Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
595
Views
1
Helpful
6
Replies

Cisco FPR Dual WAN S2S

abreuil
Level 1
Level 1

‎03-22-2023 07:03 AM

Hello,

I have an issue when I added a second WAN in my Firepower.

I have a WAN1 with multiple S2S connections, and I added a second WAN. When I change the default route to use the WAN2 by default, I have no longer S2S connection.

Even with adding a route (before default route) for each S2S connection, no tunnel is mounting.

Is there a way to use a WAN only for S2S, and other WAN for every other connections ?

Labels:
0 Helpful
6 Replies 6

abreuil
Level 1
Level 1

‎03-22-2023 07:19 AM

I saw this link when I did my research, but it seems like this solution is not what I need.

I need that every S2S to use WAN1 only when every other connections are using the other WAN, no failover.

Here are my routes :

for S2S_LAN_1, use outside1 with GW1, metric 50

default route 0.0.0.0/0, use outside2, with GW2, metric100

default route 0.0.0.0/0, use outside1, with GW1, metric 101

Everyone in the LAN has internet access via WAN2, as wanted, but the S2S on WAN1 is not mounting, from any site

0 Helpful

MHM Cisco World
VIP
VIP
In response to abreuil

‎03-22-2023 07:32 AM

but that not work s2s is policy based and follow routing traffic, i.e. the packet must forward through the GW1 then s2s will encrypt the traffic, 
here you config gw1 with 101 which make gw2 forward the traffic. 
so in your config you must select gw2 and primary and gw1 as backup. 

or try config static route for remote LAN toward Gw1 and keep default route as it, 

0 Helpful

abreuil
Level 1
Level 1
In response to abreuil

‎03-23-2023 07:57 AM

I managed to do this by adding the public IP in my first route :

for S2S_LAN_1 and/or S2S_GW, use outside1 with GW1, metric 50

 

Thank you all for your time

MHM Cisco World
VIP
VIP
In response to abreuil

‎03-23-2023 08:16 AM

You are so so so welcome friend 

Have a nice day 

0 Helpful

Georg Pauwen
VIP
VIP

‎03-22-2023 10:55 AM

Hello,

not entirely sure if this is an option for your specific topology, but you could try ECMP zones as described in the document linked below...

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/routing-ecmp.html

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card