Cisco Defense Orchestrator

Break a Firepower Threat Defense High Availability Pairing

When you break HA, the configured interfaces on the standby device are automatically disabled. The devices may experience a disruption in traffic during this process. After the HA pair is successfully removed, you are redirected from the status page to the High Availability page, where you have the option to create another HA pair with the same primary device.

Note: You cannot deploy to either of the devices until the HA pair is successfully removed.

Break HA with Management Interfaces

When you break HA for a pair that is configured with management interfaces, the break may take 10 minutes or longer to complete and both devices go offline during this process. When the HA configuration is successfully removed, CDO displays both units as standalone devices in the Devices & Services page.

Break HA with Data Interfaces

When you break HA for a pair that is configured with data interfaces, the break may take 20 minutes or more to complete and both of the devices go offline. You must manually reconnect the active device after the HA configuration is removed.

The standby device, however, retains the HA configuration and becomes unreachable because it has the same configuration as the active device. You must manually reconfigure the IP interfaces outside of CDO, and then re-onboard the device as a standalone.

Break High Availability

Use the following procedure to remove the HA pairing of two FTD devices:

  1. In the navigation bar, click Devices & Services and select the active device of the FTD HA pair.
  2. In the Management pane, click High Availability.
  3. Click Break High Availability.
  4. CDO removes the HA configuration and both devices are displayed as standalone devices in the Devices & Services page. 
  5. Deploy Configuration Changes from Defense Orchestrator to FTD to deploy the new configuration to both devices.

Break Out-of-Band High Availability

If you break an FTD HA pair through the FDM console, the HA pair develops a Conflict detected status. After you break HA, you must deploy policy to the primary device through FDM and then Read Configuration Changes from FTD to Defense Orchestrator. You cannot deploy configuration from CDO until the device is synced.

We do not recommend reverting changes from CDO after breaking HA from the FDM console.

 
