Configure Cluster Serviceability Improvements in Firewall Management Center 7.4
Available Languages
Contents
Introduction
This document describes how you can use serviceability improvements in FMC 7.4
What’s New
- Cluster Control Link (CCL) link diagnostics and assistance with ensuring settings are correct.
- Cluster Lina CLIs can now be seen in Firewall Management Center (FMC).
- Troubleshoot Generation
- Can now be generated all at once for all devices in a cluster.
- Troubleshoot generation is automatic if a node fails to join a cluster.
- Troubleshoot generation and navigation from the Devices > Cluster/Device tab.
Prerequisites, Supported Platforms, Licensing
Minimum Software & Hardware Platforms
|
Application and Minimum Version |
Managed Devices |
Min Supported Managed Device Version Required |
Notes |
|
Secure Firewall 7.4 |
All which support clustering on FTD Only "Generation of Troubleshoots" enhancement requires FTD version to be 7.4 and higher |
• FMC On-Prem + FMC REST API • cloud-delivered FMC |
This is an FMC feature, so configuration can be applied to any device that FMC 7.4 can manage. |
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Firewall Management Center (FMC) running 7.4
- Cisco Firepower Threat Defense (FTD) running 7.4 or higher.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
CCL Link Diagnostics
Cluster Control Link Interface MTU Warning in the Cluster Summary Page
Problem
- Clustering requires a higher MTU for the cluster control link than data interfaces.
- You often do not set the MTU to a high enough value, which causes reliability issues.
- Recommendation is CCL MTU must be 100 or 154 bytes more than the maximum data interface MTU, based on the platform, to sync the cluster state across the nodes.
CCL MTU = (Maximum Data Interface MTU) + 100 |154
For example, for an FTDv device, if 1700 bytes is the maximum data interface MTU, then the value of CCL interface MTU would be set as 1854:
1854 = 1700 + 154
MTU Size Recommendations Per Platform
|
Platform |
Sample maximum Data Interface MTU |
Add |
Total Recommended Setting for MTU for CCL Link |
|
Sec FW 3100 Series |
1700 |
100 |
1800 |
|
FTDv |
1700 |
154 |
1854 |
Solution
- When a cluster is created, the MTU value for the CCL link is automatically set to the recommended value on the interface.
Make the switch side configuration to match this value. - Sample warning message:
Clustering requires a higher MTU for the cluster control link. The maximum current data interface MTU is 1500 bytes; the recommended cluster control link MTU is 1654 bytes or higher. Before proceeding, make sure connected switches match the MTUs for data interfaces and the cluster control link, otherwise the cluster formation would fail. - If the switch side configuration for CCL interface does not match this value, the device fails to join the cluster.
CCL Ping Test in Cluster Live Status
Check CCL Connectivity
- Need for user provision to verify the CCL connectivity with CCL MTU packet size
Solution
Added CCL MTU Sizes for Public Cloud
AWS and Azure Cluster MTU Values
There are new recommended CCL and data interface MTU values for 7.4 public cloud FTDv clusters.
|
Recommended CCL MTU in 7.3 |
Recommended CCL MTU in 7.4 |
Recommended Data interface MTU in 7.3 |
Recommended Data interface MTU in 7.4 |
|
|
Azure NLB cluster |
1554 |
1454 |
1400 |
1300 |
|
Azure GWLB cluster |
1554 |
1454 |
1454 |
1374 |
|
AWS GWLB cluster |
1960 |
1980 |
1806 |
1826 |
FMC updates the CCL and data interface MTU to recommended values after upgrade of a cluster to 7.4 version.
CLIs Available in FMC
Device Lina CLI Prompt Available in Device/Cluster Tab
Run Cluster Lina CLIs from FMC
- It is now possible to execute cluster LINA troubleshoot CLIs from FMC.
Commonly Used CLIs Shown by Default
Predefined Cluster CLIs
- The CLIs which are run by default are:
show running-config cluster
show cluster info
show cluster info health
show cluster info transport cp
show version
show asp drop
show counters
show arp
show int ip brief
show blocks
show cpu detailed
show interface <ccl_interface>
ping <ccl_ip> size <ccl_mtu> repeat 2
Manual Entry of Commands Available
Generation of Troubleshoots
Automatic Troubleshoot Generation on Node Join Failure
- When a node fails to join the cluster, a device Troubleshoot is automatically generated.
- A notification is shown in Task Manager.
Troubleshoot Trigger and Download Button Available in Device and Cluster Tabs
Easier Generation of Cluster Troubleshoots
Cluster Troubleshoot Generation
Node (Device) Troubleshoot Generation
Notification of Cluster Troubleshoot Generation Complete
The Task manager shows the progress of the troubleshoot generation for each node in the cluster. Wait for that before clicking Download.
Q & A
Q: In Azure it reduced but increased in AWS for MTU?
A: For the new MTU values in public clouds, in Azure the recommended MTU is reduced, but it is increased in AWS.
Q: During Upgrade if MTU is changed automatically - is there a Syslog entry?
A: No, there is no Syslog entry made at this time. We can relook at it if this is needed.
Q: Where is the MTU value of each node shown?
A: Show the MTU value as a column on the device management > interfaces page, on the cluster tab.
Q: Is this failure showing because Switch is not set, or the other node is not set?
A: No, it is a warning message as precaution which is displayed all the time to user.
Q: Which command - show cluster - shows the MTU size?
A: CCL ping is in the default and shows in the CLI defaults.
Q: In case of AWS, can we document the steps on how to increase the MTU on switch?
A: For tech pubs to check.
Q: For HW - you only listed 3100 series -what about 4K/9K/2K/1K?
A: Clustering on 9300, 4100, 3100 and virtual only. 3100 can be done from FMC, but 4100 and 9300 clusters are done in the chassis manager, not FMC.
Q: Do you have to deploy from the FMC for the changes to take effect, post-device upgrade?
A: Yes, need to deploy after upgrade. You must use the recommended MTU values.
Q: Are we providing any warning message to user that MTU is changed, as if FTD is middle of path where GRE tunnel build, would user see the tunnel flapping or went down?
A: It is in the documentation. Can work on warning message. Nodes wiould adjust to control node. Switch would have to be adjusted to the new values. Value is changed after control node is upgraded. MTU value is sent by control.
Q: Are we going to reboot the FTD device if post upgrade we are changing the MTU?
A: No explicit reboot is triggered on FTD on upgrade when MTU values are changed.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
|
2.0
|
17-Jul-2024
|
Added Alt Text. Updated Formatting.
|
|
1.0
|
17-Jul-2024
|
Initial Release
|
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
22-Jul-2024 |
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)