


Cisco Defense Orchestrator

Break an FTD High Availability Pairing

When you break HA, the configured interfaces on the standby device are automatically disabled. The devices may experience a disruption in traffic during this process. After the HA pair is successfully removed, you are redirected from the status page to the High Availability page, where you have the option to create another HA pair with the same primary device.

Note: You cannot deploy to either of the devices until the HA pair is successfully removed.

Break HA with Management Interfaces

When you break HA for a pair that is configured with management interfaces, the break may take 10 minutes or longer to complete and both devices go offline during this process. When the HA configuration is successfully removed, CDO displays both units as standalone devices in the Devices & Services page.

Break HA with Data Interfaces

When you break HA for a pair that is configured with data interfaces, the break may take 20 minutes or more to complete and both of the devices go offline. You must manually reconnect the active device after the HA configuration is removed.

The standby device retains the HA configuration, though, and will become unreachable since it has the same configuration as the active device. You must manually reconfigure the IP interfaces outside of CDO, and then re-onboard the device as a standalone. 

Break High Availability

Use the following procedure to remove the HA pairing of two FTD devices:

  1. In the navigation bar, click Devices & Services and select the active device of the FTD HA pair.
  2. In the Management pane, click High Availability.
  3. Click Break High Availability.
  4. CDO removes the HA configuration and both devices are displayed as standalone devices in the Devices & Services page. 
  5. Deploy Configuration Changes from Defense Orchestrator to FTD to deploy the new configuration to both devices.
  6. Review and deploy the changes you made to the active device now, or wait and deploy multiple changes at once. 

Break Out-of-Band High Availability

If you break an FTD HA pair using the Firepower Device Manager (FDM) interface, the configuration status of the HA pair in CDO changes to Conflict Detected. After you break HA, you must deploy the changes to the primary device through FDM and then resolve the Conflict Detected state in CDO. 

After the device is back in the Synced state, you can deploy configuration changes made in CDO to the device. 

We do not recommend reverting changes from CDO after breaking HA using the FDM interface.

