Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1992
Views
0
Helpful
3
Replies

ftd full mesh vpn with backup lines

Go to solution
Spyros Kasapis
Level 1
Level 1

‎11-25-2020 02:12 AM

Hello

 

is it possible to create full mesh vpn in ftd with backup lines ?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎11-25-2020 06:07 AM - edited ‎11-25-2020 06:18 AM

@Spyros Kasapis 

I assume you are referring to having an FTD at the central location, with 2 internet connections (Primary/Secondary)?

 

I've not see any documentation for a full mesh with backup interfaces scenario. I've tested on FTD 6.5, the problem is when defining a VPN topology you can only specify 1 interface, not both. In this scenario, cisco would usually recommend a router at the hub.

 

You cannot create 1 Mesh Topology, but you can get creative and define multiple VPN topologies to achieve the same thing.

 

1 x Hub/Spoke topology - HQ-FTD (Primary ISP interface) > Extranet (spoke ip)

1 x Hub/Spoke topology - HQ-FTD (Secondary ISP interface) > Extranet (spoke ip)

1 x Hub/Spoke topology - Spoke (the FMC managed object) > Extranet Hub (define multiple peer IP address)

1 x Mesh topology for all spokes

 

Use IP SLA on the hub to failover to the secondary ISP if the primary fails. Use DPD on the spokes to detect the Primary ISP failure.

 

HTH

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎11-25-2020 06:07 AM - edited ‎11-25-2020 06:18 AM

@Spyros Kasapis 

I assume you are referring to having an FTD at the central location, with 2 internet connections (Primary/Secondary)?

 

I've not see any documentation for a full mesh with backup interfaces scenario. I've tested on FTD 6.5, the problem is when defining a VPN topology you can only specify 1 interface, not both. In this scenario, cisco would usually recommend a router at the hub.

 

You cannot create 1 Mesh Topology, but you can get creative and define multiple VPN topologies to achieve the same thing.

 

1 x Hub/Spoke topology - HQ-FTD (Primary ISP interface) > Extranet (spoke ip)

1 x Hub/Spoke topology - HQ-FTD (Secondary ISP interface) > Extranet (spoke ip)

1 x Hub/Spoke topology - Spoke (the FMC managed object) > Extranet Hub (define multiple peer IP address)

1 x Mesh topology for all spokes

 

Use IP SLA on the hub to failover to the secondary ISP if the primary fails. Use DPD on the spokes to detect the Primary ISP failure.

 

HTH

0 Helpful

Go to solution
Spyros Kasapis
Level 1
Level 1
In response to Rob Ingram

‎11-25-2020 06:20 AM

Thank you all for your quick response ,

Belaji i red this link .

Rob  i  am testing these scenarios , 

we have a full mesh vpn topology with 10 ftd's all in HA , in our central location the internet connection is stable the problem is in the remote sites if the primary internet connection fails the backup is a vdsl line . 

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card