
Cisco Defense Orchestrator

Firepower Threat Defense High Availability Pair Requirements

High Availability Requirements

There are several requirements you must establish before you create a high availability (HA) pair.

Physical and Virtual Device Requirements for HA

The following hardware requirements must be met:

  • The devices must be the same hardware model.
  • The devices must have the same modules installed. For example, if one has an optional network module, then you must install the same network module in the other device.
  • The devices must have the same type and number of interfaces.
  • To create an HA pair in CDO, both devices must have management interfaces configured. If the devices have data interfaces configured, you must create the HA pair through the FDM console, and then onboard the pair to CDO.

Note: You cannot use an FTD template in an HA pair.

Software Requirements for HA

The following software requirements must be met for both physical and virtual FTDs:

  • You have two standalone Firepower Threat Defense (FTD) devices onboarded in the Defense Orchestrator.
  • The devices must run the exact same software version, which means the same major (first), minor (second), and maintenance (third) numbers. You can find the version inside the Device Details window on the Devices page, or you can use the show version command in the CLI.

Note: Devices with different versions are allowed to join, but the configuration is not imported into the standby unit and failover is not functional until you upgrade the units to the same software version.

  • Both devices must be in local manager mode, that is, configured using Firepower Device Manager (FDM). If you can log into FDM on both devices, they are in local manager mode. You can also use the show managers command in the CLI to verify.
  • You must complete the initial setup wizard for each device before onboarding to CDO.
  • Each device must have its own management IP address. The configuration for the management interface is not synchronized between the devices.
  • The devices must have the same NTP configuration.
  • You cannot configure any interface to obtain its address using DHCP. That is, all interfaces must have static IP addresses.
    Note: If you change any interface configurations, you must deploy the changes to the device before establishing HA.
  • Both devices must be synced. If there are pending changes or detected conflicts, see Resolve Configuration Conflicts for more information.

Smart License Requirements for HA

The following license requirements must be met for both physical and virtual FTDs:

  • Both devices in an HA pair must have either a registered license or an evaluation license. If the devices are registered, they can be registered to different Cisco Smart Software Manager accounts, but the accounts must have the same state for the export-controlled functionality setting, either both enabled or both disabled. However, it does not matter if you have enabled different optional licenses on the devices.
  • Both devices within the HA pair must have the same licenses during operation. It is possible to be in compliance on one device, but out of compliance on the other if there are insufficient licenses. If your Smart Licenses account does not include enough purchased entitlements, your account becomes Out-of-Compliance (even though one of the devices may be compliant) until you purchase the correct number of licenses.

Note that if the device is in evaluation mode, you must ensure that the registration status for Cisco Defense Orchestrator is the same on the devices. You must also ensure that your selection for participation in the Cisco Success Network is the same. For registered devices, the settings can be different on the units, but whatever is configured on the primary (active) device will either register or unregister the secondary. An agreement to participate in the Cisco Success Network on the primary implies an agreement for the secondary.

If you register the devices to accounts that have different settings for export-controlled features, or try to create an HA pair with one unit registered and the other in evaluation mode, the HA join might fail. If you configure an IPsec encryption key with inconsistent settings for export-controlled features, both devices will become active after you activate HA. This will impact routing on the supported network segments, and you will have to manually break HA on the secondary unit to recover.
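As an added pre-flight check that walks through the hardware, software and license requirements above before an HA join is attempted (example code written for this page, not Cisco's or CDO's own tooling; the FtdDevice fields, the normalized "local" manager value and the version string format are assumptions, and all sample values are constructed):

```python
from dataclasses import dataclass

@dataclass
class FtdDevice:
    """One FTD unit, as recorded by the operator (field values are constructed)."""
    name: str
    model: str                 # hardware model
    modules: tuple             # optional network modules installed
    interfaces: dict           # interface name -> "static" or "dhcp"
    version: str               # from 'show version', e.g. "7.0.1-84" (assumed format)
    manager: str               # "local" if FDM-managed, normalized from 'show managers'
    mgmt_ip: str               # management interface address ("" if unconfigured)
    ntp_servers: tuple
    registered: bool           # Smart License registered (True) or evaluation (False)
    export_controlled: bool    # export-controlled functionality on the account
    pending_changes: bool = False

def version_triple(version: str) -> tuple:
    """Return (major, minor, maintenance); any build suffix after '-' is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split(".")[:3])

def ha_compatibility_issues(a: FtdDevice, b: FtdDevice) -> list:
    """Return the requirements from the checklist that the pair fails (empty if OK)."""
    issues = []
    if a.model != b.model:
        issues.append("hardware model differs")
    if sorted(a.modules) != sorted(b.modules):
        issues.append("installed network modules differ")
    if sorted(a.interfaces) != sorted(b.interfaces):
        issues.append("interface type or count differs")
    if version_triple(a.version) != version_triple(b.version):
        issues.append("software version (major.minor.maintenance) differs")
    if a.mgmt_ip == b.mgmt_ip:
        issues.append("management IP addresses must be distinct")
    if set(a.ntp_servers) != set(b.ntp_servers):
        issues.append("NTP configuration differs")
    if a.registered != b.registered:
        issues.append("one unit registered and the other in evaluation mode")
    elif a.registered and a.export_controlled != b.export_controlled:
        issues.append("export-controlled setting differs between accounts")
    for d in (a, b):
        if d.manager != "local":
            issues.append(f"{d.name}: not in local manager mode")
        if not d.mgmt_ip:
            issues.append(f"{d.name}: management interface not configured")
        if "dhcp" in d.interfaces.values():
            issues.append(f"{d.name}: an interface uses DHCP; static IPs required")
        if d.pending_changes:
            issues.append(f"{d.name}: pending changes must be deployed first")
    return issues
```

An empty list means every requirement on this page that can be checked from the recorded fields is satisfied; a non-empty list names what to fix before creating the pair.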
