12-03-2024 11:55 AM - edited 12-03-2024 11:57 AM
I am trying to figure out a design for FTD (single unit or HA) that establishes multiple VPN tunnels to the same remote site and forwards traffic actively through all the active VPN tunnels to the same destination subnet (ECMP). Either static or dynamic routing would be used. I have high-level diagrams attached below for reference.
With Option#1, I would establish two P2P tunnels using the same public IP pair on FTD and the remote device, but with two unique VTIs on both ends. From my reading of the doc, I do not see this identified as not supported, but somehow I feel this option#1 would actually not work...
With Option#2, I would establish full-mesh tunnels between FTD and two remote devices. There should be four tunnels for ECMP on FTD to forward traffic over all the tunnels. With this, I would also be able to aggregate the bandwidth of multiple tunnels to have a higher VPN throughput.
Can you please help review and advise?
12-04-2024 07:06 AM
Hi SIMMN,
Option 1 will not work, as you cannot establish 2 VPNs from an FTD to the same peer IP, so you must go with Option 2. This I already implemented.
You can build two tunnels from one FTD (Spoke) to two far-end FTDs (Hubs). Use a VTI for every tunnel, so it is a route-based tunnel. For load balancing you must have two static routes with the same metric over both tunnels, and put both VTIs in an ECMP zone on the Spoke. The tricky part is the Hubs, as you will have packet drops when the packets are running back and forth over both hubs. FTDs will block packets with SYN/ACK when the SYN did not travel through the firewall.
So I think the best you can do is SD-WAN, so you route some traffic over the tunnel to Hub 1 and some to Hub 2, based on PBR possibilities. But you have to make it symmetric. For example, when you send all SMB traffic to your 172.16.100.0/24 over Hub 1 and all HTTP/s traffic over Hub 2, you have to do the PBR on the Spoke but also for the reverse path on Hub 1 and Hub 2.
Hope that helps a bit.
Regards Andre
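Andre's point about the hubs, modelled as an added example (not FTD code and not from anyone in the thread): a spoke ECMPs flows over two VTIs to two stateful hub FTDs, and a SYN/ACK that returns through the hub that never saw the SYN is dropped, while symmetric PBR on both sides keeps each flow on one hub. The hub names, the flow hash, the round-robin return path and the client/server addresses are all constructed for the illustration.

```python
# Constructed model of spoke-side ECMP over two VTIs to two stateful hubs.
HUBS = ("hub1", "hub2")

class StatefulHub:
    """Minimal stateful firewall: SYN/ACK passes only if this hub saw the SYN."""
    def __init__(self):
        self.conns = set()   # (client, server, service_port) tuples admitted by a SYN

    def inspect(self, flow, flags):
        if flags == "SYN":
            self.conns.add(flow)
            return True
        return flow in self.conns   # SYN/ACK and later packets need existing state

def ecmp_hash(flow):
    """Spoke-side ECMP over both VTIs; a constructed flow hash, not FTD's real one."""
    client, _server, port = flow
    return HUBS[(int(client.rsplit(".", 1)[1]) + port) % 2]

def make_round_robin():
    """Remote LAN with a load balancer in front of both hubs: per-flow round robin."""
    state = {"n": 0}
    def pick(_flow):
        state["n"] += 1
        return HUBS[(state["n"] - 1) % 2]
    return pick

def pbr(flow):
    """Symmetric PBR on the spoke and on both hubs: SMB via hub1, everything else via hub2."""
    return "hub1" if flow[2] == 445 else "hub2"

def simulate(forward_pick, return_pick, flows):
    """Return {flow: True if the handshake completes, False if a hub dropped the SYN/ACK}."""
    hubs = {name: StatefulHub() for name in HUBS}
    results = {}
    for flow in flows:
        hubs[forward_pick(flow)].inspect(flow, "SYN")                     # client -> server
        results[flow] = hubs[return_pick(flow)].inspect(flow, "SYN/ACK")  # server -> client
    return results

# Constructed sample flows from spoke LAN clients to the 172.16.100.0/24 subnet in the thread.
FLOWS = [("10.1.1.10", "172.16.100.20", 445),
         ("10.1.1.11", "172.16.100.20", 443),
         ("10.1.1.12", "172.16.100.20", 80)]

if __name__ == "__main__":
    print("ECMP + LB (asymmetric):", simulate(ecmp_hash, make_round_robin(), FLOWS))
    print("Symmetric PBR:         ", simulate(pbr, pbr, FLOWS))
```

With the asymmetric setup only the flow whose return path happens to land on the same hub survives; with PBR applied identically on both sides every handshake completes.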
12-04-2024 08:18 AM
I think you are referring to the asymmetrical routing on the remote side with two firewalls, right? Adding a LB between the two firewalls and LAN should solve the issue I think... Also when you say you already implemented option2, how did you solve the firewall dropping return traffic issue?
Regarding SD-WAN, that is an option but not really a viable option currently...