topic Re: Failover Site-to-Site IPSec Tunnels Between Two FTDs Managed by FM in Network Security

Failover Site-to-Site IPSec Tunnels Between Two FTDs Managed by FMC

edh@oneonta.com — Thu, 26 Jan 2023 18:40:24 GMT

I have two FTDs, one with one ISP and one with two ISPs, and need to have failover tunnels between them. The internet connection fails over with SLA monitor and different metrics. The site-to-site tunnels are set up as route based with two static VTIs on the single ISP connection FTD and one VTI per ISP connection on the one with two ISPs. The tunnel works fine when on primary connection for FTD with two ISPs. The tunnel to the secondary ISP interface never forms, not before or after failover. I have set a timeout on the floating connections in Platform Setting policy to 30 seconds and this didn't change anything. Has anyone made this work? I have attached a diagram for clarity.

Re: Failover Site-to-Site IPSec Tunnels Between Two FTDs Managed by FM

MHM Cisco World — Thu, 26 Jan 2023 18:45:05 GMT

if you can config IPsec keepalive,
we must inform other FW that this tunnel is down and we will establish other tunnel.
that it

Re: Failover Site-to-Site IPSec Tunnels Between Two FTDs Managed by FM

edh@oneonta.com — Thu, 26 Jan 2023 19:00:16 GMT

Turns out for this configuration to work I needed to set the secondary VTIs as "backup VTIs" in the VPN configuration. I had them set up as two separate tunnels, which for some reason didn't work. Thanks for the reply though!