FTD 2120 HA ECMP with RA SSL

paul-d
Level 1

Hi,

On an FTD 2120 HA, would I be right in thinking we cannot use SSL RA (Secure Client) when our FTD is configured with dual WAN (two separate physical interfaces) using ECMP with IP SLA?

Or would I have to enable SSL RA on both WAN/out interfaces, as FMC complains when I only have the one WAN/out interface configured for SSL RA?

6 Replies

Did you configure an ECMP zone?

MHM

Yes, I configured the ECMP zone; however, after deploying, FMC complained and I had to disable the SSL access.

Sorry friend, any interface used for
RA VPN
S2S VPN
cannot be used for an ECMP zone in FTD from 7.0 to 7.4.
Maybe a new update will come without this limitation.

MHM

Hi,

I'm sure you can use S2S VPN, as I have it running currently on a single interface within an ECMP zone.

What if I gave the FTD another 2 interfaces, both with a unique IP in their respective WAN networks; would that work?

So the FTD would have a total of 4 WAN links, two in an ECMP zone and the other two used for RA, where two interfaces are part of the same network, just with different IPs.

Or is that not really recommended? 

There are two kinds of ECMP in Cisco:
1- ECMP by configuring two routes to different next hops with the same metric; the FTD load balances the traffic using the 5-tuple/3-tuple.
2- ECMP by configuring two interfaces in one ECMP zone.
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221692-configure-ecmp-with-ip-sla-on-ftd-manage.html

It seems the same, but as I searched for two days, the difference is the conn: in the first one there are two conns for each traffic flow passing each interface; in the second there is ONE conn.

[Image: FTD ECMP.png]

The first case comes with many restrictions from Cisco; it differs from one version to another, which is why I specified multiple versions in my previous comment.

"""so the ftd would have a total of 4 wan links, two in an Ecmp zone and the other two used for RA, where two interfaces are part of the same network just with different ips"""

How do you configure the default route if you have four? You need PBR to direct traffic to the ECMP zone, and you also need to check and make the new other WAN interfaces have a default route.
Then, for RA VPN, you need to specify two WAN IPs in the AnyConnect profile, one as primary and the other as backup.

If you have other questions, please ask; I hope I can help here with your task.

Thanks
MHM
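The primary/backup WAN address arrangement MHM describes for the RA VPN client maps onto the ServerList section of a Secure Client (AnyConnect) VPN client profile. The fragment below is an added example and is not a profile from this thread or from Cisco; the hostname, the two WAN addresses and the display name are constructed placeholders, and only the ServerList section is shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: primary headend address plus a backup address on the second WAN. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <!-- Name the user sees in the client drop-down (placeholder). -->
      <HostName>Corporate VPN</HostName>
      <!-- Primary headend: resolves to the first WAN/outside interface (placeholder FQDN). -->
      <HostAddress>vpn.example.com</HostAddress>
      <!-- Tried in order only after the primary address fails to connect. -->
      <BackupServerList>
        <!-- Second WAN/outside interface address (placeholder, TEST-NET-2 range). -->
        <HostAddress>198.51.100.10</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two practical checks before relying on this: the identity certificate presented by the headend must be valid for both the primary name and the backup address (a SAN covering each entry), or the client will raise an untrusted-server warning on failover; and the client only moves to the backup list when the primary connection attempt fails, so a headend that accepts the TCP/TLS handshake but cannot complete the tunnel will not trigger failover. The routing side (PBR toward the ECMP zone and a default route on each RA interface) is configured in FMC and is outside what a client profile can express.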
