07-19-2024 06:25 AM
Hi all,
I'm going to preface this with this disclaimer - I'm not an expert on Cisco networking (still learning), so bear with me if I don't provide the right details.
We have a hub and spoke topology in our organization. Our field sites use Cisco Firepower 1010 devices running FTD, versions ranging from 7.2.7 to 7.4.1.1. All are managed by FMC - Version 7.4.1.1 (build 12).
We have 2 site to site VPN firewalls set up - both are configured for Answer Only.
RIP is being used to advertise routes.
The issue is we notice that at times (seems random), sites will lose routing, and pinging the management IP times out. When we investigate the crypto on the FTD, we notice IKEv2 SAs on both S2S VPN firewalls instead of just one of them, with some routes on one and the rest on the other. Clearing crypto isakmp will re-establish the VPN connection right away (to one S2S VPN firewall) and routing is back to normal.
What could be causing the random tunnel connection to the other VPN firewall and splitting the routes?
Any insight would be appreciated.
Thanks in advance
07-19-2024 07:57 AM
@Kasim wrote: [original post quoted above]
Ensure that both site-to-site VPN firewalls have consistent configurations and that the priority for route advertisements via RIP is clearly defined.
The IKEv2 SA establishment on both VPN firewalls suggests a possible failover or misconfiguration in the VPN setup. Verify that the VPN failover settings are correctly configured and that only one VPN firewall should actively handle the connection at any given time.
Additionally, check the RIP configurations to ensure that routes are being advertised and accepted consistently. Implementing proper monitoring and logging on both the VPN firewalls and the FMC can help identify the exact triggers for the issue.
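One way to put the monitoring suggested above into practice, as an added example that is not from any poster in this thread: collect "show crypto ikev2 sa" output from each hub VPN firewall and flag any spoke peer that holds a READY IKEv2 SA on more than one hub at the same time, which is the symptom described in the original post. The per-tunnel line format and the hub names are assumptions, and the sample output is constructed with RFC 5737 addresses.

```python
import re
from typing import Dict, List, Set

# Per-tunnel line of "show crypto ikev2 sa" on ASA/FTD (assumed format), e.g.
# "   101 203.0.113.1/500   198.51.100.10/500   READY    RESPONDER"
SA_LINE = re.compile(
    r"^\s*(?P<tunnel>\d+)\s+(?P<local>[\d.]+)/\d+\s+(?P<remote>[\d.]+)/\d+\s+"
    r"(?P<status>\S+)\s+(?P<role>\S+)\s*$"
)

def parse_ikev2_peers(show_output: str) -> Set[str]:
    """Return the remote peer IPs that have an IKEv2 SA in READY state."""
    peers: Set[str] = set()
    for line in show_output.splitlines():
        m = SA_LINE.match(line)
        if m and m.group("status") == "READY":
            peers.add(m.group("remote"))
    return peers

def find_split_peers(hub_outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each peer with a READY SA on more than one hub to the hubs involved."""
    seen: Dict[str, List[str]] = {}
    for hub, output in hub_outputs.items():
        for peer in parse_ikev2_peers(output):
            seen.setdefault(peer, []).append(hub)
    # A spoke should terminate on exactly one hub; anything else is a split.
    return {peer: sorted(hubs) for peer, hubs in seen.items() if len(hubs) > 1}

# Constructed sample output for the two hub firewalls (not real device output).
HUB_A = """IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote               Status   Role
   101 203.0.113.1/500        198.51.100.10/500    READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
   102 203.0.113.1/500        198.51.100.11/500    READY    RESPONDER
"""
HUB_B = """IKEv2 SAs:

Tunnel-id Local                Remote               Status   Role
   201 203.0.113.2/500        198.51.100.11/500    READY    RESPONDER
   202 203.0.113.2/500        198.51.100.12/500    READY    RESPONDER
"""

if __name__ == "__main__":
    for peer, hubs in find_split_peers({"dc1-vpn": HUB_A, "dc2-vpn": HUB_B}).items():
        print(f"peer {peer} has IKEv2 SAs on {', '.join(hubs)}")
```

Run it on a schedule against real output from both hubs and alert when the result is non-empty; the timestamps of the first alert narrow down what triggered the split.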
07-23-2024 02:28 PM
Can you draw the topology? Thanks
MHM
07-24-2024 07:21 AM
There are 2 DCs that basically mirror each other in configuration. Field firewalls will typically connect to one of the S2S VPN firewalls in either DC. But what I'm seeing (what seems random) is that while they are connected to one of the DCs, some routing splits and I find some routes are on one VPN FW and the rest are on the other.
Hopefully I'm making sense.
Thanks