08-08-2022 08:23 AM
I have to replace a faulty secondary Firepower. I am trying to delete the secondary from FMC that is set up in HA, but I cannot find the correct information to delete this.
I can click the bin button, but get this error "Confirm Delete" (see below), and I am not sure how to proceed.
But I am guessing the primary will run as it is, then I should be able to delete the secondary, then re-add the new firewall.
TIA
08-15-2022 03:03 AM
I don't see how this would take 20 minutes. I have never tried the "force" option, but for a regular break it is just the deployment time.
08-08-2022 08:33 AM
Follow the thread below:
08-08-2022 11:20 AM
Well the error message is telling you how to delete the high availability configuration. You go into the CLI and issue the command "configure high-availability disable". I would suggest performing a device backup of the primary / active FTD before doing this, that way you will have a quick way back should the current active happen to lose its configuration.
08-08-2022 01:21 PM
"I can click the bin button, but get this error "Confirm Delete" see below, and I am not sure how to proceed."
In order to replace the faulty appliance you need to break the HA pair. Therefore your approach is right, but it's understandable, as these appliances are in production, that you want to be extra careful. Having said that, it's safe to press "Confirm Delete".
"But I am guessing the primary will run as it is then I should be able to delete the secondary then re-add the new firewall."
You are absolutely correct. Once you break the HA pair, the primary active firewall stays in production and serves the traffic. It will not impact your production traffic in any way. There is no need to go into the CLI of the FTD and issue the command; FMC does all the labour work for you.
NOTE: When we break the HA pair, only the failover configuration is removed on both firewalls. By default, a firewall is always in "Secondary" mode. That is why, when we set up the HA pair, we manually set up one appliance as "Primary".
Here the Cisco official document explains the process of breaking the HA FTD pair.
Once you get your new FTD appliance you need to make the HA pair again. In that case, make sure you make your primary appliance in production the primary. If you make the new appliance primary, it will wipe your production configuration, and in that case, in order to get the issue fixed, you would have to apply an FTD restore. Just a cautionary thought to mention this. All the best.
08-08-2022 10:38 PM
I agree with @Sheraz.Salim, as we have run into this issue in the past with one of our HA pairs. Take a backup of the primary, make note of all the settings of the secondary instance on the chassis, break the HA pair and then delete the secondary from FMC. Delete the instance from the chassis, reinstall a new instance with the same settings, bring it back into FMC and rebuild the HA pair.
08-09-2022 12:27 AM
Your approach is correct.
Before you break the HA, make sure to take a screenshot of the interface page, so that once you re-add another unit as HA, you have all the info such as the secondary IP address, any specific MAC address entered, etc.
Regards,
Chakshu
08-09-2022 12:39 AM
08-09-2022 01:26 AM
Could you issue the command configure high-availability disable on the primary FTD?
Marvin answered a similar post with a similar issue:
"You can capture all of the relevant VPN parameters from either screenshots or via a "show run" from the CLI.
If you need the preshared key you can go to the lina CLI (system support diagnostic-cli) and use "more system:running-config".
Then you can remove the config in FMC and delete the device and use the parameters you've gathered to recreate it later on the new device. It only takes 10-15 minutes to do so."
08-09-2022 01:38 AM - edited 08-09-2022 01:49 AM
First off, make sure you have a complete backup of your FMC and FTD devices before you begin.
08-10-2022 12:53 AM - edited 08-10-2022 12:53 AM
Found a different way to get the FTD added to FMC.
Changing the IP in the Device settings allowed me to add the device to FMC.
See attached pic.
My new issue is that, now that I have the FTD in FMC, it will not allow me to upgrade to the same firmware as the primary.
Primary is 6.6.5.2
Secondary 6.6.5
08-10-2022 01:22 AM
Is the FTD still in HA? Remember that deleting it from the HA in the GUI does not disable HA on the firewall (as mentioned in the message you get when deleting the HA pair in the GUI). It might be that you need to make the FTD standalone, then upgrade, then add it back to the HA pair.
08-10-2022 03:26 AM
As mentioned by @Marius Gunnerud, you need to make sure, prior to making the HA pair, that the software versions on the FTDs match; otherwise the HA will not form a pair.
The 2 units in the HA must:
08-12-2022 01:10 PM
If everything else is in place and there is just the minor version mismatch, there is a way to install the update via root on the secondary device.
You will need to push the 6.6.5.2 file to the FTD in the path
/var/sf/updates/
using wget, and then install it via the command:
install_update.pl /var/sf/updates/<name of the upgrade package> --detach
e.g.
install_update.pl /var/sf/updates/Cisco_FTD_SSP_FP2K_Upgrade-6.6.1-91.sh.REL.tar --detach
You might want to get TAC support if you need assistance with this and you are unable to place the file in the directory /var/sf/updates.
Regards,
Chakshu
Do rate helpful posts!
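The root-shell install step above hands whatever package name you type straight to install_update.pl, and the whole thread turns on the secondary ending up on exactly the primary's release (6.6.5.2). The following POSIX shell helper is an added example, not from this thread or from Cisco: it parses the version out of the package file name (assuming the Cisco_FTD_SSP_FP2K_Upgrade-<version>-<build>.sh.REL.tar naming shown in the post), refuses to run the installer on a mismatch, and supports a dry run so the check can be rehearsed off the box. The 6.6.5.2 build number in the sample name is a constructed value; install_update.pl and /var/sf/updates exist only on the FTD itself.

```shell
#!/bin/sh
# Added example (not from the thread): verify an FTD upgrade package name
# against the target version before invoking install_update.pl, so the
# secondary lands on the same release as the primary.
# Assumptions: package names follow the pattern seen in the thread,
# Cisco_FTD_SSP_FP2K_Upgrade-<version>-<build>.sh.REL.tar.

UPDATE_DIR="/var/sf/updates"

# Print the version embedded in a package file name, or nothing if the
# name does not match the expected pattern.
# Cisco_FTD_SSP_FP2K_Upgrade-6.6.1-91.sh.REL.tar -> 6.6.1
package_version() {
    basename "$1" | sed -n 's/^Cisco_FTD_[A-Za-z0-9_]*Upgrade-\([0-9][0-9.]*\)-[0-9]*\.sh.*$/\1/p'
}

# Return 0 when the package version equals the target version, 1 otherwise.
package_matches() {
    target="$1"
    pkg="$2"
    ver=$(package_version "$pkg")
    [ -n "$ver" ] && [ "$ver" = "$target" ]
}

# Run the upgrade only after the version check passes. With DRY_RUN set,
# print the command instead of executing it (usable on any machine).
run_upgrade() {
    target="$1"
    pkg="$2"
    if ! package_matches "$target" "$pkg"; then
        echo "refusing: $pkg is not version $target (found '$(package_version "$pkg")')" >&2
        return 1
    fi
    if [ -n "$DRY_RUN" ]; then
        echo "would run: install_update.pl $UPDATE_DIR/$pkg --detach"
        return 0
    fi
    [ -f "$UPDATE_DIR/$pkg" ] || { echo "missing $UPDATE_DIR/$pkg" >&2; return 1; }
    install_update.pl "$UPDATE_DIR/$pkg" --detach
}

# Usage: DRY_RUN=1 sh check_upgrade.sh 6.6.5.2 Cisco_FTD_SSP_FP2K_Upgrade-6.6.5.2-14.sh.REL.tar
# (the build number 14 is a constructed sample value)
if [ "$#" -eq 2 ]; then
    run_upgrade "$1" "$2"
fi
```

Run it on the FTD root shell without DRY_RUN only after the package has been copied into /var/sf/updates; the version string is taken from the file name only, so a renamed package would still pass, which is why the primary's version should be read from FMC rather than typed from memory.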
08-12-2022 01:48 PM - edited 08-12-2022 01:49 PM
Instead of doing all this hassle from the FTD CLI, why not, once the FTD is added in the FMC and prior to making the HA pair, push the minor patch update from the FMC update tab (you only need to download the minor software from Cisco downloads and upload it into the FMC)? It is a safer method, without involving TAC support if you use the FTD CLI and things go wrong.
Once the FTD update is done, proceed to make the HA pair.
08-13-2022 12:09 AM
Because Garry has mentioned this "My new issue is now that I have the FTD in FMC it will not allow me to upgrade to same firmware as the primary."
Regards,
Chakshu