4110 FTD 6.4 - Active Standby HA for VPN, both appliances terminating VPN sessions

beitland
Cisco Employee

Hello Experts,

We have a pair of 4110 FTD containers configured for Active/Standby HA terminating VPN sessions. In our FMC 6.4 under Overview> Dashboards> Access Controlled User Statistics, the "Active VPN Sessions by Device" widget is showing active VPN terminations on BOTH the active and standby appliances of the HA pair. Consulting the Firepower Management Center Configuration Guide for 6.4 version, there is no mention of terminating incoming VPN sessions to both Active and Standby appliances of the HA pair. Previous experience with ASA suggested the Active node of the pair was the active processing unit, with failover and stateful information being replicated to the standby unit in the event of failover and becoming active.


According to the Cisco Firepower 4100 Series Data Sheet, the FTD 4110 supports a maximum of 10,000 VPN peers (https://www.cisco.com/c/en/us/products/collateral/security/firepower-4100-series/datasheet-c78-742474.html)


Q1: Is this expected behavior (terminating VPN sessions on both Active and Standby units of the HA pair)?

Q2: If yes, is the 10,000 VPN peer support per appliance (i.e., 10,000 on the active appliance and 10,000 on the standby unit), or is the 10,000 peer support per HA pair?


Thank you,

Brett


1 Reply

Marvin Rhoads
Hall of Fame

The VPN sessions of the active FTD member in an HA pair are replicated to the standby member. FMC is showing the result of that and not (as one might think without knowing more) the actual client session being handled. This allows for graceful handoff such that a client session is not dropped when there is a failover event.

The limit remains 10,000 concurrent peer sessions whether a device is standalone or a member of an HA pair.
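A practical consequence of the reply above is that summing the "Active VPN Sessions by Device" widget across both members of an HA pair double-counts: the standby's figure is the replicated copy of the active's sessions, and the 10,000-peer limit applies to the active device, not to the sum. The script below is an added example, not code from the thread or from Cisco; it takes per-device counts in the form the widget presents them (constructed sample data, hypothetical device names), collapses each HA pair to its active member, checks that the standby's mirrored count matches, and reports headroom against the datasheet limit the question cites.

```python
"""Reconcile FMC "Active VPN Sessions by Device" counts across FTD HA pairs.

Added example (not from the original thread). All device names, counts and the
HA membership map below are constructed; the FMC widget itself is not queried.
The standby member's count is treated as a replica of the active member's
sessions, per the reply in the thread, so only the active member's count is
charged against the peer limit.
"""
from dataclasses import dataclass

# Firepower 4110 datasheet figure cited in the question; per device, HA or standalone.
VPN_PEER_LIMIT = 10_000


@dataclass(frozen=True)
class UnitReport:
    unit: str           # HA pair name, or the device name for a standalone FTD
    active_device: str  # device actually terminating the sessions
    peers: int          # sessions counted against the limit (active member only)
    replicated: int     # sessions mirrored on the standby member (0 if standalone)
    in_sync: bool       # standby mirror count equals the active count
    headroom: int       # VPN_PEER_LIMIT - peers (negative when over the limit)
    over_limit: bool


def reconcile(widget_counts, ha_pairs, roles, limit=VPN_PEER_LIMIT):
    """Collapse widget rows to one report per logical unit.

    widget_counts: {device_name: sessions as shown by the FMC widget}
    ha_pairs:      {pair_name: (member_a, member_b)}
    roles:         {device_name: "active" | "standby"}  (assumed known, e.g. from the HA page)
    """
    reports = []
    paired = set()
    for pair, members in ha_pairs.items():
        paired.update(members)
        actives = [m for m in members if roles.get(m) == "active"]
        standbys = [m for m in members if roles.get(m) == "standby"]
        if len(actives) != 1 or len(standbys) != 1:
            # Split-brain, both-standby, or an unknown role: refuse rather than guess the load.
            raise ValueError(
                f"{pair}: expected one active and one standby member, "
                f"got {[roles.get(m) for m in members]}"
            )
        active, standby = actives[0], standbys[0]
        peers = widget_counts.get(active, 0)
        mirrored = widget_counts.get(standby, 0)
        reports.append(UnitReport(
            unit=pair, active_device=active, peers=peers, replicated=mirrored,
            in_sync=(mirrored == peers), headroom=limit - peers, over_limit=peers > limit,
        ))
    # Any device not in an HA pair is standalone and counts as-is.
    for device, count in widget_counts.items():
        if device not in paired:
            reports.append(UnitReport(device, device, count, 0, True, limit - count, count > limit))
    return reports


def naive_total(widget_counts):
    """What you get by adding up the widget rows as displayed (double-counts HA pairs)."""
    return sum(widget_counts.values())


def true_total(reports):
    """Concurrent peers actually terminated, after collapsing each HA pair to its active member."""
    return sum(r.peers for r in reports)


# Constructed sample: one 4110 HA pair plus one standalone device, as the widget would list them.
WIDGET_COUNTS = {"ftd4110-1": 6200, "ftd4110-2": 6200, "ftd2110-dc": 300}
HA_PAIRS = {"ftd4110-ha": ("ftd4110-1", "ftd4110-2")}
ROLES = {"ftd4110-1": "active", "ftd4110-2": "standby"}

if __name__ == "__main__":
    reports = reconcile(WIDGET_COUNTS, HA_PAIRS, ROLES)
    print(f"widget sum (double-counted): {naive_total(WIDGET_COUNTS)}")
    print(f"actual concurrent peers:     {true_total(reports)}")
    for r in reports:
        flag = "" if r.in_sync else "  <- standby count differs from active; check replication"
        print(f"{r.unit:12} active={r.active_device:10} peers={r.peers:6} "
              f"mirrored={r.replicated:6} headroom={r.headroom:6}{flag}")
```

The role map is an input rather than something the script infers, because the widget alone cannot tell you which member is active; take it from the HA status in FMC. A mismatch between the active and standby counts is flagged but not diagnosed: the two figures can legitimately differ for a moment if the widget samples the devices at different times, so treat the flag as a prompt to look, not as proof of a replication problem.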