Cisco FirePower 1120 RAVPN failover between two ISP's

ryan-ash
Level 1

I am trying to understand if this is even possible. I have two 1120s in an HA pair. I have two ISPs connected to each one, and failover using an SLA works for the internet in the building. Most of the company is remote and the company is 24/7. Is it possible to set up failover for the RAVPN?

I do NOT have the Firepower Management Center. It is only managed via the built-in FDM. I asked Cisco and they said no, it is not possible via the FDM, but they said that it is possible via the FMC. Does anyone know if that is true? I do not want to buy the FMC license and waste 32 GB of RAM for it to not work. The end goal is to have the RAVPN fail over the same way the internet does. If the internet is down, it will fail over from the port that ISP 1 is plugged into over to the port ISP 2 is connected to, and then back when ISP 1 is up. I just need the RAVPN to use the active connection, and only one can be chosen when setting up the RAVPN. Why is it I can add a second connection to the site-to-site connection but not the RAVPN?


@ryan-ash unfortunately, as of 7.6 (the current latest version), you cannot add a second connection profile using FDM.

Guidelines and Limitations for Remote Access VPN

Please keep the following guidelines and limitations in mind when configuring RA VPN.

  • You cannot configure both the device manager access (HTTPS access in the management access list) and remote access SSL VPN on the same interface for the same TCP port. For example, if you configure remote access SSL VPN on the outside interface, you cannot also open the outside interface for HTTPS connections on port 443. If you configure both features on the same interface, ensure that you change the HTTPS port for at least one of these services to avoid a conflict.

  • The RA VPN outside interface is a global setting. You cannot configure separate connection profiles on different interfaces.

https://www.cisco.com/c/en/us/td/docs/security/firepower/760/fdm/fptd-fdm-config-guide-760/fptd-fdm-ravpn.html

Your cheapest options are either Cloud FMC (cdFMC) or virtual FMC.

Thank you for that. To confirm, if I use the cloud-hosted CDO or FMC, is it then possible for me to have the RAVPN automatically fail over? What I ultimately am trying to do is have vpn.company.com as the address and have that use whatever is the active ISP at the time. So if ISP 1 fails and ISP 2 takes over, the RAVPN will still connect the same and work.

@ryan-ash you can configure this if using FMC (cloud, virtual or physical) to manage the FTD. You cannot use CDO, as CDO just manages FDM from the cloud.

Got it. Thank you very much. 
