07-27-2022 07:51 AM
Hi,
I'm not able to manage FTD from its remote FMC when it fails over from ISP1 to ISP2.
- 1 x FTD 1010 (7.0.1.1)
- ISP1 connected to E1/1, ISP2 connected to E1/2
- FTD Management Interface connected to E1/3 (routed port)
- Route tracking enabled for ISP1
Long story short, when FTD fails over to ISP2, I can ping FMC on TCP/8305 from FTD Management Interface successfully but the "sf tunnel" won't come up. Performing a packet trace on the FTD shows that the Management Interface tries to go out through ISP1 even though the routing table tells it to go out ISP2 interface (it complains about a sub-optimal route).
Has anyone been able to get this to work?
Thank you!
07-27-2022 09:26 AM
If you use NAT,
add route-lookup to the NAT rule.
07-27-2022 09:43 AM
I have NAT configured, but I can only use route-lookup if the original and translated source addresses are the same, and they aren't in my case (I have two rules: translate the Management Interface to (1) the "isp1-outside" and (2) the "isp2-outside" interface address). I do it this way to keep the Management Interface traffic from going over the VPN tunnel.
07-27-2022 09:53 AM
The NAT routes the traffic through ISP1 even if the RIB route is via ISP2.
For the NAT, can you share the NAT config you use?
07-27-2022 09:59 AM - edited 07-27-2022 10:00 AM
Sure thing!
The NAT config below doesn't have the VPN rules added, but for what I'm trying to do this is what I have configured:
08-11-2022 10:07 AM
Hi, it's still not working... any idea?
09-13-2022 07:11 AM - edited 09-13-2022 07:11 AM
I figured it out -
I created two EEM FlexConfig objects:
My_EEM-FTD-MgmtIf_1
event manager applet NAT-FTD-MgmtIf1
 event syslog id 622001
 action 1 cli command "no nat (mgmt-ftd,outside) source static Host-FTDMgmtIf interface destination static HostFMC_outside HostFMC_outside service tcp_8305 tcp_8305"
 action 2 cli command "clear conn address X.X.X.X"
 output none
My_EEM-FTD-MgmtIf_2
event manager applet NAT-FTD-MgmtIf2
 event syslog id 622001 occurs 2
 action 1 cli command "nat (mgmt-ftd,outside) 1 source static Host-FTDMgmtIf interface destination static HostFMC_outside HostFMC_outside service tcp_8305 tcp_8305"
 action 2 cli command "clear conn address X.X.X.X"
 output none
My_EEM-FTD-MgmtIf_1 removes the NAT statement to outside when outside is down (first occurrence of Syslog 622001). It also clears the Mgmt interface connections to FMC (IP address X.X.X.X).
My_EEM-FTD-MgmtIf_2 adds the NAT statement to outside in position 1 when outside2 is down ("every other" occurrence of Syslog 622001). It also clears the Mgmt interface connections to FMC (IP address X.X.X.X).
Apply both FlexConfig objects to the FTD using Append. Whenever the outside interface goes down / the route to outside is removed from the routing table by route tracking, the static NAT rule for it is removed from the NAT table (this avoids NAT divert), and when the outside interface is up / route tracking is up, the static NAT rule for it is re-added to the NAT table in position 1. Clearing the connections to the FMC is very important, because if you don't they hang around and you'll end up in a situation where network traffic goes via ISP1 but FTD management traffic goes to FMC via ISP2.
I hope this helps someone.
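The applet pair above replayed in Python, as an added example that is not part of the post or of Cisco software: it reads constructed syslog 622001 lines (the addresses and message wording are constructed to resemble the route-tracking syslog; 192.0.2.10 stands in for the FMC address written as X.X.X.X), fires applet 1 on every occurrence and applet 2 on every second one, and also derives the route state from the Removing/Adding verb so the counter-based NAT state can be compared against what the log text says.

```python
"""Offline model of the two EEM applets (NAT-FTD-MgmtIf1/2) replayed against
constructed syslog 622001 lines. Added example code, not the poster's config."""
import re

# 622001 is logged when route tracking removes or re-adds the tracked route.
SYSLOG_622001 = re.compile(
    r"%(?:ASA|FTD)-\d-622001: (Removing|Adding) tracked route .*? on interface (\S+)")

FMC_ADDR = "192.0.2.10"  # placeholder for the FMC address the post writes as X.X.X.X
NAT_RULE = ("source static Host-FTDMgmtIf interface destination static "
            "HostFMC_outside HostFMC_outside service tcp_8305 tcp_8305")

# Constructed sample log: ISP1 (interface "outside") drops and recovers twice,
# with one unrelated connection-built message mixed in as noise.
SAMPLE_LOG = [
    "%FTD-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 198.51.100.1, distance 1, table default, on interface outside",
    "%FTD-6-302013: Built outbound TCP connection 4711 for outside2:192.0.2.10/8305 to mgmt-ftd:10.0.0.2/40000",
    "%FTD-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 198.51.100.1, distance 1, table default, on interface outside",
    "%FTD-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 198.51.100.1, distance 1, table default, on interface outside",
    "%FTD-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 198.51.100.1, distance 1, table default, on interface outside",
]

def replay_applets(lines):
    """Applet 1 fires on every 622001: remove the NAT rule and clear FMC conns.
    Applet 2 ('occurs 2') fires on every second 622001: re-add the rule at
    position 1 and clear FMC conns. Returns (cli_commands, nat_rule_installed)."""
    count, commands, installed = 0, [], True  # rule is deployed by FMC at start
    for line in lines:
        if not SYSLOG_622001.search(line):
            continue
        count += 1
        commands += [f"no nat (mgmt-ftd,outside) {NAT_RULE}",
                     f"clear conn address {FMC_ADDR}"]
        installed = False
        if count % 2 == 0:  # even occurrence: applet 2 runs after applet 1
            commands += [f"nat (mgmt-ftd,outside) 1 {NAT_RULE}",
                         f"clear conn address {FMC_ADDR}"]
            installed = True
    return commands, installed

def tracked_route_present(lines):
    """Route state as the log text reports it: the verb of the last 622001 says
    whether the ISP1 default route is currently in the RIB."""
    present = True
    for line in lines:
        m = SYSLOG_622001.search(line)
        if m:
            present = m.group(1) == "Adding"
    return present

if __name__ == "__main__":
    cmds, installed = replay_applets(SAMPLE_LOG)
    print("\n".join(cmds))
    print("NAT rule installed:", installed,
          "| tracked route present:", tracked_route_present(SAMPLE_LOG))
```

Feed it a log in which Removing and Adding do not strictly alternate (for example a reload between events) and the two functions disagree, which is the condition to watch for with the occurrence-counting approach.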