Symptom
In high availability configuration, FTD monitored interfaces on the active unit might have a Normal (Waiting) state while the standby unit has a Normal (Monitored) state.
firepower# show monitor-interface
This host: Primary - Active
Interface OCHA-INSIDE (192.0.2.1): Normal (Waiting)
Interface OCHA-OUTSIDE (192.0.2.1): Normal (Waiting)
Interface diagnostic (0.0.0.0): Normal (Waiting)
Other host: Secondary - Standby Ready
Interface OCHA-INSIDE (192.0.2.2): Normal (Monitored)
Interface OCHA-OUTSIDE (192.0.2.2): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
ASP drop captures on the active unit show the host-move-pkt drop reason:
35: 10:57:39.465567 802.1Q vlan#1234 P0 192.0.2.2 > 192.0.2.1 ip-proto-105, length 44 Drop-reason: (host-move-pkt) FP host move packet, Drop-location: frame 0x00005651a20fc100 flow (NA)/NA
36: 10:57:39.465597 802.1Q vlan#1235 P0 192.0.2.2 > 192.0.2.1 ip-proto-105, length 44 Drop-reason: (host-move-pkt) FP host move packet, Drop-location: frame 0x00005651a20fc100 flow (NA)/NA
Conditions
The symptoms were observed with all of the following conditions in place:
- FTD application running in container mode (multi-instance deployment).
- Transparent firewall mode.
- Monitored port-channel subinterfaces in bridge groups.
Workaround
Configure static Active and Standby MAC addresses under the interface affected, such as:
interface
mac-address XXXX.XXXX.XXXX standby YYYY.YYYY.YYYY
Replace "XXXX.XXXX.XXXX" and "YYYY.YYYY.YYYY" with L2 (MAC) addresses that are available for use.
Further Problem Description
The Normal (Waiting) state means that the interface is up but has not yet received a hello packet from the corresponding interface on the peer unit.
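As an added example (not part of this Cisco page or its products), a small Python check that parses "show monitor-interface" output and ASP drop capture lines to flag the one-sided Normal (Waiting) state described above and to count host-move-pkt drops; the sample output is constructed from the lines shown earlier on this page.

```python
import re

# Constructed "show monitor-interface" output modelled on the symptom above
# (active unit Waiting while the standby is Monitored); not real device output.
SHOW_MONITOR_INTERFACE = """\
This host: Primary - Active
Interface OCHA-INSIDE (192.0.2.1): Normal (Waiting)
Interface OCHA-OUTSIDE (192.0.2.1): Normal (Waiting)
Interface diagnostic (0.0.0.0): Normal (Waiting)
Other host: Secondary - Standby Ready
Interface OCHA-INSIDE (192.0.2.2): Normal (Monitored)
Interface OCHA-OUTSIDE (192.0.2.2): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
"""

# Constructed ASP drop capture lines in the format shown above.
ASP_CAPTURE = """\
35: 10:57:39.465567 802.1Q vlan#1234 P0 192.0.2.2 > 192.0.2.1 ip-proto-105, length 44 Drop-reason: (host-move-pkt) FP host move packet, Drop-location: frame 0x00005651a20fc100 flow (NA)/NA
36: 10:57:39.465597 802.1Q vlan#1235 P0 192.0.2.2 > 192.0.2.1 ip-proto-105, length 44 Drop-reason: (host-move-pkt) FP host move packet, Drop-location: frame 0x00005651a20fc100 flow (NA)/NA
"""

IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\w+) \((\w+)\)")
HOST_MOVE_RE = re.compile(r"Drop-reason: \(host-move-pkt\)")

def parse_monitor_interface(text):
    """Return {"this"|"other": {iface: (state, substate)}}."""
    result, host = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("This host:") or line.startswith("Other host:"):
            host = line.split()[0].lower()   # "this" or "other"
            continue
        m = IFACE_RE.match(line)
        if m and host:
            name, _ip, state, substate = m.groups()
            result.setdefault(host, {})[name] = (state, substate)
    return result

def asymmetric_waiting(parsed):
    """Interfaces Waiting on this host but Monitored on the peer (the one-sided
    state in the symptom); 'diagnostic' drops out because it is Waiting on both."""
    this, other = parsed.get("this", {}), parsed.get("other", {})
    return sorted(n for n, (_s, sub) in this.items()
                  if sub == "Waiting" and other.get(n, ("", ""))[1] == "Monitored")

def count_host_move_drops(capture_text):
    """Count ASP capture lines dropped with reason host-move-pkt."""
    return sum(1 for ln in capture_text.splitlines() if HOST_MOVE_RE.search(ln))
```

Run it against the real output of both commands from the active unit; an empty list from asymmetric_waiting and a zero drop count mean the condition described here is not present.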