FTD L2L VPN failover to backup carrier

Curious if anyone has come across this scenario yet. We have a project to replace some legacy ASAs with some new 2110 FTD appliances, and one of the roadblocks we are running into is duplicating the functionality on FTD that allows for automated VPN failover to a secondary ISP circuit or backup circuit. The internet traffic failover is not a problem; however, the way that FTD VPNs are configured is that they are bound to a specific interface upon creation, which inherently prevents the tunnel from being established on the backup circuit should the primary go down, and requires manual intervention to change the tunnel configuration to use the backup interface and re-deploy the policy.

Legacy ASA code made this very easy by simply binding the crypto map to both the primary and backup interfaces, and on the remote side including the primary and secondary IPs in the crypto map "set peer" statement. I'm not seeing where this can be duplicated on FTD at this time, and FlexConfig profiles do not look promising either, as VPN statements are said to be excluded since VPNs are configurable through the FMC.

Hoping I'm not the first to have this need and am interested in what others may have done to get around this limitation.

Regards,

Jason
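For readers who have not seen the legacy ASA setup the post refers to, the following is an added example of that configuration. It is not from the original post or from Cisco; the interface names, ACL, transform set, pre-shared key and RFC 5737 documentation addresses (203.0.113.10 and 198.51.100.10 for the dual-homed site, 192.0.2.1 for the single-homed remote site) are all assumed. It uses IKEv1, since the multiple-peer "set peer" form is the one the thread discusses for that protocol. The dual-homed ASA binds one crypto map to both outside interfaces; the remote ASA lists both of its peer's addresses so that, after the primary ISP fails, IKE is brought up against the backup address.

```text
! ---- Dual-homed site (primary + backup ISP) ----
! Same crypto map applied to both ISP-facing interfaces, so whichever
! interface currently carries the default route can terminate the tunnel.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list VPN_TO_REMOTE extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto map VPN_MAP 10 match address VPN_TO_REMOTE
crypto map VPN_MAP 10 set peer 192.0.2.1
crypto map VPN_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN_MAP interface outside-primary
crypto map VPN_MAP interface outside-backup
crypto ikev1 enable outside-primary
crypto ikev1 enable outside-backup
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-CHANGE-ME

! ---- Remote site (single ISP) ----
! Both addresses of the dual-homed site are listed as peers; a tunnel-group
! is needed for each address so IKE can authenticate against either one.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list VPN_TO_DUALHOMED extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
crypto map VPN_MAP 10 match address VPN_TO_DUALHOMED
crypto map VPN_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map VPN_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN_MAP interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-CHANGE-ME
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-CHANGE-ME
```

Two points worth checking when reproducing this: the dual-homed site must also fail its default route over to the backup interface (for example with an IP SLA tracked static route), otherwise the crypto map on the backup interface never sees the traffic; and the remote site only tries the second peer after the first one fails to respond, so expect a dead-peer-detection or IKE retry delay before the tunnel re-establishes.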

3 Replies

gaskincharles
Level 1

Did you ever get an answer to your problem?

will.schroeder
Level 1

I know this is old but I ran across it while trying to figure something else out. My post here might be helpful: https://community.cisco.com/t5/network-security/vpn-failover-on-ftds/td-p/3880838


As to the reference to backup peers on old ASA code, I think that only applied to IKEv1. Most ASA code, maybe newer code changed this, did not support backup peers on IKEv2. According to FTD documentation you can do a backup peer on IKEv1, but not IKEv2. The scenario in my post above, I have two separate VPNs setup.

Wayon6098
Level 1

I hope you eventually figured this out. If not, try this workaround: set up all your VPN profiles on your primary ISP interface. Create a dummy VPN profile mapped to your backup interface. This way both interfaces have a crypto map statement in the configuration. Fail over to your backup ISP and verify that your VPN connections are re-established. This seems like a bug, so I don't know how long it will be supported, but it is currently working on release 6.6.
