past with one of our HA pairs. Take a backup of the primary, make a note of all the settings of the secondary instance on the chassis, break the HA pair and then delete the secondary from the FMC. Delete the instance from the chassis, reinstall a new instance with the same settings, bring it back into the FMC and rebuild the HA pair.

Chakshu Piplani
Cisco Employee

Your approach is correct.

Before you break the HA, make sure to take a screenshot of the interface page, so that once you re-add another unit as HA you have all the info, such as the secondary IP address, any specific MAC address entered, etc.

Regards,

Chakshu

Thanks for the replies, but I tried this morning to delete the secondary FTD and got this error.

Error

The Device NCC-Civic-FTD-HA cannot be deleted because the following VPN Configuration(s) refer to this device.

See attached image.

Could you issue the command configure high-availability disable on the primary FTD?

Marvin answered a similar post with a similar issue.

https://community.cisco.com/t5/network-security/cannot-delete-a-ftd-device-from-fmc-when-l2l-vpn-tunnel-is/td-p/4506257

You can capture all of the relevant VPN parameters either from screenshots or via a "show run" from the CLI.

If you need the preshared key you can go to the lina cli (system support diagnostic-cli) and use "more system:running-config".

Then you can remove the config in FMC and delete the device and use the parameters you've gathered to recreate it later on the new device. It only takes 10-15 minutes to do so.

please do not forget to rate.

First off, make sure you have a complete backup of your FMC and FTD devices before you begin.

  1. Unplug the failed FTD's data interfaces from the network (if the cables are not marked, I suggest either marking them or at least taking note of which port each cable connects to on the FTD and the switch).
  2. Via the CLI, issue the command configure high-availability disable on the failed device.

--
Please remember to select a correct answer and rate helpful posts

I found a different way to get the FTD added to the FMC.

Changing the IP in the device settings allowed me to add the device to the FMC.

See attached pic.

My new issue is that, now that I have the FTD in the FMC, it will not allow me to upgrade to the same firmware as the primary.

Primary is 6.6.5.2

Secondary 6.6.5

Is the FTD still in HA? Remember that deleting it from the HA in the GUI does not disable HA on the firewall (as mentioned in the message you get when deleting the HA pair in the GUI). It might be that you need to make the FTD standalone, then upgrade, then add it back to the HA pair.

--
Please remember to select a correct answer and rate helpful posts

As mentioned by @Marius Gunnerud, prior to making the HA pair you need to make sure the software versions match on the FTDs; otherwise the HA pair will not form.

The 2 units in the HA must:

  • Be the same model
  • Have the same number and types of interfaces
  • Be in the same firewall mode (routed or transparent)
  • Have the same software version
  • Be in the same domain or group on the FMC
  • Have the same NTP configuration
  • Be fully deployed on the FMC with no uncommitted changes
  • Not have DHCP or PPPoE configuration on any of their interfaces
  • Have the same license (FTD devices in HA must have the same license)
  • Have two smart license entitlements, one for each device in the pair

please do not forget to rate.
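The prerequisite list above is exactly the kind of thing worth checking mechanically before clicking "Add High Availability", because the thread's actual failure (6.6.5 vs 6.6.5.2) is a one-field mismatch. The script below is an added example, not Cisco code and not from this thread: it models the two units as constructed records (the field names are assumptions, not FMC API attributes) and reports every prerequisite the pair would violate, including the version mismatch Garry hit.

```python
"""Pre-flight check for the FTD HA pairing prerequisites listed above.

Added example, not Cisco's code and not from this thread. The device
records below are constructed stand-ins for what an operator reads off the
FMC device page; the field names are assumptions, not FMC API attributes.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class FtdDevice:
    name: str
    model: str
    interfaces: Tuple[str, ...]          # "<name>:<type>" strings (constructed format)
    firewall_mode: str                   # "routed" or "transparent"
    software_version: str                # dotted string, e.g. "6.6.5.2"
    fmc_group: str                       # domain/group the device lives in on the FMC
    ntp_servers: Tuple[str, ...]
    pending_deploy: bool                 # True if the FMC shows undeployed changes
    licenses: Tuple[str, ...]
    dhcp_or_pppoe_ifaces: Tuple[str, ...] = ()


def parse_version(version: str) -> Tuple[int, ...]:
    """'6.6.5.2' -> (6, 6, 5, 2). A missing patch field is not padded with 0,
    so '6.6.5' and '6.6.5.2' compare unequal, just as the FMC treats them."""
    return tuple(int(part) for part in version.strip().split("."))


def ha_preflight(primary: FtdDevice, secondary: FtdDevice) -> List[str]:
    """Return every prerequisite the pair violates; an empty list means pairable."""
    problems: List[str] = []
    if primary.model != secondary.model:
        problems.append(f"model mismatch: {primary.model} vs {secondary.model}")
    if sorted(primary.interfaces) != sorted(secondary.interfaces):
        problems.append("interface count/type mismatch")
    if primary.firewall_mode != secondary.firewall_mode:
        problems.append(f"firewall mode mismatch: {primary.firewall_mode} vs {secondary.firewall_mode}")
    if parse_version(primary.software_version) != parse_version(secondary.software_version):
        problems.append(f"software version mismatch: {primary.software_version} vs {secondary.software_version}")
    if primary.fmc_group != secondary.fmc_group:
        problems.append(f"FMC domain/group mismatch: {primary.fmc_group} vs {secondary.fmc_group}")
    if set(primary.ntp_servers) != set(secondary.ntp_servers):
        problems.append("NTP configuration mismatch")
    for dev in (primary, secondary):
        if dev.pending_deploy:
            problems.append(f"{dev.name} has undeployed changes in the FMC")
        if dev.dhcp_or_pppoe_ifaces:
            problems.append(f"{dev.name} uses DHCP/PPPoE on {', '.join(dev.dhcp_or_pppoe_ifaces)}")
    if set(primary.licenses) != set(secondary.licenses):
        problems.append("license mismatch (each unit needs its own matching entitlement)")
    return problems


# Constructed sample records mirroring the thread: primary on 6.6.5.2,
# replacement secondary still on 6.6.5 after being added to the FMC.
PRIMARY = FtdDevice(
    name="ftd-primary", model="FPR2110",
    interfaces=("Ethernet1/1:physical", "Ethernet1/2:physical", "Ethernet1/3:physical"),
    firewall_mode="routed", software_version="6.6.5.2", fmc_group="Global",
    ntp_servers=("192.0.2.10",), pending_deploy=False, licenses=("BASE", "THREAT"),
)
SECONDARY = replace(PRIMARY, name="ftd-secondary-new", software_version="6.6.5")
# The same unit after the minor patch has been applied (the fix the thread converges on).
SECONDARY_PATCHED = replace(SECONDARY, software_version="6.6.5.2")
# A unit that matches on version but still has an undeployed DHCP interface change.
SECONDARY_UNDEPLOYED = replace(SECONDARY_PATCHED, pending_deploy=True,
                               dhcp_or_pppoe_ifaces=("Ethernet1/3",))

if __name__ == "__main__":
    for label, sec in (("as added", SECONDARY), ("after patch", SECONDARY_PATCHED),
                       ("with undeployed DHCP change", SECONDARY_UNDEPLOYED)):
        result = ha_preflight(PRIMARY, sec)
        print(f"{label}: {'OK to pair' if not result else result}")
```

Running it prints one line per scenario: the as-added secondary fails only on the software version, the patched one passes, and the third fails on the deploy state and the DHCP interface, so the operator knows what to fix in the FMC before attempting the pair.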

If everything else is in place and there is just the minor version mismatch, there is a way to install the update via root on the secondary device.

You will need to push the 6.6.5.2 file to the FTD in the path /var/sf/updates/ using wget, and then install it via the command:

install_update.pl /var/sf/updates/<name of the upgrade package> --detach

e.g.

install_update.pl /var/sf/updates/Cisco_FTD_SSP_FP2K_Upgrade-6.6.1-91.sh.REL.tar --detach

 

You might want to get TAC support if you need assistance with this and you are unable to place the file in the directory /var/sf/updates.

Regards,

Chakshu

Do rate helpful posts!

Instead of doing all this hassle from the FTD CLI, why not, once the FTD is added to the FMC and prior to making the HA pair, push the minor patch update from the FMC update tab (you only need to download the minor software from Cisco Downloads and upload it into the FMC)? It is a safer method, without needing to involve TAC support if things go wrong while using the FTD CLI.

Once the FTD update is done, proceed to make the HA pair.

please do not forget to rate.

Because Garry has mentioned this "My new issue is now that I have the FTD in FMC it will not allow me to upgrade to same firmware as the primary."

Regards,

Chakshu
