Configure FTD High Availability On Firepower Appliances: Requirements


Configure FTD High Availability on Firepower Appliances
Contents
Introduction
Prerequisites
Requirements
Components Used
Task 1. Verify Conditions
Task 2. Configure FTD HA on FPR9300
Conditions
Task 3. Verify FTD HA and License
Task 4. Switch the Failover Roles
Task 5. Break the HA Pair
Task 6. Disable HA pair
Task 7. Suspend HA
Frequently Asked Questions (FAQ)
Related Information

Introduction
This document describes how to configure and verify Firepower Threat Defense (FTD) High
Availability (HA) (Active/Standby failover) on FPR9300.

Prerequisites
Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

● 2 x Cisco Firepower 9300 Security Appliance - FXOS SW 2.0(1.23)
● FTD running 6.0.1.1 (build 1023)
● Firepower Management Center (FMC) - SW 6.0.1.1 (build 1023)
The information in this document was created from the devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, ensure that you understand the potential impact of any command.
Note: On a FPR9300 appliance with FTD, you can configure only inter-chassis HA. The two
units in a HA configuration must meet the conditions mentioned here.

Task 1. Verify Conditions


Task requirement:

Verify that both FTD appliances meet the requirements from the Note above and can be configured as HA units.

Solution:

Step 1. Connect to the FPR9300 Management IP and verify the module hardware.

Verify the FPR9300-1 hardware.

KSEC-FPR9K-1-A# show server inventory

Server  Equipped PID  Equipped VID  Equipped Serial (SN)  Slot Status  Ackd Memory (MB)  Ackd Cores
------- ------------- ------------- --------------------- ------------ ----------------- ----------
1/1     FPR9K-SM-36   V01           FLM19216KK6           Equipped     262144            36
1/2     FPR9K-SM-36   V01           FLM19206H71           Equipped     262144            36
1/3     FPR9K-SM-36   V01           FLM19206H7T           Equipped     262144            36
KSEC-FPR9K-1-A#
Verify the FPR9300-2 hardware.

KSEC-FPR9K-2-A# show server inventory

Server  Equipped PID  Equipped VID  Equipped Serial (SN)  Slot Status  Ackd Memory (MB)  Ackd Cores
------- ------------- ------------- --------------------- ------------ ----------------- ----------
1/1     FPR9K-SM-36   V01           FLM19206H9T           Equipped     262144            36
1/2     FPR9K-SM-36   V01           FLM19216KAX           Equipped     262144            36
1/3     FPR9K-SM-36   V01           FLM19267A63           Equipped     262144            36
KSEC-FPR9K-2-A#
Step 2. Log into the FPR9300-1 Chassis Manager and navigate to Logical Devices.

Verify the software version, number and the type of interfaces as shown in the images.

FPR9300-1
FPR9300-2

Task 2. Configure FTD HA on FPR9300


Task requirement:

Configure Active/Standby failover (HA) as per this diagram.

Solution:

Both FTD devices are already registered on the FMC as shown in the image.

Step 1. In order to configure FTD failover, navigate to Devices > Device Management and
select Add High Availability as shown in the image.

Step 2. Enter the Primary Peer and the Secondary Peer and select Continue as shown in the
image.

Conditions

In order to create an HA between 2 FTD devices, these conditions must be met:

● Same model
● Same version (this applies to FXOS and to FTD: the major (first number), minor (second number) and maintenance (third number) versions must be equal)
● Same number of interfaces
● Same type of interfaces
● Both devices in the same group/domain on the FMC
● Identical Network Time Protocol (NTP) configuration
● Fully deployed on the FMC, with no uncommitted changes
● Same firewall mode: routed or transparent. Note that this must be checked on both FTD devices and in the FMC GUI, since there have been cases where the FTDs had the same mode but the FMC did not reflect it.
● No DHCP or Point-to-Point Protocol over Ethernet (PPPoE) configured on any interface
● Different hostnames (Fully Qualified Domain Names (FQDN)) for the two chassis. In order to check the chassis hostname, go to the FTD CLI and run this command:

firepower# show chassis-management-url

https://KSEC-FPR9K-1.cisco.com:443//

Note: On post-6.3 FTD releases, use the command 'show chassis detail':

firepower# show chassis detail
Chassis URL : https://KSEC-FPR4100-1:443//
Chassis IP : 192.0.2.1
Chassis Serial Number : JMX12345678
Security Module : 1

If both chassis have the same name, change the name in one of them with the use of
these commands:

KSEC-FPR9K-1-A# scope system
KSEC-FPR9K-1-A /system # set name FPR9K-1new
Warning: System name modification changes FC zone name and redeploys them non-disruptively
KSEC-FPR9K-1-A /system* # commit-buffer
FPR9K-1-A /system # exit
FPR9K-1new-A#

After you change the chassis name, unregister the FTD from the FMC and register it again. Then,
proceed with the HA Pair creation.
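Anyone who pairs units regularly will want the conditions above checked mechanically before selecting Add. The following is an added example, not part of this document and not Cisco code: it encodes the condition list as a Python function over two hand-built device records. The record field names, the interface type label and the NTP server address are assumptions; the model, versions, interface names and hostnames are taken from this document.

```python
"""Pre-flight check of the FTD HA conditions listed above.

Added example (not Cisco code, not part of this document). The two device
records are constructed by hand from the values shown in this document;
every field name is an assumption made for this example."""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Constructed from the values in this document; field names and the
# interface type label are assumptions, the NTP address is a placeholder.
UNIT_1: Dict = {
    "hostname": "KSEC-FPR9K-1.cisco.com",
    "model": "FPR9K-SM-36",
    "fxos_version": "2.0(1.23)",
    "ftd_version": "6.0.1.1 (build 1023)",
    "fmc_domain": "Global",
    "firewall_mode": "routed",
    "ntp_servers": ["198.51.100.10"],
    "pending_changes": False,          # nothing left to deploy on the FMC
    "interfaces": [
        {"name": "Ethernet1/4", "type": "10GE", "addressing": "none"},
        {"name": "Ethernet1/5", "type": "10GE", "addressing": "static"},
        {"name": "Ethernet1/6", "type": "10GE", "addressing": "static"},
    ],
}
# The second chassis differs only in its hostname, as the document requires.
UNIT_2: Dict = dict(UNIT_1, hostname="KSEC-FPR9K-2.cisco.com")


def version_triplet(version: str) -> Tuple[int, int, int]:
    """Major, minor and maintenance numbers, the three the condition requires
    to match. Handles both '6.0.1.1 (build 1023)' and FXOS-style '2.0(1.23)'."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    if len(nums) < 3:
        raise ValueError(f"cannot parse version {version!r}")
    return nums[0], nums[1], nums[2]


def check_ha_eligibility(a: Dict, b: Dict) -> List[str]:
    """Return every condition the pair violates; an empty list means eligible."""
    problems: List[str] = []
    if a["model"] != b["model"]:
        problems.append(f"model mismatch: {a['model']} vs {b['model']}")
    for key, label in (("fxos_version", "FXOS"), ("ftd_version", "FTD")):
        if version_triplet(a[key]) != version_triplet(b[key]):
            problems.append(f"{label} version mismatch: {a[key]} vs {b[key]}")
    if len(a["interfaces"]) != len(b["interfaces"]):
        problems.append("different number of interfaces")
    elif sorted(i["type"] for i in a["interfaces"]) != sorted(i["type"] for i in b["interfaces"]):
        problems.append("different interface types")
    if a["fmc_domain"] != b["fmc_domain"]:
        problems.append("units are in different FMC groups/domains")
    if sorted(a["ntp_servers"]) != sorted(b["ntp_servers"]):
        problems.append("NTP configuration differs")
    if a["firewall_mode"] != b["firewall_mode"]:
        problems.append(f"firewall mode mismatch: {a['firewall_mode']} vs {b['firewall_mode']}")
    if a["hostname"].lower() == b["hostname"].lower():
        problems.append(f"both chassis use the hostname {a['hostname']}")
    for unit in (a, b):
        if unit["pending_changes"]:
            problems.append(f"{unit['hostname']} has undeployed changes on the FMC")
        dynamic = [i["name"] for i in unit["interfaces"] if i["addressing"] in ("dhcp", "pppoe")]
        if dynamic:
            problems.append(f"{unit['hostname']} uses DHCP/PPPoE on {', '.join(dynamic)}")
    return problems


if __name__ == "__main__":
    for line in check_ha_eligibility(UNIT_1, UNIT_2) or ["pair is eligible for HA"]:
        print(line)
```

Only the first three version numbers are compared, so a pair on 6.0.1.1 and 6.0.1.2 passes while 6.0.1.1 and 6.1.0.1 does not, which is exactly the rule stated in the list.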

Step 3. Configure the High Availability link and the State link settings.

In this case, the State link uses the same settings as the High Availability link.

Select Add and wait for a few minutes for the HA pair to be deployed as shown in the image.

Step 4. Configure the Data interfaces (primary and standby IP addresses)


From the FMC GUI, select the HA Edit as shown in the image.

Step 5. Configure the Interface settings as shown in the images.

Ethernet 1/5 interface.

Ethernet 1/6 interface.


Step 6. Navigate to High Availability and select the Interface Name Edit to add the standby IP
addresses as shown in the image.

Step 7. For the Inside interface as shown in the image.


Step 8. Do the same for the Outside interface.

Step 9. Verify the result as shown in the image.

Step 10. Stay on the High Availability tab and configure Virtual MAC addresses as shown in the
image.

Step 11. For the Inside interface, as shown in the image.


Step 12. Do the same for the Outside interface.

Step 13. Verify the result as shown in the image.

Step 14. After you configure the changes, select Save and Deploy.

Task 3. Verify FTD HA and License


Task requirement:

Verify the FTD HA settings and enabled Licenses from the FMC GUI and from FTD CLI.

Solution:

Step 1. Navigate to Summary and check the HA settings and enabled Licenses as shown in the
image.

Step 2. From the FTD CLISH CLI, run these commands:


> show high-availability config
Failover On
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.6(1), Mate 9.6(1)
Serial Number: Ours FLM19267A63, Mate FLM19206H7T
Last Failover at: 18:32:38 EEST Jul 21 2016
        This host: Primary - Active
                Active time: 3505 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(1)) status (Up Sys)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)
        Other host: Secondary - Standby Ready
                Active time: 172 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(1)) status (Up Sys)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)

Stateful Failover Logical Update Statistics
        Link : fover_link Ethernet1/4 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         417        0          416        0
        sys cmd         416        0          416        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        SIP Tx          0          0          0          0
        SIP Pinhole     0          0          0          0
        Route Session   0          0          0          0
        Router ID       0          0          0          0
        User-Identity   1          0          0          0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0
        STS Table       0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       10      416
        Xmit Q:         0       11      2118
>
Step 3. Do the same on the Secondary device.

Step 4. Run the show failover state command from the LINA CLI:

firepower# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             18:32:56 EEST Jul 21 2016

====Configuration State===
        Sync Done
====Communication State===
        Mac set

firepower#
Step 5. Verify the configuration from the Primary unit (LINA CLI):

firepower# show running-config failover
failover
failover lan unit primary
failover lan interface fover_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbbb.1111 aaaa.bbbb.2222
failover mac address Ethernet1/6 aaaa.bbbb.3333 aaaa.bbbb.4444
failover link fover_link Ethernet1/4
failover interface ip fover_link 1.1.1.1 255.255.255.0 standby 1.1.1.2
firepower#

firepower# show running-config interface
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
firepower#
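The two outputs above (show high-availability config from CLISH and show failover state from LINA) are what an operator reads to confirm the pair is healthy, and the same check can be scripted. The following is an added example, not part of this document and not Cisco code: it parses both outputs and reports anything that deviates from a healthy pair. The sample text is a shortened copy of the output printed above; the function names and the health rules it applies (failover on, LAN link up, matching versions, one Active and one Standby Ready unit, all slots up, configuration Sync Done) are this example's own assumptions about what "healthy" means.

```python
"""Health check over 'show high-availability config' and 'show failover state'.

Added example (not Cisco code, not part of this document). The sample
strings are shortened copies of the output shown in this document; the
rules applied are assumptions about what a healthy pair looks like."""
from __future__ import annotations

import re
from typing import Dict, List

# Shortened copy of the CLISH output shown above.
SAMPLE_HA_CONFIG = """\
Failover On
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Version: Ours 9.6(1), Mate 9.6(1)
Serial Number: Ours FLM19267A63, Mate FLM19206H7T
This host: Primary - Active
        Active time: 3505 (sec)
        slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(1)) status (Up Sys)
          Interface diagnostic (0.0.0.0): Normal (Waiting)
        slot 1: snort rev (1.0)  status (up)
        slot 2: diskstatus rev (1.0)  status (up)
Other host: Secondary - Standby Ready
        Active time: 172 (sec)
        slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(1)) status (Up Sys)
          Interface diagnostic (0.0.0.0): Normal (Waiting)
        slot 1: snort rev (1.0)  status (up)
        slot 2: diskstatus rev (1.0)  status (up)
"""

# Shortened copy of the LINA output shown above.
SAMPLE_FAILOVER_STATE = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             18:32:56 EEST Jul 21 2016

====Configuration State===
        Sync Done
====Communication State===
        Mac set
"""


def parse_ha_config(text: str) -> Dict:
    """Extract the fields the health check needs from 'show high-availability config'."""
    info: Dict = {"failover_on": False, "lan_link_up": False, "versions": None,
                  "this_host": None, "other_host": None, "slots_down": []}
    current = None  # which unit the slot lines currently being read belong to
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["failover_on"] = True
        m = re.match(r"Failover LAN Interface: .*\((\w+)\)$", line)
        if m:
            info["lan_link_up"] = m.group(1).lower() == "up"
        m = re.match(r"Version: Ours (\S+), Mate (\S+)$", line)
        if m:
            info["versions"] = (m.group(1), m.group(2))
        m = re.match(r"(This|Other) host: (\w+) - (.+)$", line)
        if m:
            current = "this_host" if m.group(1) == "This" else "other_host"
            info[current] = (m.group(2), m.group(3))   # (role, state)
        m = re.match(r"slot (\d+): .*status \(([^)]*)\)$", line)
        if m and current:
            if m.group(2).lower() not in ("up", "up sys"):
                info["slots_down"].append((current, int(m.group(1)), m.group(2)))
    return info


def ha_findings(ha_config: str, failover_state: str) -> List[str]:
    """Everything that deviates from a healthy Active/Standby Ready pair."""
    info = parse_ha_config(ha_config)
    findings: List[str] = []
    if not info["failover_on"]:
        findings.append("failover is not enabled")
    if not info["lan_link_up"]:
        findings.append("failover LAN link is not up")
    if info["versions"] and info["versions"][0] != info["versions"][1]:
        findings.append("software version differs between the units: %s vs %s" % info["versions"])
    states = {host[1] for host in (info["this_host"], info["other_host"]) if host}
    if states != {"Active", "Standby Ready"}:
        findings.append(f"unit states are {sorted(states)}, expected one Active and one Standby Ready")
    for unit, slot, status in info["slots_down"]:
        findings.append(f"{unit} slot {slot} status is {status!r}")
    # The LINA output is only consulted for the configuration sync state.
    if not re.search(r"^\s*Sync Done\s*$", failover_state, re.MULTILINE):
        findings.append("configuration is not synchronised (no 'Sync Done' in show failover state)")
    return findings


if __name__ == "__main__":
    for line in ha_findings(SAMPLE_HA_CONFIG, SAMPLE_FAILOVER_STATE) or ["HA pair is healthy"]:
        print(line)
```

The check accepts either unit as Active, so it still passes after the roles are switched in Task 4; it reports a problem only when the pair does not consist of exactly one Active and one Standby Ready unit.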

Task 4. Switch the Failover Roles


Task requirement:
From the FMC, switch the failover roles from Primary/Active, Secondary/Standby to
Primary/Standby, Secondary/Active

Solution:

Step 1. Select the icon as shown in the image.

Step 2. Confirm the action on the pop-up window as shown in the image.

Step 3. Verify the result as shown in the image.

From the LINA CLI, you can see that the command no failover active was executed on the
Primary/Active unit:

Jul 22 2016 10:39:26: %ASA-5-111008: User 'enable_15' executed the 'no failover active' command.
Jul 22 2016 10:39:26: %ASA-5-111010: User 'enable_15', running 'N/A' from IP 0.0.0.0, executed 'no failover active'
You can also verify it in the show failover history command output:

firepower# show failover history
==========================================================================
From State                 To State                   Reason
10:39:26 EEST Jul 22 2016
Active                     Standby Ready              Set by the config command
Step 4. After the verification, make the Primary unit Active again.

Task 5. Break the HA Pair


Task requirement:
From the FMC, break the failover pair.

Solution:

Step 1. Select the icon as shown in the image.

Step 2. Check the notification as shown in the image.

Step 3. Note the message as shown in the image.

Step 4. Verify the result from the FMC GUI as shown in the image.

show running-config on the Primary unit before and after the HA break:
Before HA Break:

firepower# sh run
: Saved
:
: Serial Number: FLM19267A63
: Hardware: FPR9K-SM-36, 135839 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 6.0.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
  tcp-options range 6 7 allow
  tcp-options range 9 255 allow
  urgent-flag allow
!
no pager
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
mtu diagnostic 1500
mtu Inside 1500
mtu Outside 1500
failover
failover lan unit primary
failover lan interface fover_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbbb.1111 aaaa.bbbb.2222
failover mac address Ethernet1/6 aaaa.bbbb.3333 aaaa.bbbb.4444
failover link fover_link Ethernet1/4
failover interface ip fover_link 1.1.1.1 255.255.255.0 standby 1.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:933c594fc0264082edc0f24bad358031
: end
firepower#

After HA Break:

firepower# sh run
: Saved
:
: Serial Number: FLM19267A63
: Hardware: FPR9K-SM-36, 135839 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 6.0.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
  tcp-options range 6 7 allow
  tcp-options range 9 255 allow
  urgent-flag allow
!
no pager
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
mtu diagnostic 1500
mtu Inside 1500
mtu Outside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fb6f5c369dee730b9125
: end
firepower#

show running-config on the Secondary unit before and after the HA break is as shown in the
table here.

Before HA Break:

firepower# sh run
: Saved
:
: Serial Number: FLM19206H7T
: Hardware: FPR9K-SM-36, 135841 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 6.0.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
  tcp-options range 6 7 allow
  tcp-options range 9 255 allow
  urgent-flag allow
!
no pager
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
mtu diagnostic 1500
mtu Inside 1500
mtu Outside 1500
failover
failover lan unit secondary
failover lan interface fover_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbbb.1111 aaaa.bbbb.2222
failover mac address Ethernet1/6 aaaa.bbbb.3333 aaaa.bbbb.4444
failover link fover_link Ethernet1/4
failover interface ip fover_link 1.1.1.1 255.255.255.0 standby 1.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e648f92dd7ef47ee611f2aaa5c6cbd84
: end
firepower#

After HA Break:

firepower# sh run
: Saved
:
: Serial Number: FLM19206H7T
: Hardware: FPR9K-SM-36, 135841 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 6.0.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
  tcp-options range 6 7 allow
  tcp-options range 9 255 allow
  urgent-flag allow
!
no pager
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu diagnostic 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:08ed87194e9f5cd9149f
: end
firepower#

Main points to note for the HA break:

Primary Unit:
● All failover configuration is removed
● Standby IPs remain

Secondary Unit:
● All configuration is removed

Step 5. After you finish this task, recreate the HA pair.

Task 6. Disable HA pair


Task requirement:

From the FMC, disable the failover pair.

Solution:

Step 1. Select the icon as shown in the image.

Step 2. Check the notification and confirm as shown in the image.

Step 3. After you delete the HA, both devices are unregistered (removed) from the FMC.

show running-config result from the LINA CLI is as shown in the table here:

Primary Unit:

firepower# sh run
: Saved
:
: Serial Number: FLM19267A63
: Hardware: FPR9K-SM-36, 135839 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 6.0.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
  tcp-options range 6 7 allow
  tcp-options range 9 255 allow
  urgent-flag allow
!
no pager
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
mtu diagnostic 1500
mtu Inside 1500
mtu Outside 1500
failover
failover lan unit primary
failover lan interface fover_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbbb.1111 aaaa.bbbb.2222
failover mac address Ethernet1/6 aaaa.bbbb.3333 aaaa.bbbb.4444
failover link fover_link Ethernet1/4
failover interface ip fover_link 1.1.1.1 255.255.255.0 standby 1.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context

Secondary Unit:

firepower# sh run
: Saved
:
: Serial Number: FLM19206H7T
: Hardware: FPR9K-SM-36, 135841 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 6.0.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
  tcp-options range 6 7 allow
  tcp-options range 9 255 allow
  urgent-flag allow
!
no pager
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
mtu diagnostic 1500
mtu Inside 1500
mtu Outside 1500
failover
failover lan unit secondary
failover lan interface fover_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbbb.1111 aaaa.bbbb.2222
failover mac address Ethernet1/6 aaaa.bbbb.3333 aaaa.bbbb.4444
failover link fover_link Ethernet1/4
failover interface ip fover_link 1.1.1.1 255.255.255.0 standby 1.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
call-home
profile CiscoTAC-1
profile CiscoTAC-1
no active
no active
destination address http
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
https://tools.cisco.com/its/service/oddce/s
destination address email [email protected]
destination address email callhome@cisc
destination transport-method http
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group inventory periodi
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group configuration per
subscribe-to-alert-group telemetry periodic daily
subscribe-to-alert-group telemetry periodi
Cryptochecksum:933c594fc0264082edc0f24bad358031
Cryptochecksum:e648f92dd7ef47ee611f2
: end
: end
firepower#
firepower#

Step 4. Both FTD devices were unregistered from the FMC:

> show managers
No managers configured.

Main points to note for the Disable HA option in FMC:

Primary Unit: The device is removed from the FMC. No configuration is removed from the FTD device.
Secondary Unit: The device is removed from the FMC. No configuration is removed from the FTD device.

Step 5. Run this command to remove the failover configuration from the FTD devices:

> configure high-availability disable
High-availability will be disabled. Do you really want to continue?
Please enter 'YES' or 'NO': yes
Successfully disabled high-availability.

Note: You have to run the command on both units.

The result:

Primary Unit:

> show failover
Failover Off
Failover unit Secondary
Failover LAN Interface: not Configured
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1041 maximum
MAC Address Move Notification Interval not set
>

Secondary Unit:

> show failover
Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/3.205 (
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
>

Note that the Primary now reports "Failover unit Secondary" and "Failover LAN Interface: not Configured": the disable command removed its whole failover configuration, including the failover lan unit primary line, so the unit falls back to the default role. The Secondary keeps its failover lines (with failover itself turned off) and therefore reports pseudo-Standby. Compare the running configurations that follow:
Primary Unit:

firepower# show run
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
interface GigabitEthernet1/1
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 10.1.1.1 255.255.255.0        <-- standby IP was removed
!
interface GigabitEthernet1/2
 nameif inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.1.1 255.255.255.0     <-- standby IP was removed
!
interface GigabitEthernet1/3
 description LAN Failover Interface
!
interface GigabitEthernet1/4
 description STATE Failover Interface
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit udp any any eq 3544 rule-id 9998
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD_HA - Default/1
access-list CSM_FW_ACL_ remark rule-id 268435456: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435456
!
tcp-map UM_STATIC_TCP_MAP
  tcp-options range 6 7 allow
  tcp-options range 9 18 allow
  tcp-options range 20 255 allow
  tcp-options md5 clear
  urgent-flag allow
!
no pager
logging enable
logging timestamp
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710005
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu outside 1500
mtu inside 1500
mtu diagnostic 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
aaa proxy-limit disable
snmp-server host outside 192.168.1.100 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:768a03e90b9d3539773b9d7af66b3452

Secondary Unit:

firepower# show run
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 description LAN Failover Interface
!
interface GigabitEthernet1/4
 description STATE Failover Interface
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit udp any any eq 3544 rule-id 9998
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD_HA - Default/1
access-list CSM_FW_ACL_ remark rule-id 268435456: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435456
!
tcp-map UM_STATIC_TCP_MAP
  tcp-options range 6 7 allow
  tcp-options range 9 18 allow
  tcp-options range 20 255 allow
  tcp-options md5 clear
  urgent-flag allow
!
no pager
logging enable
logging timestamp
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710005
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu outside 1500
mtu inside 1500
mtu diagnostic 1500
no failover
failover lan unit secondary
failover lan interface FOVER GigabitEthernet1/3
failover replication http
failover link STATE GigabitEthernet1/4
failover interface ip FOVER 1.1.1.1 255.255.255.0 standby 1.1.1.2
failover interface ip STATE 2.2.2.1 255.255.255.0 standby 2.2.2.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa proxy-limit disable
snmp-server host outside 192.168.1.100 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ac9b8f401e18491fee653f4cfe0c     (truncated in the source)

Main points to note for the Disable HA from the FTD CLI:

Primary Unit: The failover configuration and the standby IPs are removed. The interface configuration itself is kept.
Secondary Unit: The interface configurations are removed. The device goes into pseudo-Standby mode.
Step 6. After you finish the task, register the devices to the FMC again and re-create the HA pair.

Task 7. Suspend HA
Task requirement:

Suspend the HA from the FTD CLISH CLI

Solution:

Step 1. On the Primary FTD, run the command and confirm (type YES).
> configure high-availability suspend
Please ensure that no deployment operation is in progress before suspending high-availability.
Please enter 'YES' to continue if there is no deployment operation in progress and 'NO' if you
wish to abort: YES
Successfully suspended high-availability.
Step 2. Verify the changes on Primary unit:

> show high-availability config


Failover Off
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Step 3. The result on Secondary unit:

> show high-availability config


Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Step 4. Resume HA on Primary unit:

> configure high-availability resume


Successfully resumed high-availablity.

> .

No Active mate detected


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

>

> show high-availability config


Failover On
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Step 5. The result on the Secondary unit after you resume HA:
> ..

Detected an Active mate


Beginning configuration replication from mate.

WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
End configuration replication from mate.

>

> show high-availability config


Failover On
Failover unit Secondary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
>
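The suspend and resume steps above leave each unit in a distinct state (Failover Off, Failover Off (pseudo-Standby), Failover On), and the only safe way to act on a pair is to read both units. As an added example (not part of the original TechNote and not Cisco tooling), the script below parses the show high-availability config / show failover output of both units and classifies the pair. It also flags the case discussed in the FAQ further down, where one unit still runs failover while the other came up with failover plainly off (not pseudo-Standby) and therefore shares the data IPs. The sample outputs are constructed from the outputs shown in Task 6 and Task 7; the state names returned by classify_pair are this example's own convention.

```python
"""Classify an FTD Active/Standby pair from the `show high-availability config`
(CLISH) or `show failover` (LINA) output of both units.

Added example for this TechNote; not Cisco code. The sample outputs below are
constructed from the outputs shown in Task 6 and Task 7; the state names that
classify_pair returns are this example's own convention.
"""
import re
from dataclasses import dataclass
from typing import Optional

_FAILOVER_RE = re.compile(r"^Failover (On|Off)(?: \((pseudo-Standby)\))?", re.M)
_UNIT_RE = re.compile(r"^Failover unit (\w+)", re.M)
_LAN_RE = re.compile(r"^Failover LAN Interface: (.+?)(?: \((up|down)\))?$", re.M)
_MON_RE = re.compile(r"^Monitored Interfaces (\d+) of \d+ maximum", re.M)


@dataclass
class UnitState:
    failover_on: bool
    pseudo_standby: bool    # "Failover Off (pseudo-Standby)": unit does not own the data IPs
    unit: str               # "Primary" or "Secondary"
    lan_interface: str      # e.g. "fover_link Ethernet1/4" or "not Configured"
    lan_up: Optional[bool]  # None when the failover LAN interface is not configured
    monitored: int


def parse_unit(output: str) -> UnitState:
    """Extract the failover state from one unit's show output."""
    fo, unit, lan = _FAILOVER_RE.search(output), _UNIT_RE.search(output), _LAN_RE.search(output)
    if not (fo and unit and lan):
        raise ValueError("output does not look like show failover / show high-availability config")
    lan_name = lan.group(1).strip()
    lan_up = None if lan_name.lower() == "not configured" else lan.group(2) == "up"
    mon = _MON_RE.search(output)
    return UnitState(
        failover_on=fo.group(1) == "On",
        pseudo_standby=fo.group(2) is not None,
        unit=unit.group(1),
        lan_interface=lan_name,
        lan_up=lan_up,
        monitored=int(mon.group(1)) if mon else 0,
    )


def classify_pair(a: UnitState, b: UnitState) -> str:
    """Pair state (this example's own labels):
    on                  both units run failover (normal Active/Standby)
    off-pseudo-standby  failover off on both, former standby in pseudo-Standby:
                        the suspended state of Task 7, one unit owns the data IPs
    off                 failover off on both and no pseudo-Standby unit; verify by
                        hand that the two units do not hold the same data IPs
    resuming            one unit back On, the other still pseudo-Standby (transient,
                        right after `configure high-availability resume` on one unit)
    duplicate-ip-risk   one unit runs failover, the other is plain Failover Off:
                        the Active/Failover-off case, both use the same data IPs
    """
    if a.failover_on and b.failover_on:
        return "on"
    if not a.failover_on and not b.failover_on:
        return "off-pseudo-standby" if (a.pseudo_standby or b.pseudo_standby) else "off"
    off_unit = b if a.failover_on else a
    return "resuming" if off_unit.pseudo_standby else "duplicate-ip-risk"


# Constructed samples, trimmed to the lines the parser uses.
SUSPENDED_PRIMARY = """\
Failover Off
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Monitored Interfaces 1 of 1041 maximum
"""
SUSPENDED_SECONDARY = """\
Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Monitored Interfaces 1 of 1041 maximum
"""
RESUMED_PRIMARY = SUSPENDED_PRIMARY.replace("Failover Off", "Failover On")
RESUMED_SECONDARY = SUSPENDED_SECONDARY.replace("Failover Off (pseudo-Standby)", "Failover On")
# Task 6 primary after `configure high-availability disable`: failover config gone.
DISABLED_PRIMARY = """\
Failover Off
Failover unit Secondary
Failover LAN Interface: not Configured
Monitored Interfaces 2 of 1041 maximum
"""
# Former pseudo-Standby unit reloaded with `no failover` saved (FAQ, Case 2).
RELOADED_OFF_SECONDARY = """\
Failover Off
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/1 (up)
Monitored Interfaces 1 of 1041 maximum
"""

if __name__ == "__main__":
    for label, a, b in [
        ("after suspend", SUSPENDED_PRIMARY, SUSPENDED_SECONDARY),
        ("after resume", RESUMED_PRIMARY, RESUMED_SECONDARY),
        ("active mate + reloaded off unit", RESUMED_PRIMARY, RELOADED_OFF_SECONDARY),
    ]:
        print(f"{label}: {classify_pair(parse_unit(a), parse_unit(b))}")
```

Feed the two outputs collected over SSH (or pasted from the consoles) to parse_unit and act only on "on" or "off-pseudo-standby"; a "duplicate-ip-risk" result means the pair must be fixed before any further deployment, because both units answer on the same data IPs.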

Frequently Asked Questions (FAQ)

When the configuration is replicated, is it saved immediately (line by line) or at the end of the replication?
At the end of the replication. The evidence is at the end of the debug fover sync command output, which shows the config/command replication finishing with a write memory:

cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1506 remark rule-id 268442578:
L7 RULE: ACP_Rule_500
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1507 advanced permit tcp
object-group group_10 eq 48894 object-group group_10 eq 23470 vlan eq 1392 rule-id 268442578
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1508 remark rule-id 268442078:
ACCESS POLICY: mzafeiro_500 - Default
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1509 remark rule-id 268442078:
L4 RULE: DEFAULT ACTION RULE
...
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ advanced permit tcp object-group
group_2 eq 32881 object-group group_433 eq 39084 vlan eq 1693 rule-id 268442076
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id
268442077: ACCESS POLICY: mzafeiro_ACP1500 - Mandatory
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id
268442077: L7 RULE: ACP_Rule_1500
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ advanced permit tcp object-group
group_6 eq 8988 object-group group_311 eq 32433 vlan eq 619 rule-id 268442077
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id
268440577: ACCESS POLICY: mzafeiro_ACP1500 - Default
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id
268440577: L4 RULE: DEFAULT ACTION RULE
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ advanced deny ip any any rule-id
268442078 event-log flow-start
cli_xml_server: frep_write_cmd: Cmd: crypto isakmp nat-traversal
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_311
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_433
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_6
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_2
cli_xml_server: frep_write_cmd: Cmd: write memory <--

What happens if a unit is in pseudo-Standby state (failover disabled) and you then reload it while the other unit has failover enabled and is Active?
You end up in an Active/Active scenario (technically an Active/Failover-off scenario), provided the failover-off state was saved to the startup-config (see the next question). Once the unit comes up, its failover is disabled, but it is configured with the same IPs as the Active unit. So effectively, you have:

● Unit-1: Active
● Unit-2: failover is off. The unit uses the same data IPs as Unit-1, but different MAC addresses.

What happens to the failover configuration if you manually disable the failover (configure high-availability suspend) and then reload the device?
Disabling the failover is not a permanent change: it is applied to the running-config and is not saved in the startup-config unless you explicitly save it. Note that you can reboot/reload the unit in 2 different ways, and with the second way you must be careful:

Case 1. Reboot from CLISH

The CLISH reboot command asks you to confirm the reboot, but it does not ask whether to save the running-config. Thus, the configuration change is not saved into the startup-config:

> configure high-availability suspend


Please ensure that no deployment operation is in progress before suspending high-availability.
Please enter 'YES' to continue if there is no deployment operation in progress and 'NO' if you
wish to abort: YES
Successfully suspended high-availability.

The running config has the failover disabled. In this case the unit was Standby and got into
pseudo-Standby state as expected in order to avoid an Active/Active scenario:

firepower# show failover | include Failover


Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/1 (up)

The startup config has the failover still enabled:

firepower# show startup | include failover


failover
failover lan unit secondary
failover lan interface FOVER Ethernet1/1
failover replication http
failover link FOVER Ethernet1/1
failover interface ip FOVER 192.0.2.1 255.255.255.0 standby 192.0.2.2
failover ipsec pre-shared-key *****
Reboot the device from CLISH (reboot command):
> reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': YES

Broadcast message from root@


Threat Defense System: CMD=-stop, CSP-ID=cisco-ftd.6.2.2.81__ftd_001_JMX2119L05CYRIBVX1, FLAG=''
Cisco FTD stopping ...

Once the unit is up, since failover is still enabled in the startup-config, the device enters the failover negotiation phase and tries to detect the remote peer:

User enable_1 logged in to firepower


Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
firepower> .

Detected an Active mate

Case 2. Reboot from LINA CLI


Reload from LINA (reload command) asks whether to save the modified running-config. If you answer [Y]es, the configuration change (no failover) is saved into the startup-config:

firepower# reload
System config has been modified. Save? [Y]es/[N]o: Y <-- Be careful. This will disable the
failover in the startup-config

Cryptochecksum: 31857237 8658f618 3234be7c 854d583a

8781 bytes copied in 0.940 secs


Proceed with reload? [confirm]
firepower# show startup | include failover
no failover
failover lan unit secondary
failover lan interface FOVER Ethernet1/1
failover replication http
failover link FOVER Ethernet1/1
failover interface ip FOVER 192.0.2.1 255.255.255.0 standby 192.0.2.2
failover ipsec pre-shared-key *****

Once the unit is UP the failover is disabled:

firepower# show failover | include Fail


Failover Off
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/1 (up)

Note: To avoid this scenario, answer [N]o when the reload command asks whether to save the modified configuration, so that the suspended state (no failover) does not reach the startup-config.

Related Information
● All versions of the Cisco Firepower Management Center configuration guide can be found here:
https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html#id_47280

● All versions of the FXOS Chassis Manager and CLI configuration guides can be found here:
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/roadmap/fxos-roadmap.html#pgfId-121950

● Cisco Global Technical Assistance Center (TAC) strongly recommends this visual guide for in-depth practical knowledge on Cisco Firepower Next Generation Security Technologies, including the ones mentioned in this article:
http://www.ciscopress.com/title/9781587144806

● For all Configuration and Troubleshoot TechNotes that pertain to the Firepower technologies:
https://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html

● Technical Support & Documentation - Cisco Systems