Firepower 1010 VPN Routing Issue

Kasim
Level 1

Hi all, 

I'm going to preface this with this disclaimer: I'm not an expert on Cisco networking (still learning), so bear with me if I don't provide the right details.

We have a hub and spoke topology in our organization. Our field sites use Cisco Firepower 1010 devices running FTD, with versions ranging from 7.2.7 to 7.4.1.1. All are managed by FMC, version 7.4.1.1 (build 12).

We have 2 site-to-site VPN firewalls set up; both are configured for Answer Only.

RIP is being used to advertise routes.

The issue is that we notice at times (seemingly at random) that sites will lose routing and pinging the management IP times out. When we investigate the crypto on the FTD, we notice IKEv2 SAs on both S2S VPN firewalls instead of just one of them, with some routes on one and the rest on the other. Clearing crypto isakmp will re-establish the VPN connection right away (to one S2S VPN firewall) and routing is back to normal.

What could be causing the random tunnel connection to the other VPN firewall and the splitting of the routes?

Any insight would be appreciated.

Thanks in advance

2 Replies

Can you draw the topology? Thanks

MHM

There are 2 DCs that basically mirror each other in configuration. Field firewalls will typically connect to one of the S2S VPN firewalls in either DC. But what I'm seeing (it seems random) is that while they are connected to one of the DCs, some routing splits, and I find some routes are on one VPN FW and the rest are on the other.

Hopefully I'm making sense.

Thanks