FTD L2L VPN failover to backup carrier

Curious if anyone has come across this scenario yet. We have a project to replace some legacy ASAs with some new 2110 FTD appliances, and one of the roadblocks we are running into is duplicating the functionality on FTD that allows for automated VPN failover to a secondary ISP circuit or backup circuit. The internet traffic failover is not a problem; however, the way that FTD VPNs are configured is that they are bound to a specific interface upon creation. This inherently prevents it from being established on the backup circuit should the primary go down and requires manual intervention to change the tunnel configuration to use the backup interface and re-deploy the policy.

Legacy ASA code made this very easy by simply binding the crypto map to both the primary and backup interfaces and, on the remote side, including the primary and secondary IPs in the crypto map set peer statement. I'm not seeing where this can be duplicated on FTD at this time, and FlexConfig profiles do not look promising either, as VPN statements are said to be excluded since VPNs are configurable through the FMC.

Hoping I'm not the first to have this need and am interested in what others may have done to get around this limitation.

Regards,

Jason

Re: FTD L2L VPN failover to backup carrier

Did you ever get an answer to your problem?


Re: FTD L2L VPN failover to backup carrier

I know this is old but I ran across it while trying to figure something else out. My post here might be helpful: https://community.cisco.com/t5/network-security/vpn-failover-on-ftds/td-p/3880838

As to the reference to backup peers on old ASA code, I think that only applied to IKEv1. Most ASA code, maybe newer code changed this, did not support backup peers on IKEv2. According to FTD documentation you can do a backup peer on IKEv1, but not IKEv2. In the scenario in my post above, I have two separate VPNs set up.