OPERATIONAL DEFECT DATABASE
...
...
In high availability configuration, FTD monitored interfaces on the active unit might have a Normal (Waiting) state while the standby unit has a Normal(Monitored) state. firepower# show monitor-interface This host: Primary - Active Interface OCHA-INSIDE (192.0.2.1): Normal (Waiting) Interface OCHA-OUTSIDE (192.0.2.1): Normal (Waiting) Interface diagnostic (0.0.0.0): Normal (Waiting) Other host: Secondary - Standby Ready Interface OCHA-INSIDE (192.0.2.2): Normal (Monitored) Interface OCHA-OUTSIDE (192.0.2.2): Normal (Monitored) Interface diagnostic (0.0.0.0): Normal (Waiting) ASP drop captures on the active unit show the host-move-pkt drop reason: 35: 10:57:39.465567 802.1Q vlan#1234 P0 192.0.2.2 > 192.0.2.1 ip-proto-105, length 44 Drop-reason: (host-move-pkt) FP host move packet, Drop-location: frame 0x00005651a20fc100 flow (NA)/NA 36: 10:57:39.465597 802.1Q vlan#1235 P0 192.0.2.2 > 192.0.2.1 ip-proto-105, length 44 Drop-reason: (host-move-pkt) FP host move packet, Drop-location: frame 0x00005651a20fc100 flow (NA)/NA
The symptoms were observed with all of the following conditions in place: - FTD application running in container mode (multi-instance deployment). - Transparent firewall mode. - Monitored port-channel subinterfaces in bridge groups.
Configure static Active and Standby MAC addresses under the interface affected, such as: interface mac-address XXXX.XXXX.XXXX standby YYYY.YYYY.YYYY Replace "XXXX.XXXX.XXXX" and "YYYY.YYYY.YYYY" for L2 addresses available to be used.
The Normal (Waiting) state means that the interface is up but has not yet received a hello packet from the corresponding interface on the peer unit.
Click on a version to see all relevant bugs
Cisco Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.
