Cisco FTD Redundant IPSec Tunnels Mechanism

peymansarayeli
Level 1

Hey guys, I hope you are doing well.

 

I have problem understanding how redundancy works in an H.A. (Active/Standby) FTD when it comes to IPSec tunnels.

 

To clarify more:

- Our office is connected to 2 ISPs. We created two IPSec tunnels, each one of them is terminated on one ISP.

- On the other end of the connection there are also two separate IP addresses.

- We are on version 6.6.1 and we are using "Policy-Based" VPN.

- I also created two static default routes towards each ISP gateway and prioritized one of them with a metric, so all of the traffic goes through ISP-1 unless it is not reachable; then the second static default route kicks in.

 

When I run the "Show Route" command on the FTD, it shows me that the static default route is pointing to the ISP-1 but the VPN interface is pointing to the other ISP.

 

It is not important which tunnel is responsible for sending and receiving traffic in this case; I just want to know how the redundant tunnels work in the background.

 

Best Regards,

Peyman Sarayeli

3 Replies

The routing for the remote site IPs should also be pointing out the ISP-2 interface, and I am assuming that an IP SLA tracker is also configured for the routes.

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud 

Thanks for your reply.

 

I am not sure if I understood your answer. Do you mean that we have to implement static routes pointing to the remote site networks as well, and include IP SLA in them?

 

As of now, we just have 2 static default routes and no IP-SLA is configured.

 

Best Regards,

Well, the static routes for the remote sites would need to be in place if traffic is not following the default route.

If you have two default routes configured, only the first one configured will be selected for the routing table. The second route will not be present in the routing table. There are a couple of ways around this, but as long as you are not going to be allowing asynchronous routing, you will need to implement IP SLA to track the primary default route, so that when the primary is no longer active the secondary will be inserted into the routing table.

--
Please remember to select a correct answer and rate helpful posts
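As an added illustration of the tracked default route described in the reply above (not configuration from the thread's poster or device), this is the ASA/Lina-style syntax that the underlying FTD configuration ends up with when an SLA Monitor object is attached to a static route's Route Tracking field in FMC. Interface names and all IP addresses are constructed placeholders.

```cisco
! Constructed example: primary default route withdrawn when ISP-1 probe fails.
! Interface names (ISP1, ISP2) and addresses (198.51.100.1, 203.0.113.1) are placeholders.
!
! SLA probe: ICMP echo toward a target reachable only via ISP-1, sent out the ISP1 interface.
! Probing something beyond the directly connected gateway detects upstream failures
! that a link-up/link-down check would miss.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface ISP1
 frequency 5
 timeout 3000
 num-packets 3
sla monitor schedule 1 life forever start-time now
!
! Track object that follows the probe's reachability state.
track 1 rtr 1 reachability
!
! Primary default route: present in the routing table only while track 1 is up.
route ISP1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
!
! Backup default route with a worse metric: installed only after the primary is withdrawn,
! which avoids the "only the first default route is installed" situation from the reply.
route ISP2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Verification (read-only):
!   show sla monitor operational-state 1
!   show track 1
!   show route
```

Because the IPSec tunnels are policy-based, the routes that carry the remote site's networks must also follow the same tracked path so that encrypted traffic egresses the interface whose tunnel is active; otherwise the routing table and the VPN interface can disagree as the original poster observed.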