12-05-2022 12:21 PM
Hello,
I've been reading through Cisco's site-to-site documentation and wanted to confirm there's no possible way for a site-to-site VPN to have both tunnels active? Seems you can only have active/passive.
FMC 7.0 using FTD 2100 series.
Thanks in advance
12-06-2022 04:59 AM
It isn't clear if you are asking about S2S VPN with an HA pair of FTD appliances or a single FTD appliance with a primary and backup S2S VPN peer.
Either way, the answer is "no".
12-05-2022 12:27 PM
You mean initiator/responder?
12-06-2022 06:40 AM
@Marvin Rhoads, are traffic zones still not supported on SVTI tunnels in the case of FTD? On ASA it is certainly possible to configure them and achieve ECMP over tunnel interfaces, or use them in a primary/backup manner.
What is not clear though, is how existing connections are reclassified if one of tunnel interfaces goes down in such scenario.
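An added example, not posted by anyone in this thread, of the ASA setup tvotna describes: two VTIs placed in one traffic zone with equal-cost static routes to the remote LAN, so both tunnels carry traffic at once. Interface names, addresses, the IPsec proposal and the zone name are assumptions; the IKEv2 policy, the tunnel-group for each peer and enabling IKEv2 on the outside interface are omitted.

```cisco
! Two route-based (VTI) tunnels to the same remote site, both members of one
! traffic zone so that equal-cost static routes over them are load-balanced.
! All names and addresses below are constructed for this example.
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
!
zone VPN-ECMP
!
interface Tunnel1
 nameif VTI-1
 zone-member VPN-ECMP
 ip address 10.10.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface Tunnel2
 nameif VTI-2
 zone-member VPN-ECMP
 ip address 10.10.10.5 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Same destination, same metric, one route per VTI: the ASA only installs
! equal-cost routes across interfaces that belong to the same zone.
route VTI-1 192.168.100.0 255.255.255.0 10.10.10.2 1
route VTI-2 192.168.100.0 255.255.255.0 10.10.10.6 1
!
! Verification: both routes should be in the table and both VTIs in the zone.
! show route 192.168.100.0
! show zone VPN-ECMP
```

If a tunnel goes down, its route is withdrawn and new flows use the remaining VTI; how established connections on the failed tunnel are handled is the open question raised in the post above.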
12-06-2022 07:33 AM
@tvotna seems like they are now supported from 7.1 and higher. - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/routing-ecmp.html
12-06-2022 07:38 AM
Yes - I believe the recently-introduced route-based (VTI) S2S VPNs along with ECMP are supported. Policy-based (crypto map) does not support it.
I have not tried it myself yet though.
12-06-2022 09:52 AM
Hi Marvin,
Currently, we only have the one FTD in place but soon will have a second FTD setup in HA. I will read up on VTIs and see if those will work in our scenario. Thanks