Replace Secure Firewall Management Center in HA Pair
Available Languages
Introduction
This document describes how to replace a faulty Secure Firewall Management Center in a High Availability (HA) pair.
Prerequisites
Requirements
Cisco recommends you know this topic:
- Cisco Secure Firewall Management Center (FMC)
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Secure Firewall Management Center (FMC) running version 7.2.5 (1) in HA mode
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Solution 1
Process for Replacing a Faulty Unit with Backup
Step 1: Assign the operational unit as active. For further details, refer to Switching Peers in the Management Center High Availability Pair.
Step 2: Reimage the new unit to match the software version of the active unit. Refer to Reimage a Hardware Model of a Cisco Secure Firewall Management Center for more information.
Step 3: Restore the data backup from the failed unit to the new management center. Navigate to System > Backup/Restore, upload the backup file, and restore it to the new unit.
Step 4: If necessary, update the same version of geolocation database (GeoDB) updates, vulnerability database (VDB) updates, and system software updates as the active unit to ensure consistency.
Step 5: Once updates are complete, both units can display an active status, which can lead to an HA split-brain condition.
Step 6: Proceed to manually set the unit that has been continuously operational as active. This enables it to sync the latest configuration to the replacement unit.
Step 7: Upon successful synchronization, which can take some time, navigate to the web interface of the active unit. Then alter roles, positioning the new unit as the active appliance.
Solution 2
Process for Replacing a Faulty Unit Without Backup
Step 1: Assign the operational unit as active. For further details, refer to Switching Peers in the Management Center High Availability Pair.
Step 2: Reimage the new unit to match the software version of the active unit. REfer to Reimage a Hardware Model of a Cisco Secure Firewall Management Center for more information.
Step 3: If necessary, update the same version of geolocation database (GeoDB) updates, vulnerability database (VDB) updates, and system software updates as the active unit to ensure consistency.
Step 4: Use the web interface of the active management center to break HA. When prompted, select the option to Manage registered devices from this console.
Step 5: Reconfigure the management center HA by configuring the operational management center as the primary and the replacement unit as the secondary. For detailed instructions, see Establishing Management Center High Availability.
Note: When HA is re-established, the latest configuration from the primary management center synchronizes with the secondary management center. Both Classic and Smart Licenses are designed to integrate smoothly.
Verification
Use this section in order to confirm that your configuration works properly.
Once the synchronization is completed, the expected output is Status Healthy and Synchronization OK.
Because this process can take sometime, the Primary and Secondary units are still synchronizing. During this period, make sure to check that your devices are correctly listed on both the Primary and Secondary units.
Additionally, verification via the CLI can be performed. This is achieved by connecting to the CLI, switching to expert mode, elevating privileges, and running these scripts:
fmc1:/Volume/home/admin# troubleshoot_HADC.pl
**************** Troubleshooting Utility ************** 1 Show HA Info Of FMC 2 Execute Sybase DBPing 3 Show Arbiter Status 4 Check Peer Connectivity 5 Print Messages of AQ Task 6 Show FMC HA Operations History (ASC order) 7 Dump To File: FMC HA Operations History (ASC order) 8 Last Successful Periodic Sync Time (When it completed) 9 Print HA Status Messages 10 Compare active and standby device list 11 Check manager status of standby missing devices 12 Check critical PM processes details 13 Help 0 Exit **************************************************************
fmc1:/Volume/home/admin# troubleshoot_HADC.pl **************** Troubleshooting Utility ************** 1 Show HA Info Of FMC
2 Execute Sybase DBPing
3 Show Arbiter Status
4 Check Peer Connectivity
5 Print Messages of AQ Task
6 Show FMC HA Operations History (ASC order)
7 Dump To File: FMC HA Operations History (ASC order)
8 Help
0 Exit **************************************************************
For more detailed information, please see Verify Firepower Mode, Instance, High Availability, and Scalability Configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
29-Apr-2024 |
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)