Hello Experts,
We have a pair of 4110 FTD containers configured for Active/Standby HA terminating VPN sessions. In our FMC 6.4, under Overview > Dashboards > Access Controlled User Statistics, the "Active VPN Sessions by Device" widget is showing active VPN terminations on BOTH the active and standby appliances of the HA pair. Consulting the Firepower Management Center Configuration Guide for version 6.4, there is no mention of terminating incoming VPN sessions on both the Active and Standby appliances of the HA pair. Previous experience with ASA suggested that the Active node of the pair was the active processing unit, with failover and stateful information being replicated to the standby unit, which becomes active in the event of failover.
According to the Cisco Firepower 4100 Series Data Sheet, the FTD 4110 supports a maximum of 10,000 VPN peers (https://www.cisco.com/c/en/us/products/collateral/security/firepower-4100-series/datasheet-c78-742474.html).
Q1: Is this expected behavior (terminating VPN sessions on both Active and Standby units of the HA pair)?
Q2: If yes, is the 10,000 VPN peers support per appliance (i.e., 10,000 on active appliance, 10,000 on standby unit), or is the 10,000 peer support per HA pair?
Thank you,
Brett