02-27-2023 04:35 AM
Hi all,
Just a quick question that I wasn't able to google the answer for.
Our FTD pair generates a lot of Informational logs every minute related to:
"IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3E10868E) between 192.168.100.2 and 192.168.100.1 (user= 192.168.100.1) has been deleted."
I know the reason for this syslog, but I'm unable to explain the behavior between the HA pair.
Regards, Michael
02-27-2023 05:09 AM
192.168.100.2 and 192.168.100.1 <<- IPsec L2L, and both LANs have the same subnet; this is overlapping.
02-27-2023 05:46 AM
It's the failover link on the FTDs, and they should be on the same subnet.
02-27-2023 07:48 AM - edited 02-27-2023 07:51 AM
Oh ok,
you use IPsec encryption to protect the failover link between the two FWs??
If yes, and you directly connect the two FWs, then you can disable IPsec for the failover link.
02-27-2023 11:24 PM
The FTDs are directly connected, so I could disable IPsec encryption on the failover link.
It still doesn't explain the behavior, which is the part I'm most curious about.
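To quantify the churn the original post describes, and to tell deletions on the failover-link address pair apart from deletions on real site-to-site tunnels, here is an added Python example (not code from the thread or from Cisco). The log lines are constructed for the example: they reuse the failover-link addresses and the "LAN-to-LAN SA ... has been deleted" text quoted in the post; the 602304 message ID and the "Mon DD YYYY hh:mm:ss host" prefix are assumed, and 203.0.113.10 is a made-up remote VPN peer.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not from the thread's devices). The SA
# message text is the one quoted in the post; the 602304 ID and the
# timestamp/hostname prefix are assumed. 203.0.113.10 is a made-up VPN peer.
SAMPLE_LOGS = """\
Feb 27 2023 04:30:01 ftd-a %FTD-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3E10868E) between 192.168.100.2 and 192.168.100.1 (user= 192.168.100.1) has been deleted.
Feb 27 2023 04:30:01 ftd-a %FTD-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 192.168.100.2 and 192.168.100.1 (user= 192.168.100.1) has been deleted.
Feb 27 2023 04:30:30 ftd-a %FTD-6-302013: Built inbound TCP connection 12345 for OUTSIDE:203.0.113.10/443 (203.0.113.10/443) to NOC:10.227.2.20/51000 (10.227.2.20/51000)
Feb 27 2023 04:31:02 ftd-a %FTD-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3E10868F) between 192.168.100.2 and 192.168.100.1 (user= 192.168.100.1) has been deleted.
Feb 27 2023 04:31:40 ftd-a %FTD-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x77AA0001) between 93.165.156.37 and 203.0.113.10 (user= 203.0.113.10) has been deleted.
Feb 27 2023 04:32:03 ftd-a %FTD-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3E108690) between 192.168.100.2 and 192.168.100.1 (user= 192.168.100.1) has been deleted.
Feb 27 2023 04:32:03 ftd-a %FTD-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x1A2B3C4E) between 192.168.100.2 and 192.168.100.1 (user= 192.168.100.1) has been deleted.
"""

# Matches only the "SA ... has been deleted" message; every other line is skipped.
SA_DELETED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %(?:ASA|FTD)-\d-602304: "
    r"IPSEC: An (?P<direction>inbound|outbound) (?P<kind>[\w-]+) SA "
    r"\(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) between (?P<local>[\d.]+) and (?P<remote>[\d.]+) "
    r"\(user= (?P<user>[^)]*)\) has been deleted\.$"
)


def parse_sa_deletions(text):
    """Return one dict per SA-deleted line (direction, kind, spi, local, remote, ts)."""
    events = []
    for line in text.splitlines():
        m = SA_DELETED_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
        events.append(ev)
    return events


def summarize_by_peer_pair(events, failover_link_peers=None):
    """Group deletions by unordered peer pair and rate them per minute seen.

    failover_link_peers: the two failover-link addresses, so churn on the HA
    link is labelled separately from real site-to-site tunnels.
    """
    fo = frozenset(failover_link_peers) if failover_link_peers else frozenset()
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(sorted((ev["local"], ev["remote"])))].append(ev)
    summary = {}
    for pair, evs in groups.items():
        # Count the distinct minutes in which this pair logged a deletion.
        minutes_seen = len({e["ts"].replace(second=0) for e in evs})
        summary[pair] = {
            "count": len(evs),
            "unique_spis": len({e["spi"] for e in evs}),
            "first": min(e["ts"] for e in evs),
            "last": max(e["ts"] for e in evs),
            "per_minute": len(evs) / minutes_seen,
            "is_failover_link": frozenset(pair) == fo,
        }
    return summary


def noisy_pairs(summary, min_count=3, min_per_minute=1.0):
    """Peer pairs with sustained SA churn (at least min_count deletions, >= rate)."""
    return sorted(
        pair for pair, s in summary.items()
        if s["count"] >= min_count and s["per_minute"] >= min_per_minute
    )


if __name__ == "__main__":
    evs = parse_sa_deletions(SAMPLE_LOGS)
    summary = summarize_by_peer_pair(evs, ("192.168.100.1", "192.168.100.2"))
    for pair, s in summary.items():
        tag = "FAILOVER-LINK" if s["is_failover_link"] else "vpn-peer"
        print(f"{pair[0]} <-> {pair[1]} [{tag}]: {s['count']} deletions, "
              f"{s['unique_spis']} SPIs, {s['per_minute']:.2f}/min")
    print("noisy pairs:", noisy_pairs(summary))
```

Feeding a real export from the FMC or the syslog collector into parse_sa_deletions() gives the same per-pair view; a pair flagged by noisy_pairs() whose addresses are the failover-link addresses is the HA link rekeying, not a customer tunnel.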
02-28-2023 12:48 AM
Just to be clear, for my understanding: the FTDs are in an HA pair. Could you please confirm there is no issue between these two HA units at all? Please confirm by issuing the command
> show high-availability config
If these FTDs are managed by FMC, do you see any alerts regarding these appliances in FMC? Also, please tell us what software version the FTDs are on.
02-28-2023 02:19 AM
Yes, the FTDs are in an HA setup
---------------------------
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER-LAN Port-channel10 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1288 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.19(1), Mate 9.19(1)
Serial Number: Ours JAD26140ECJ, Mate JAD26140DYS
Last Failover at: 06:53:05 UTC Feb 24 2023
This host: Secondary - Active
Active time: 357600 (sec)
slot 0: FPR-1140 hw/sw rev (0.5/9.19(1)) status (Up Sys)
Interface Po1 (0.0.0.0): Normal (Waiting)
Interface TRANSIT (10.226.47.9): Normal (Not-Monitored)
Interface FACILITY (10.226.32.1): Normal (Not-Monitored)
Interface CCTV (10.226.33.1): Normal (Not-Monitored)
Interface MGMT (0.0.0.0): Link Down (Not-Monitored)
Interface TRADING (10.227.1.1): Normal (Not-Monitored)
Interface NOC (10.227.2.1): Normal (Not-Monitored)
Interface GUEST (10.227.4.1): Normal (Not-Monitored)
Interface OUTSIDE (93.165.156.37): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Other host: Primary - Standby Ready
Active time: 2042286 (sec)
Interface Po1 (0.0.0.0): Normal (Waiting)
Interface TRANSIT (0.0.0.0): Normal (Not-Monitored)
Interface FACILITY (0.0.0.0): Normal (Not-Monitored)
Interface CCTV (0.0.0.0): Normal (Not-Monitored)
Interface MGMT (0.0.0.0): Normal (Not-Monitored)
Interface TRADING (0.0.0.0): Normal (Not-Monitored)
Interface NOC (0.0.0.0): Normal (Not-Monitored)
Interface GUEST (0.0.0.0): Normal (Not-Monitored)
Interface OUTSIDE (93.165.156.41): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Stateful Failover Logical Update Statistics
Link : FAILOVER-LAN Port-channel10 (up)
Stateful Obj        xmit        xerr  rcv         rerr
General             244657629   0     1617715318  9368
sys cmd             319733      0     319730      0
up time             0           0     0           0
RPC services        0           0     0           0
TCP conn            157519482   0     1061619566  7612
UDP conn            81179275    0     531445380   1695
ARP tbl             2786162     0     13122364    0
Xlate_Timeout       0           0     0           0
IPv6 ND tbl         0           0     0           0
VPN IKEv1 SA        0           0     0           0
VPN IKEv1 P2        0           0     0           0
VPN IKEv2 SA        61722       0     12276       0
VPN IKEv2 P2        56          0     10          0
VPN CTCP upd        0           0     0           0
VPN SDI upd         0           0     0           0
VPN DHCP upd        0           0     0           0
SIP Session         1209005     0     4740989     0
SIP Tx              1191924     0     4673010     17
SIP Pinhole         295275      0     955632      44
Route Session       4           0     17          0
Router ID           0           0     1           0
User-Identity       93800       0     819541      0
CTS SGTNAME         0           0     0           0
CTS PAC             0           0     0           0
TrustSec-SXP        0           0     0           0
IPv6 Route          0           0     0           0
STS Table           0           0     0           0
Umbrella Device-ID  0           0     0           0
Rule DB B-Sync      0           0     1           0
Rule DB P-Sync      1191        0     6801        0
Rule DB Delete      0           0     0           0
Logical Update Queue Information
         Cur  Max   Total
Recv Q:  0    68    1652180014
Xmit Q:  0    20    249280697
02-28-2023 02:26 AM
Your secondary appliance is in active mode and both peers can see each other. I would assume it could be a cosmetic bug/issue. Did you see the same syslog when the primary appliance was active?
02-28-2023 03:09 AM
They can see each other, but friend @Sheraz.Salim, all interfaces are not-monitored or unknown!!
@Michael Bartholomæussen, your last post is deleted; can you re-post it again?
02-28-2023 03:12 AM - edited 02-28-2023 03:12 AM
@MHM Cisco World, not-monitored means the client does not want to monitor the interface; this is optional, not mandatory. In case one appliance has a power outage, it will fail over to the other peer whether the interfaces are monitored, not monitored, or in a waiting state.
However, with interface monitoring, if an interface goes down it will fail the firewall over.
02-28-2023 03:13 AM
Yes, I know, but at least one link should be monitored, not all links configured with no-monitor.
02-28-2023 03:14 AM
I have seen production networks where some clients do not want to monitor any interface on the firewall at all. We can argue whether it is best practice to use the monitor command, but it depends on each network's requirements.
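As an added example (not code from the thread or from Cisco), the following Python parses a trimmed copy of the "show high-availability config" output posted above and reports the points the replies argue about: how many interfaces each unit actually monitors, interfaces that are down but cannot trigger failover because they are not monitored, and stateful-update objects with non-zero error counters. The excerpt reuses the posted values; the line patterns are assumptions about the output format, written to match the lines shown in the post.

```python
import re

# Trimmed excerpt of the "show high-availability config" output posted in the
# thread; interface rows and counter rows are copied from that post.
HA_OUTPUT = """\
This host: Secondary - Active
Interface TRANSIT (10.226.47.9): Normal (Not-Monitored)
Interface MGMT (0.0.0.0): Link Down (Not-Monitored)
Interface OUTSIDE (93.165.156.37): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
Other host: Primary - Standby Ready
Interface TRANSIT (0.0.0.0): Normal (Not-Monitored)
Interface OUTSIDE (93.165.156.41): Normal (Monitored)
Stateful Failover Logical Update Statistics
Stateful Obj xmit xerr rcv rerr
General 244657629 0 1617715318 9368
TCP conn 157519482 0 1061619566 7612
UDP conn 81179275 0 531445380 1695
VPN IKEv2 SA 61722 0 12276 0
SIP Pinhole 295275 0 955632 44
"""

# Assumed line formats, derived from the posted output.
HOST_RE = re.compile(r"^(This host|Other host): (.+)$")
IFACE_RE = re.compile(
    r"^Interface (\S+) \(([\d.]+)\): (.+?) \((Monitored|Not-Monitored|Waiting)\)$"
)
STAT_RE = re.compile(
    r"^(?P<name>\S.*?)\s+(?P<xmit>\d+)\s+(?P<xerr>\d+)\s+(?P<rcv>\d+)\s+(?P<rerr>\d+)$"
)


def parse_ha_status(text):
    """Return {'hosts': {host: {'state', 'interfaces': [...]}}, 'stats': {obj: (xmit, xerr, rcv, rerr)}}."""
    hosts, stats, current = {}, {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"state": m.group(2), "interfaces": []}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            name, ip, status, monitoring = m.groups()
            hosts[current]["interfaces"].append(
                {"name": name, "ip": ip, "status": status, "monitoring": monitoring}
            )
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m["name"]] = tuple(int(m[k]) for k in ("xmit", "xerr", "rcv", "rerr"))
    return {"hosts": hosts, "stats": stats}


def ha_findings(parsed):
    """Human-readable checks: monitoring coverage, unmonitored down links, sync errors."""
    findings = []
    for host, info in parsed["hosts"].items():
        ifaces = info["interfaces"]
        monitored = [i for i in ifaces if i["monitoring"] == "Monitored"]
        findings.append(
            f"{host} ({info['state']}): {len(monitored)} of {len(ifaces)} interfaces monitored"
        )
        for i in ifaces:
            # A down interface that is not monitored will never cause a failover.
            if i["monitoring"] != "Monitored" and i["status"] != "Normal":
                findings.append(
                    f"{host}: {i['name']} is '{i['status']}' but not monitored, "
                    "so it cannot trigger failover"
                )
    for name, (xmit, xerr, rcv, rerr) in parsed["stats"].items():
        if xerr or rerr:
            findings.append(f"stateful sync '{name}': xerr={xerr} rerr={rerr}")
    return findings


if __name__ == "__main__":
    for line in ha_findings(parse_ha_status(HA_OUTPUT)):
        print(line)
```

Run against the full output rather than the excerpt, the same two functions give the "3 of N monitored" figure per unit and list every object with receive errors; whether a non-zero rerr matters is for Cisco TAC to say, but it is the counter to quote when opening the case.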
02-28-2023 03:35 AM
Reading the Cisco documentation, it mentions: "The failover key uses DES or AES, depending on the installed license. It also uses MD5 as the hash to authenticate the message. Therefore, it is important that both appliances use the same cipher license key"
02-28-2023 04:21 AM
We tried to switch active peer, but the syslog persists.
02-28-2023 03:26 AM
Disable IPsec Anti-Replay Window <<- disable the anti-replay window and check again