Troubleshoot Interface Status Mismatch Between FMC GUI and Secondary FTD CLI in High Availability Configuration

Available Languages

Download Options

  • PDF     (21.6 KB)
    View with Adobe Reader on a variety of devices
Updated:May 6, 2026
Document ID:225853

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Issue

After disabling the data interfaces of the Secure Firewall Threat Defense Virtual (FTDv) in high availability (HA, or failover) configuration in the Secure Firewall Management Center (FMC) User Interface (UI) and successfully deploying the policies these symptoms are observed:

1. The interface administrative status mismatches between the FMC UI and the secondary/standby FTD CLI. On FMC UI interfaces are administratively disabled, while on FTD CLI they are enabled.

2. The administrative status of the interfaces is different between the HA units: The interfaces are administratively shut down on the primary unit while on the secondary/standby unit the interfaces are administratively up:

> show failover
 
Failover On
Failover unit Secondary
Failover LAN Interface: FailoverLink GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 311 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.20(2)121, Mate 9.20(2)121
Serial Number: Ours ABC123, Mate DEF123
Last Failover at: 05:30:31 UTC Apr 7 2026
        This host: Secondary - Standby Ready
                Active time: 83 (sec)
                slot 0: ASAv hw/sw rev (/9.20(2)121) status (Up Sys)
                  Interface outside (192.168.1.1): Normal (Waiting) <-- No shutdown
                  Interface inside (192.168.2.1): Normal (Waiting)  <-- No shutdown
                  Interface DMZ (192.168.3.1): Normal (Waiting)     <-- No shutdown          
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)
        Other host: Primary - Active
                Active time: 188332 (sec)
                  Interface outside (192.168.1.1): Link Down (Shutdown) <-- Shutdown
                  Interface inside (192.168.2.1): Link Down (Shutdown)  <-- Shutdown
                  Interface DMZ (192.168.3.1): Link Down (Shutdown)     <-- Shutdown             
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)
...

The discrepancy prevented successful migration of the firewalls.

Environment

  • FMC-managed FTDv version 7.4.2.4 in HA. Other software versions can also be affected.

  • Primary unit is active, secondary is standby. The symptoms are relevant to active/standby state, irrespective of the primary/secondary role.

  • Data interfaces are shutdown on FMC and policies are deployed.

Resolution

The symptoms are reproduced and documented in the Cisco bug ID CSCwt99185 with documented workaround steps.

Cause

The interface status discrepancy is due to the Cisco bug ID CSCwt99185.

Related Content

Revision History

Revision Publish Date Comments
1.0
06-May-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Ilkin Gasimov
    Cisco TAC Engineer
  • Mikis Zafeiroudis
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products