About Firepower Management Center High Availability
To ensure the continuity of operations, the high availability feature allows you to designate redundant Firepower Management Centers to manage devices. Firepower Management Centers support Active/Standby high availability where one appliance is the active unit and manages devices. The standby unit does not actively manage devices. The active unit writes configuration data into a data store and replicates data for both units, using synchronization where necessary to share some information with the standby unit.
Active/Standby high availability lets you configure a secondary Firepower Management Center to take over the functionality of a primary Firepower Management Center if the primary fails. When the primary Firepower Management Center fails, you must promote the secondary Firepower Management Center to become the active unit.
Event data streams from managed devices to both Firepower Management Centers in the high availability pair. If one Firepower Management Center fails, you can monitor your network without interruption using the other Firepower Management Center.
Note that Firepower Management Centers configured as a high availability pair do not need to be on the same trusted management network, nor do they have to be in the same geographic location.
Caution |
Because the system restricts some functionality to the active Firepower Management Center, if that appliance fails, you must promote the standby Firepower Management Center to active. |
About Remote Access VPN High Availability
If the primary device has Remote Access VPN configuration with an identity certificate enrolled using a CertEnrollment object, the secondary device must have an identity certificate enrolled using the same CertEnrollment object. The CertEnrollment object can have different values for the primary and secondary devices due to device-specific overriddes. The limitation is only to have the same CertEnrollment object enrolled on the two devices before the high availability formation.
SNMP Behavior in Firepower Management Center High Availability
In an SNMP-configured HA pair, when you deploy an alert policy, the primary Firepower Management Center sends the SNMP traps. When the primary Firepower Management Center fails, the secondary Firepower Management Center, which becomes the active unit, sends the SNMP traps without the need for any additional configuration.
Roles v. Status in Firepower Management Center High Availability
Primary/Secondary Roles
When setting up Firepower Management Centers in a high availability pair, you configure one Firepower Management Center to be primary and the other as secondary. During configuration, the primary unit's policies are synchronized to the secondary unit. After this synchronization, the primary Firepower Management Center becomes the active peer, while the secondary Firepower Management Center becomes the standby peer, and the two units act as a single appliance for managed device and policy configuration.
Active/Standby Status
The main differences between the two Firepower Management Centers in a high availability pair are related to which peer is active and which peer is standby. The active Firepower Management Center remains fully functional, where you can manage devices and policies. On the standby Firepower Management Center, functionality is hidden; you cannot make any configuration changes.
Event Processing on Firepower Management Center High Availability Pairs
Since both Firepower Management Centers in a high availability pair receive events from managed devices, the management IP addresses for the appliances are not shared. This means that you do not need to intervene to ensure continuous processing of events if a Firepower Management Center fails.
AMP Cloud Connections and Malware Information
Although they share file policies and related configurations, Firepower Management Centers in a high availability pair share neither Cisco AMP cloud connections nor malware dispositions. To ensure continuity of operations, and to ensure that detected files’ malware dispositions are the same on both Firepower Management Centers, both primary and secondary Firepower Management Centers must have access to the AMP cloud.
URL Filtering and Security Intelligence
URL filtering and Security Intelligence configurations and information are synchronized between Firepower Management Centers in a high availability deployment. However, only the primary Firepower Management Center downloads URL category and reputation data for updates to Security Intelligence feeds.
If the primary Firepower Management Center fails, not only must you make sure that the secondary Firepower Management Center can access the internet to update threat intelligence data, but you must also use the web interface on the secondary Firepower Management Center to promote it to active.
User Data Processing During Firepower Management Center Failover
If the primary Firepower Management Center fails, the Secondary Firepower Management Center propagates to managed devices user-to-IP mappings from the TS Agent identity source; and propagates SGT mappings from the ISE/ISE-PIC identity source. Users not yet seen by identity sources are identified as Unknown.
After the downtime, the Unknown users are re identified and processed according to the rules in your identity policy.
Configuration Management on Firepower Management Center High Availability Pairs
In a high availability deployment, only the active Firepower Management Center can manage devices and apply policies. Both Firepower Management Centers remain in a state of continuous synchronization.
If the active Firepower Management Center fails, the high availability pair enters a degraded state until you manually promote the standby appliance to the active state. Once the promotion is complete, the appliances leave maintenance mode.
Threat Intelligence Director and High Availability Configurations
If you host TID on the active Firepower Management Center in a high availability configuration, the system does not synchronize TID configurations and TID data to the standby Firepower Management Center. We recommend performing regular backups of TID data on your active Firepower Management Center so that you can restore the data after failover.
For details, see About Backing Up and Restoring TID Data.
Single Sign-On and High Availability Pairs
FMCs in a high availability configuration can support Single Sign-On, but you must keep the following considerations in mind:
-
SSO configuration is not synchronized between the members of the high availability pair; you must configure SSO separately on each member of the pair.
-
Both FMCs in a high availability pari must use the same identity provider (IdP) for SSO. You must configure a service provider application at the IdP for each FMC configured for SSO.
-
In a high availabilty pair of FMCs where both are configured to support SSO, before a user can use SSO to access the secondary FMC for the first time, that user must first use SSO to log into the primary FMC at least once.
-
When configuring SSO for FMCs in a high availability pair:
-
If you configure SSO on the primary FMC, you are not required to configure SSO on the secondary FMC.
-
If you configure SSO on the secondary FMC, you are required to configure SSO on the primary FMC as well. (This is because SSO users must log in to the primary FMC at least once before logging into the secondary FMC.)
-
Firepower Management Center High Availability Behavior During a Backup
When you perform a Backup on a Firepower Management Center high availability pair, the Backup operation pauses synchronization between the peers. During this operation, you may continue using the active Firepower Management Center, but not the standby peer.
After Backup is completed, synchronization resumes, which briefly disables processes on the active peer. During this pause, the High Availability page briefly displays a holding page until all processes resume.
Firepower Management Center High Availability Split-Brain
If the active Firepower Management Center in a high-availability pair goes down (due to power issues, network/connectivity issues), you can promote the standby Firepower Management Center to an active state. When the original active peer comes up, both peers can assume they are active. This state is defined as 'split-brain'. When this situation occurs, the system prompts you to choose an active appliance, which demotes the other appliance to standby.
If the active Firepower Management Center goes down (or disconnects due to a network failure), you may either break high availability or switch roles. The standby Firepower Management Center enters a degraded state.
Note |
Whichever appliance you use as the secondary loses all of its device registrations and policy configurations when you resolve split-brain. For example, you would lose modifications to any policies that existed on the secondary but not on the primary. If the Firepower Management Center is in a high availability split-brain scenario where both appliances are active, and you register managed devices and deploy policies before you resolve split-brain, you must export any policies and unregister any managed devices from the intended standby Firepower Management Center before re-establishing high availability. You may then register the managed devices and import the policies to the intended active Firepower Management Center. |
Upgrading Firepower Management Centers in a High Availability Pair
Cisco electronically distributes several different types of updates periodically. These include major and minor upgrades to the system software. You may need to install these updates on Firepower Management Centers in a high availability setup.
Warning |
Make sure that there is at least one operational Firepower Management Center during an upgrade. |
Before you begin
Read the release notes or advisory text that accompanies the upgrade. The release notes provide important information, including supported platforms, compatibility, prerequisites, warnings, and specific installation and uninstallation instructions.
Procedure
Step 1 |
Access the web interface of the active Firepower Management Center and pause data synchronization; see Pausing Communication Between Paired Firepower Management Centers. |
Step 2 |
Upgrade the standby Firepower Management Center; see the upgrade guide. |
Step 3 |
Upgrade the other Firepower Management Center. |
Step 4 |
Decide which Firepower Management Center you want to use as the standby. Any additional devices or policies added to the standby after pausing synchronization are not synced to the active Firepower Management Center. Unregister only those additional devices and export any configurations you want to preserve. When you choose a new active Firepower Management Center, the Firepower Management Center you designate as secondary will lose device registrations and deployed policy configurations, which are not synced. |
Step 5 |
Resolve split-brain by choosing the new active Firepower Management Center which has all the latest required configurations for policies and devices. |
Troubleshooting Firepower Management Center High Availability
This section lists troubleshooting information for some common Firepower Management Center high availability operation errors.
Error |
Description |
Solution |
||
---|---|---|---|---|
You must reset your password on the active Firepower Management Center before you can log into the standby |
You attempted to log into the standby FMC when a force password reset is enabled for your account. |
As the database is read-only for a standby FMC, reset the password on the login page of the active FMC. |
||
500 Internal |
May appear when attempting to access the web interface while performing critical Firepower Management Center high availability operations, including switching peer roles or pausing and resuming synchronization. |
Wait until the operation completes before using the web interface. |
||
System processes are starting, please wait Also, the web interface does not respond. |
May appear when the Firepower Management Center reboots (manually or while recovering from a power down) during a high availability or data synchronization operation. |
|