Backup Device specific configuration for Firepower Threat Defense

MarcusFLey
Level 1

Hello everyone,

I recently had the opportunity to use Firepower 4110 appliances for backup and restoration tests.

Now, I need someone to back me up on my findings or correct me where I went wrong.

As far as I am concerned, you can create two backup files: one for the FXOS and one for the FMC.

 

If an appliance fails and a new one is delivered due to an RMA, I see the following tasks:

- Bootstrap FXOS

- Update FXOS if necessary

- Upload last used FTD image file

- Import last FXOS configuration

FXOS will then go ahead and deploy the FTD device including the Manager Registration.

The device had been registered with FMC beforehand and still exists, but is now marked as Failed/Disabled since all Health Checks fail.

Once the new FTD Logical Device is completely deployed, it is unable to contact the FMC. I had a packet capture running and actually saw communication on TCP/8305 between the appliance and the FMC. Encrypted data was exchanged, but the FMC still claimed that there was no communication from the device.

In order to push them towards each other, I tried to reapply the Health Policy, ran the checks again and reconfigured the Manager in FTD by hand. Nothing worked.

So, hesitantly, I deleted the existing device from FMC and registered it. This worked fine, but(!) all device-specific configuration was lost. This includes (but is not limited to):

- Interface configuration

- Routing configuration

- Inline Sets

I often read that there is no need to do a device backup because all information is stored in FMC, but the above content is definitely lost if an appliance is deleted from FMC. But without deletion, there is no registration.

FMC does not allow registering a device with the same IP address as an existing device.

I tested this with FTD 6.1 and 6.2, FMC patched up to 6.2.2.2.

Did you guys have the same issues? How do you make sure that you can restore a failed device without having to configure IP addresses and routing by hand?

All the best,

Marcus

Accepted Solution

Marvin Rhoads
Hall of Fame

The shortcoming you point out is one that I don't know any way around either. FTD devices have several operational capability shortcomings and this is one of them.

As you noted, FMC doesn't allow you to snapshot an FTD device setup including the routing, inline sets etc. for restoration to a replacement unit. The only alternative you have for now is to redo them by hand.

We can only keep pressing Cisco to accommodate this functionality in a sustainable way in a future release. After all, traditional Firepower devices have had it for some time with the "Managed Device Backup" feature (under System > Tools in FMC).
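Since the device-specific objects (interface addressing, static routes, inline sets) are the part that vanishes when the device record is deleted, one practical mitigation is to pull exactly those objects out of FMC through its REST API before the delete, keep the JSON, and turn it into a checklist for the manual re-entry Marvin describes. The script below is an added example written for this thread; it is not code from the original post or from Cisco. It assumes the REST API is enabled on the FMC, that the endpoint paths and JSON field names used here match the FMC version in use (the routing and inline-set endpoints are newer than the 6.2.2 release tested above, so confirm them in the FMC API Explorer first), and it uses a constructed FakeFmc stand-in with sample data so it runs offline; fmc_session() is the path for a real FMC.

```python
# Added example, not from the thread or from Cisco: export the device-specific
# objects FMC drops when an FTD is deleted (interface addressing, static routes,
# inline sets) over the FMC REST API, so a replacement is re-entered from a record.
# Assumptions: REST API enabled; endpoint paths and JSON field names match the FMC
# version in use (routing/inline-set endpoints postdate 6.2.2; check API Explorer).
# FakeFmc is a constructed offline stand-in; fmc_session() talks to a real FMC.
import base64
import json
import ssl
import urllib.request

DEVICE_CHILD_PATHS = {"interfaces": "physicalinterfaces",  # snapshot key -> path under device
                      "static_routes": "routing/ipv4staticroutes", "inline_sets": "inlinesets"}

def fmc_session(host, user, password, cafile=None):
    """Log in (POST generatetoken) and return (fetch, domain_uuid); fetch(path) GETs JSON."""
    ctx = ssl.create_default_context(cafile=cafile)  # always verify the FMC certificate
    login = urllib.request.Request(
        f"https://{host}/api/fmc_platform/v1/auth/generatetoken", method="POST")
    login.add_header("Authorization",
                     "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(login, context=ctx) as resp:
        token, domain = resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]

    def fetch(path):
        req = urllib.request.Request(f"https://{host}{path}",
                                     headers={"X-auth-access-token": token})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return fetch, domain

def fetch_all(fetch, path, page_size=25):
    """Walk FMC's offset/limit paging and return every item in expanded form."""
    items, offset = [], 0
    while True:
        page = fetch(f"{path}?expanded=true&offset={offset}&limit={page_size}")
        items.extend(page.get("items", []))
        offset += page_size
        if offset >= page.get("paging", {}).get("count", 0):
            return items

def snapshot_device(fetch, domain_uuid, device_name, page_size=25):
    """Collect the device record plus its per-device children into one dict."""
    base = f"/api/fmc_config/v1/domain/{domain_uuid}/devices/devicerecords"
    found = [d for d in fetch_all(fetch, base, page_size) if d.get("name") == device_name]
    if len(found) != 1:
        raise LookupError(f"expected one device named {device_name!r}, found {len(found)}")
    dev = found[0]
    snap = {"device": {k: dev.get(k) for k in ("name", "id", "hostName", "type")}}
    for key, child in DEVICE_CHILD_PATHS.items():
        snap[key] = fetch_all(fetch, f"{base}/{dev['id']}/{child}", page_size)
    return snap

def restore_checklist(snap):
    """Flatten the snapshot into the lines someone re-entering it by hand needs."""
    lines = []
    for ifc in snap["interfaces"]:
        st = ifc.get("ipv4", {}).get("static", {})
        if st.get("address"):  # unconfigured ports carry no ipv4 block
            lines.append(f"interface {ifc['name']} ({ifc.get('ifname', '-')}): "
                         f"{st['address']}/{st['netmask']}")
    for rt in snap["static_routes"]:
        nets = ",".join(n["name"] for n in rt.get("selectedNetworks", []))
        gw = rt.get("gateway", {})  # gateway is either an object reference or a literal
        gw_txt = gw.get("object", {}).get("name") or gw.get("literal", {}).get("value", "?")
        lines.append(f"route {rt['interfaceName']} {nets} via {gw_txt}")
    for iset in snap["inline_sets"]:
        pairs = ";".join(f"{p['inbound']['name']}<->{p['outbound']['name']}"
                         for p in iset.get("interfaces", []))
        lines.append(f"inline-set {iset['name']}: {pairs}")
    return lines

class FakeFmc:
    """Constructed offline stand-in with the same items/paging shape as a real FMC."""
    DOMAIN = "00000000-0000-0000-0000-000000000001"  # sample domain UUID

    def __init__(self):
        base = f"/api/fmc_config/v1/domain/{self.DOMAIN}/devices/devicerecords"
        dev = f"{base}/dev-0001"
        self.tables = {
            base: [{"name": "ftd-a", "id": "dev-0001", "hostName": "192.0.2.10", "type": "Device"}],
            f"{dev}/physicalinterfaces": [
                {"name": "Ethernet1/1", "ifname": "outside",
                 "ipv4": {"static": {"address": "203.0.113.2", "netmask": "24"}}},
                {"name": "Ethernet1/2", "ifname": "inside",
                 "ipv4": {"static": {"address": "10.0.0.1", "netmask": "24"}}},
                {"name": "Ethernet1/3"}],
            f"{dev}/routing/ipv4staticroutes": [
                {"interfaceName": "outside", "selectedNetworks": [{"name": "any-ipv4"}],
                 "gateway": {"literal": {"type": "Host", "value": "203.0.113.1"}}}],
            f"{dev}/inlinesets": [
                {"name": "ips-pair-1", "interfaces": [
                    {"inbound": {"name": "Ethernet1/5"}, "outbound": {"name": "Ethernet1/6"}}]}],
        }

    def __call__(self, path):
        base, _, query = path.partition("?")
        params = dict(kv.split("=", 1) for kv in query.split("&")) if query else {}
        offset, limit = int(params.get("offset", 0)), int(params.get("limit", 25))
        rows = self.tables[base]
        return {"items": rows[offset:offset + limit],
                "paging": {"offset": offset, "limit": limit, "count": len(rows)}}

if __name__ == "__main__":
    # Offline demo against the constructed FMC; page_size=2 exercises the paging loop.
    snap = snapshot_device(FakeFmc(), FakeFmc.DOMAIN, "ftd-a", page_size=2)
    print(json.dumps(snap, indent=2))
    print("\n".join(restore_checklist(snap)))
```

Take the snapshot before the device is deleted from FMC, since the delete is the step that discards these objects; the JSON describes your addressing and inline topology, so store it with the same care as the FXOS and FMC backups. This does not remove the manual re-entry Marvin describes, it only replaces re-entry from memory with re-entry from a record, and the REST API user needs no more than read access for it.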

2 Replies


Hi Marvin,

Thank you very much for your opinion on this matter. I highly appreciate it.

I think everyone appreciates your constant input on Firepower topics. I am going to mark this as solved.

Best regards,

Marcus
