Troubleshoot Management Connectivity on a Data Interface in a High Availability Pair

This topic helps you troubleshoot the loss of management connectivity on a data interface in High Availability.

Model Support: Threat Defense

The management connection between the active peer and the CDO can be disrupted due to the following reasons:

  • Data interface used for management on the Active unit has connectivity issues.

    You should manually fail over to the standby unit and then configure a new data interface for CDO access.

  • Internet Service Provider has changed.

    You should manually update the network details on the active unit using the CLI commands to restore device connectivity with CDO.

Data Management Interface on Active unit has Connectivity Issues

  1. In CDO, manually switch the active unit to standby. See Switch the Active Peer in the Threat Defense High Availability Pair.

    Alternatively, you can run the no failover active command on the active unit.

    The standby device becomes the new active device in the high availability pair and establishes communication with CDO.

  2. Next to the device high-availability pair you want to edit, click Edit.

  3. Choose Routing > Static Route and delete the static route defined for the old data management interface.

  4. Click the Interfaces tab, and make the following changes.

    1. Remove the IP address and name from the old data management interface, and disable CDO Access for this interface.

      Note

      Before removing the old data management interface information, remember the details if you want to use the same information.

      1. Click Edit next to the interface you want to remove.

      2. Clear the content in the Name field.

      3. Uncheck the Enabled checkbox.

      4. In the IPv4 or IPv6 tab, remove the active address.

      5. In the Firewall Management Center Access tab, uncheck Enable management on this interface for the Firepower Management Center.

      6. Click OK.

      7. Click Yes to confirm the changes.

    2. Configure the new data management interface with the settings of the old interface (the ones you used at the CLI), and enable CDO Access for it.

      1. Click Edit next to the data interface you want for handling management traffic.

      2. In the Name field, specify a name for the interface.

      3. Check the Enabled checkbox.

      4. In the IPv4 or IPv6 tab, specify the active address.

      5. In the Firewall Management Center Access tab, check Enable management on this interface for the Firepower Management Center.

      6. Click OK.

      7. Click Yes to confirm the changes.

  5. Click the High Availability tab, and make the following changes.

    1. In the Monitored Interfaces area, click Edit next to the new data management interface.

      The Active IP Address shows the active device's IP address.

    2. On the IPv4 tab, enter the Standby IP Address and Gateway address.

    3. If you configured the IPv6 address manually, on the IPv6 tab, click Edit next to the active IP address, enter the Standby IP Address, and click OK.

    4. Click OK.

  6. Click Save at the top-right corner to save the changes.

  7. Choose Routing > Static Route and add the static route defined for the new data management interface. The new data interface appears in the Interface list.

  8. Click Save at the top-right corner to save the changes.

  9. Deploy configuration changes.

  10. When the deployment is about 90 percent complete, the new management interface takes effect. At this stage, you must re-cable the FTD so that CDO reaches the FTD on the new interface and the deployment completes successfully.

    Note

    After you re-cable, the deployment may fail if it timed out before re-establishing the management connection to the new interface. In that case, you must reinitiate the deployment after re-cabling for a successful deployment.

  11. Ensure the management connection is reestablished.

    In Management Center, check the management connection status on the Devices > Device Management > Device > Management > FMC Access Details > Connection Status page.

    Alternatively, at the FTD CLI, enter the sftunnel-status-brief command to view the management connection status.

Internet Service Provider has Changed

If you have changed your ISP, you can lose management connectivity, even though High Availability health is normal. Configure the new network details of the management interface using the CLI commands.

Note

These commands are available only on the active unit and not on standby.

For information about the threat defense CLI, see the FTD command reference.

  1. Connect to the device CLI.

    You should use the console port when using these commands. If you are editing the configuration due to a disrupted management connection, and you have SSH access to the dedicated Management interface, then you can use that SSH connection.

    See Log Into the Command Line Interface on the Device.

  2. Log in with the admin username and password.

  3. Use one of the following commands depending on the network value you want to update:

    • configure network management-data-interface ipv4 manual ip_address ip_netmask interface interface_id

    • configure network management-data-interface ipv4 gateway_ip interface interface_id

    • configure network management-data-interface ipv4 manual ip_address ipv4_netmask gateway_ip interface interface_id

    Example:

    configure network management-data-interface ipv4 manual 10.10.6.7 255.255.255.0 interface gig0/0
    Configuration updated successfully..!!
    Note

    All other CLI commands of configure network management-data-interface are not supported on devices in a High Availability pair.

    The configuration is automatically pushed to the standby device.

  4. Optional: Limit data interface access to CDO on a specific network.

    configure network management-data-interface client ip_address netmask

    By default, all networks are allowed. Because the data interface is typically internet-facing, restrict management access to the network that CDO connects from rather than leaving it open to every source.

  5. Check that the management connection was reestablished.

    sftunnel-status-brief

    See the following sample output for a connection that is up, with peer channel and heartbeat information shown:

    > sftunnel-status-brief
    PEER:10.10.17.202
    Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
    Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
    Registration: Completed.
    IPv4 Connection to peer '10.10.17.202' Start Time: Wed Jun 10 14:27:12 2020 UTC
    Heartbeat Send Time: Mon Jun 15 09:02:08 2020 UTC
    Heartbeat Received Time: Mon Jun 15 09:02:16 2020 UTC

  6. In CDO, click Inventory > FTD.

  7. Select your threat defense and in the Management pane on the right, click Device Summary.

  8. In Management > FMC Access Details, click Refresh.

    The CDO detects the interface and default route configuration changes, and blocks deployment to the FTD. When you change the data interface settings locally on the device, you must reconcile those changes in CDO manually. You can view the discrepancies between CDO and the threat defense on the Configuration tab.

  9. Return to the FMC Access Details dialog box, and click Acknowledge to remove the deployment block.

    The next time you deploy, the CDO configuration will overwrite any remaining conflicting settings on the FTD. It is your responsibility to manually fix the configuration in the CDO before you re-deploy.

    You will see the expected messages "Config was cleared" and "FMC Access changed and acknowledged."

    The configuration change made on the active unit is automatically pushed to standby. Once the CDO restores its connectivity with the active unit, CDO updates the standby IP address.
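The following Python script is an added example and is not part of the Cisco page or the product. It covers the ISP-change procedure above from two sides: before step 3 it sanity-checks the arguments you plan to type for the ipv4 manual form of configure network management-data-interface (and the optional client restriction from step 4), so that a gateway outside the new subnet or a 0.0.0.0/0 client range is caught before the active unit loses its only management path; after step 5 it parses sftunnel-status-brief output and decides whether the management connection is really back. The healthy sample is the page's own output; the degraded sample, the 60-second heartbeat limit, the interface name tap_nlp and the "Registration: Pending." line are constructed assumptions, not something the page states.

```python
"""Added example (not Cisco's code): pre-check a planned management-data-interface
change, then judge 'sftunnel-status-brief' output after the change."""
import ipaddress
import re
from datetime import datetime, timezone


def check_ipv4_plan(ip, netmask, gateway):
    """Return a list of problems (empty when sound) for the
    'ipv4 manual ip_address ipv4_netmask gateway_ip' form of the command."""
    try:
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
        addr = ipaddress.IPv4Address(ip)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"malformed argument: {exc}"]
    problems = []
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}; default route would be unreachable")
    elif gw == addr:
        problems.append("gateway equals the interface address")
    return problems


def ipv4_manual_command(ip, netmask, gateway, interface_id):
    """Build the CLI line from the page, refusing an unsound plan."""
    problems = check_ipv4_plan(ip, netmask, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"configure network management-data-interface ipv4 manual "
            f"{ip} {netmask} {gateway} interface {interface_id}")


def client_command(cidr):
    """Build the optional 'client' restriction. The page says all networks are
    allowed by default, so a /0 that restricts nothing is rejected here."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # host bits must be zero
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 restricts nothing; give the range CDO connects from")
    return (f"configure network management-data-interface client "
            f"{net.network_address} {net.netmask}")


_CHANNEL = re.compile(r"Peer channel (\S+) is valid type \((\w+)\), using '([^']+)', "
                      r"connected to '([^']+)' via '([^']+)'")
_HEARTBEAT = re.compile(r"Heartbeat (Send|Received) Time: (.+?) UTC\s*$", re.M)


def _parse_utc(text):
    # Timestamps in the output look like 'Mon Jun 15 09:02:16 2020'.
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def assess_tunnel(output, max_gap_s=60):
    """Decide from sftunnel-status-brief output whether the management connection
    is up: registration completed, valid CONTROL and EVENT channels, and the last
    heartbeat answered within max_gap_s (an assumed limit, not a documented one)."""
    channels = {m.group(2): {"channel": m.group(1), "interface": m.group(3),
                             "peer": m.group(4), "local": m.group(5)}
                for m in _CHANNEL.finditer(output)}
    times = {m.group(1): _parse_utc(m.group(2)) for m in _HEARTBEAT.finditer(output)}
    problems = []
    if "Registration: Completed." not in output:
        problems.append("registration not completed")
    for kind in ("CONTROL", "EVENT"):
        if kind not in channels:
            problems.append(f"no valid {kind} channel")
    gap = None
    if "Send" in times and "Received" in times:
        gap = (times["Received"] - times["Send"]).total_seconds()
        if not 0 <= gap <= max_gap_s:
            problems.append(f"heartbeat gap {gap:.0f}s outside 0..{max_gap_s}s")
    else:
        problems.append("heartbeat timestamps missing")
    peer = re.search(r"^PEER:(\S+)", output, re.M)
    return {"peer": peer.group(1) if peer else None, "channels": channels,
            "heartbeat_gap_s": gap, "up": not problems, "problems": problems}


# Sample output copied from the page's sftunnel-status-brief example.
HEALTHY = """\
> sftunnel-status-brief
PEER:10.10.17.202
Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
Registration: Completed.
IPv4 Connection to peer '10.10.17.202' Start Time: Wed Jun 10 14:27:12 2020 UTC
Heartbeat Send Time: Mon Jun 15 09:02:08 2020 UTC
Heartbeat Received Time: Mon Jun 15 09:02:16 2020 UTC
"""

# Constructed sample (not from the page): only a control channel, registration
# still pending, and a heartbeat reply older than the last send.
DEGRADED = """\
PEER:10.10.17.202
Peer channel Channel-A is valid type (CONTROL), using 'tap_nlp', connected to '10.10.17.202' via '10.10.6.7'
Registration: Pending.
Heartbeat Send Time: Mon Jun 15 09:02:08 2020 UTC
Heartbeat Received Time: Mon Jun 15 08:50:16 2020 UTC
"""

if __name__ == "__main__":
    print(ipv4_manual_command("10.10.6.7", "255.255.255.0", "10.10.6.1", "gig0/0"))
    print(client_command("10.10.17.0/24"))
    for name, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name, assess_tunnel(sample))
```

Run it on the host you will use to reach the console or SSH session, paste the real sftunnel-status-brief output in place of the samples, and treat anything in the problems list as a reason not to click Acknowledge yet: once you remove the deployment block, the next deploy overwrites whatever still conflicts on the FTD.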