06-22-2024 05:35 AM
Hi,
On an FTD 2120 HA, would I be right in thinking we cannot use SSL RA (Secure Client) when our FTD is configured with dual WAN (two separate physical interfaces) using ECMP with IP SLA?
Or would I have to enable SSL RA on both WAN/out interfaces, as FMC complains when I only have the one WAN/out interface configured for SSL RA?
06-22-2024 05:42 AM
Did you configure an ECMP zone?
MHM
06-22-2024 05:18 PM
Yes, I configured the ECMP zone; however, after deploying, FMC complained and I had to disable the SSL access.
06-22-2024 10:16 PM
06-23-2024 09:07 AM
Sorry friend,
any interface used for
RA VPN
S2S VPN
cannot be used for an ECMP zone in FTD from 7.0 to 7.4.
Maybe a new update will come without this limitation.
MHM
06-23-2024 12:54 PM
Hi,
I'm sure you can use S2S VPN, as I have it running currently on a single interface within an ECMP zone.
What if I gave the FTD another two interfaces, both with a unique IP in their respective WAN networks, would that work?
So the FTD would have a total of 4 WAN links, two in an ECMP zone and the other two used for RA, where two interfaces are part of the same network just with different IPs.
Or is that not really recommended?
06-26-2024 06:09 PM
There are two kinds of ECMP in Cisco:
1- ECMP by configuring two routes to different next-hops with the same metric; the FTD load-balances the traffic using the 5-tuple/3-tuple.
2- ECMP by configuring two interfaces in one ECMP zone.
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221692-configure-ecmp-with-ip-sla-on-ftd-manage.html
It seems the same, but after searching for two days, the difference is the conn: in the first one there are two conns for each traffic flow passing each interface; in the second there is ONE conn.
The first case comes with many restrictions from Cisco, and it differs from one version to another, which is why I specified multiple versions in my previous comment.
"So the FTD would have a total of 4 WAN links, two in an ECMP zone and the other two used for RA, where two interfaces are part of the same network just with different IPs."
How do you configure the default route if you have four? You need PBR to direct traffic to the ECMP zone, and that also needs checking, and making the other new WAN interfaces have a default route,
then it comes to RA VPN: you need to specify two WAN IPs in the AnyConnect profile, one as primary and the other as backup.
If you have other questions please ask; I hope I can help here with your task.
Thanks
MHM
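As an added illustration of the primary/backup server point made in the reply above (this is not configuration from the original thread or from Cisco's own documentation), the following Secure Client (AnyConnect) client profile lists one host entry whose main address is the primary WAN IP and whose BackupServerList carries the second WAN IP. The hostnames, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the group-url are constructed placeholders; the element names (ServerList, HostEntry, HostName, HostAddress, BackupServerList) are the standard ones from the AnyConnectProfile schema. The client tries the primary address first and falls back to the backup address only when the primary is unreachable, which is what makes a two-WAN headend usable from a single profile.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile, not from the original thread.
     Addresses and names below are constructed placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <!-- Display name shown in the client's server drop-down -->
      <HostName>Corp VPN (dual WAN)</HostName>
      <!-- Primary WAN: the address the client tries first -->
      <HostAddress>203.0.113.10</HostAddress>
      <!-- Optional: pin a specific tunnel-group via group-url -->
      <UserGroup>remote-users</UserGroup>
      <!-- Backup WAN: used only if the primary address does not answer -->
      <BackupServerList>
        <HostAddress>198.51.100.10</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two practical checks when using such a profile: the RA VPN must actually be enabled on both outside interfaces in FMC (otherwise the backup address will never answer), and the certificate presented on each interface should cover the name or address the client connects to, or users will see a certificate warning on failover rather than a silent switch.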