Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1150
Views
10
Helpful
2
Replies

Failover Site-to-Site IPSec Tunnels Between Two FTDs Managed by FMC

edh@oneonta.com
Level 1
Level 1

‎01-26-2023 10:40 AM

I have two FTDs, one with one ISP and one with two ISPs, and need to have failover tunnels between them. The internet connection fails over with SLA monitor and different metrics. The site-to-site tunnels are set up as route based with two static VTIs on the single ISP connection FTD and one VTI per ISP connection on the one with two ISPs. The tunnel works fine when on primary connection for FTD with two ISPs. The tunnel to the secondary ISP interface never forms, not before or after failover. I have set a timeout on the floating connections in Platform Setting policy to 30 seconds and this didn't change anything. Has anyone made this work? I have attached a diagram for clarity.

Preview file
34 KB
2 Replies 2

MHM Cisco World
VIP
VIP

‎01-26-2023 10:45 AM

if you can config IPsec keepalive, 
we must inform other FW that this tunnel is down and we will establish other tunnel. 
that it

0 Helpful

edh@oneonta.com
Level 1
Level 1
In response to MHM Cisco World

‎01-26-2023 11:00 AM

Turns out for this configuration to work I needed to set the secondary VTIs as "backup VTIs" in the VPN configuration. I had them set up as two separate tunnels, which for some reason didn't work. Thanks for the reply though!

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card