Re: FTD IPSec VTI on HA Pair

noxiosus · ‎05-04-2021

Hi all,

We plan to implement IPSec VTI on FTD2120 on HA Pair.

As I can see, IPSec VTI is not supported on cluster:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/216276-configure-route-based-site-to-site-vpn-t.html

Does anybody know if there are some similar restrictions in HA Pair installation?

Rob Ingram · ‎05-04-2021

@noxiosus

The documentation states "Support for both Firepower Management Center and FTD HA environments", but it's not clear if they are referring to Policy Based and Routed Based VPN, but I assume both as the section of the document describes both.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/firepower_threat_defense_site_to_site_vpns.html#id_42759

The documentation would normally state whether there is a limitation, so I'd see no reason why you could not setup a static VTI to an Active/Standby HA pair.

HTH

ravi · ‎12-18-2022

Hi Noxiosus,

Are you able to implement VTI on FTD HA pair, I am also looking for the same.

Rajan

Marvin Rhoads · ‎12-19-2022

Yes it is supported on an HA pair.

A cluster is not an HA pair but rather a set of FTD devices (2-16) operating as one logical device (all active). Contrast that with an HA pair where only one device is active while the other is standby at all times.

ravi · ‎12-19-2022

Thanks Marvin.