How to Break a High Availability Pair when Active or Standby Unit has Lost Connectivity

Problem: One of the peers has lost connectivity with Management Center, and the failover link has become non-operational.

Scenario:

| Primary Device State | Secondary Device State | Primary Device Connectivity with Security Cloud Control? | Secondary Device Connectivity with Security Cloud Control? | Failover Link Operational? (Connectivity between Primary and Secondary devices) |
| --- | --- | --- | --- | --- |
| Active | Standby | Yes | No | No |
| Standby | Active | No | Yes | No |

Solution:

First, you can try rectifying the failover interface to restore the communication between the two peers and then perform the break or force break operation to separate the units.

If you cannot repair the connectivity issues of the failover interface, then you must complete additional steps using the device CLI after performing a high availability break operation.

Procedure
Step 1

In the Security Cloud Control navigation bar, click Inventory.

Step 2

Click the Devices tab to locate your device.

Step 3

Click the FTD tab and select the primary device.

Step 4

In the Management pane on the left, click High Availability.

Step 5

Choose Devices > Device Management.

Step 6

Next to the high-availability pair you want to break, click Break HA.

Step 7

Optionally, check the Force Break check box, because one of the peers does not respond.

Step 8

Click Yes.

Step 9

Delete the standby device from Security Cloud Control.

  1. Choose Devices > Device Management.

  2. Next to the device you want to delete, click Delete.

Step 10

Connect to the standby device’s CLI, either from the console port or using SSH.

Step 11

Log in with the Admin username and password.

Step 12

Enter configure manager delete to delete the manager.

This command removes Security Cloud Control as the device's current manager.

Step 13

Enter configure high-availability disable to remove the failover configuration and disable the data management interface on the device.

Step 14

Enter configure network management-data-interface.

Example:

configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]: internet
IP address (manual / dhcp) [dhcp]: manual
IPv4/IPv6 address: 10.10.6.7
Netmask/IPv6 Prefix: 255.255.255.0
Default Gateway: 10.10.6.1
Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
DDNS server update URL [none]:
Do you wish to clear all the device configuration before applying ? (y/n) [n]:

Configuration done with option to allow FMC access from any network, if you wish to change the FMC access network
use the 'client' option in the command 'configure network management-data-interface'.

Setting IPv4 network configuration.
Network settings changed.

The new network settings are assigned to the data interface.

What to do next

You can onboard the device as a standalone device to Security Cloud Control if required.