Secure Firewall Cluster interface health behavior

bfbcnet
Level 1

Hi,

I have two questions on the behaviour of 3100 Secure Firewalls in a cluster and interface health checks.

We have a pair of 3100 Secure Firewalls (running FTD) that we have set up in a cluster, managed by FMC. All devices connected to the two FWs use EtherChannel across both members of the cluster. Each FW has two connections to other devices, as most of those devices are clustered devices as well (such as switches).

What we have found is that if one of the members of any of the EtherChannel links has a fault for whatever reason (maintenance, etc.), the FW cluster member that EtherChannel member is connected to goes into a disabled state, taking down all other links on that FW cluster member. This occurs, it appears, due to interface health monitoring detecting that an interface is down on one FW cluster member but not on the other one. This happens even if it is only one EtherChannel member (1 out of 4) that is down, so the FW member still has a connection to the destination device.

This behaviour can be stopped by disabling interface health monitoring globally in the health policy for the cluster.

So, question number one. Is there a way of stopping this behaviour of a single member of a 4-link EtherChannel causing a whole firewall to disable itself, without losing all interface monitoring capabilities across the cluster? That is, can the way the cluster reacts to the link being down be changed without losing interface alerts?

Second question: it seems pretty hard to find out which interface caused the member of the FW cluster to disable itself. When it happens I check the cluster health logs, etc., but they don't tell you which interface having a health issue caused the cluster member to disable itself in the first place, only that there is a mismatch, so one member has disabled itself. I was not able to find much documentation on how to check this, or on this behaviour in general. The only thing I could find was:

Troubleshoot Firepower Threat Defense (FTD) Cluster - Cisco

The logs it said to check did not yield which interface was mismatching and caused the cluster member to be disabled.

Thanks in advance for any help on this.

15 Replies

bfbcnet
Level 1

In the meantime I have upgraded FMC to the latest 7.4.x version. FMC has extra dialogs for interface monitoring now. This was global to all interfaces in version 7.2.x: either on or off for all or none.

[Screenshot: bfbcnet_4-1726836588247.png]

[Screenshot: bfbcnet_5-1726836848079.png]

To support this, there is extra documentation in FMC that indicates this is standard behaviour.

[Screenshot: bfbcnet_2-1726836242250.png]

[Screenshot: bfbcnet_3-1726836300711.png]

I assume this is an architectural issue. I assumed it would work like clustering on switches such as StackWise Virtual, where if there is no working interface to a destination on one cluster / switch stack member, the traffic flows over the cluster / stack link to another member and exits that other member. It looks like this is a problem for FW clustering (maybe due to cluster link bandwidth concerns), so to stop traffic even coming into that member and being dropped, it has to remove itself from the cluster and disable all its interfaces. Oh well, it is what it is...
