How to Break a High Availability Pair in Active-Active State

Both units in a remote deployment can end up in an active-active state when the failover interface becomes non-operational and the units stop receiving a response on their data interfaces. In this case, both units use the active IP address on their data management interface, which results in an unstable network between the units and CDO.

You can determine if the units are both in active mode by logging into the device CLI and using the “show failover state” command on both units. The device status of both units shows ‘active’, and the same active IP address is assigned to both units.
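Added example, not from the original guide: a small Python check that parses the "show failover state" output captured from both units and flags the active-active condition described above, where each unit reports its own state ("This host") as Active. The sample output is constructed here and its layout is assumed to follow the standard ASA/FTD failover display.

```python
import re

# Constructed sample output of "show failover state" from each unit. The
# layout is assumed (standard ASA/FTD failover display); it is not taken
# from the original page. In a healthy pair exactly one unit reports
# "Active" for "This host".
PRIMARY_SPLIT = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Comm Failure             09:19:09 UTC Feb 9 2020
"""
SECONDARY_SPLIT = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         Comm Failure             09:19:09 UTC Feb 9 2020
Other host -   Primary
               Failed         Comm Failure             09:19:09 UTC Feb 9 2020
"""
SECONDARY_HEALTHY = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  None
Other host -   Primary
               Active         None
"""

THIS_HOST = re.compile(r"^This host\s+-\s+(\w+)\s*$")

def this_host_state(output):
    """Return (role, state) for the unit that produced this output."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = THIS_HOST.match(line)
        if m and i + 1 < len(lines):
            # The state is the first column of the following line; columns
            # are separated by two or more spaces ("Standby Ready" has one).
            state = re.split(r"\s{2,}", lines[i + 1].strip())[0]
            return m.group(1), state
    raise ValueError("no 'This host' entry found in failover output")

def assess_pair(outputs):
    """outputs: mapping of unit label -> its 'show failover state' text.
    Flags the active-active (split-brain) case: every unit claims Active."""
    states = {label: this_host_state(text) for label, text in outputs.items()}
    active = [label for label, (_, st) in states.items() if st == "Active"]
    return {
        "states": states,
        "active_units": active,
        "split_brain": len(outputs) > 1 and len(active) == len(outputs),
    }

if __name__ == "__main__":
    print(assess_pair({"unit1": PRIMARY_SPLIT, "unit2": SECONDARY_SPLIT}))
```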

Note

You can first try to repair the failover interface to restore communication between the two peers, and then perform the Force Break operation.

If you cannot repair the connectivity issues of the failover interface, then perform the following steps:

Procedure


Step 1

Identify which of the two units you want to remove from the network.

Step 2

Connect to the CLI of the identified device, either from the console port or using SSH.

Step 3

Log in with the Admin username and password.

Step 4

Enter the pmtool disablebyid sftunnel command.

Note

Only use pmtool commands under the direction of the Cisco Technical Assistance Center.

Step 5

Disconnect all the interfaces from the device you want to remove from the network.

Step 6

Enter the configure network management-data-interface ipv4 manual ip_address ipv4_netmask gateway_ip_address interface interface_id command.

In ip_address, specify the IP address of the standby device.

Example:


configure network management-data-interface ipv4 manual 10.10.6.7 255.255.255.0 interface gig0/0
Configuration updated successfully..!!

Step 7

Enter configure high-availability suspend to suspend HA.


configure high-availability suspend
Please ensure that no deployment operation is in progress before suspending
high-availability.
Please enter 'YES' to continue if there is no deployment operation in
progress and 'NO' if you wish to abort: YES
Successfully suspended high-availability.

Step 8

In the CDO navigation bar, click Inventory.

Step 9

Click the Devices tab to locate your device.

Step 10

Click the FTD tab and select the primary device.

Step 11

In the Management pane on the left, click High Availability.

Step 12

Choose Device > Device Management.

Step 13

Next to the high availability pair that you want to separate, click Force Break.

A message is displayed that the high-availability pair is separated successfully.

Step 14

Connect all the interfaces to the device.

Step 15

At the FTD CLI, enter pmtool enablebyid sftunnel.

The threat defense device re-establishes its connection with CDO after a short time.

Note

It may take up to 5 minutes for the device to establish communication with CDO.

Step 16

Enter the sftunnel-status-brief command to view the management connection status.


sftunnel-status-brief
PEER:10.10.17.202
Registration: Completed.
Connection to peer '10.10.17.202' Attempted at Wed Feb 9 09:21:57 2020 UTC
Last disconnect time : Wed Feb 9 09:19:09 2020 UTC

Step 17

Choose Deploy > Deployment to deploy the changes.

Before CDO deploys the changes, it detects the configuration differences and stops the deployment: CDO detects the IP address change that was made to the device outside of Cisco Defense Orchestrator.

Step 18

Synchronize interface changes with CDO. See Sync Interface Changes with the Management Center.

Step 19

You can now deploy the pending changes to the device. See Deploy configuration changes.


The device now becomes a standalone device with its new IP address, the one that belonged to the standby device.

What to do next

(Optional) Deploy any pending changes to the other device, which keeps the IP address of the active device.