FTD Re-Registration

keithcclark71
Level 3

I accidentally removed an FTD from FMC that is a tunnel-connected tail site firewall. I went and did an FMC restore, which brings the FTD back and the tunnel is up and I can ping the mgmt interface of the FTD, but I cannot deploy any configs to it. Also when I SSH into the FTD and do show managers it now says none. I was thinking I could remove it from FMC then try to do a re-registration, but I am thinking my VPN will drop and I will lose communication before the FTD can get all the settings from the FMC such as NAT, S2S. Do I have to bring this back to where the FMC is and reapply everything on the local subnet where the FMC is and then change my mgmt to the tail site subnet and physically redeploy to site?

8 Replies

@keithcclark71 did the FTD communicate with the FMC over the VPN, for the sftunnel management communication?

Or did you manage the FTD over the outside data interface? If so you would not need a VPN to communicate to the FMC

Hey Rob, the FMC pushed policies to the mgmt interface over the VPN, so I believe communication to and from the FMC and FTD is over the existing S2S tunnels only. Everything is still working thankfully, but I can't deploy any changes. I wish I could just re-register the FTD over the VPN but I don't think it will complete.

@keithcclark71 I can't say I've ever done it that way before, I prefer to manage over the external interface, so it does not rely on the VPN that the FMC needs to have configured... but if the VPN tunnel is up and you can communicate with the FMC (ping), then I see no reason why you cannot attempt to re-establish the sftunnel communication, re-add the manager to establish connectivity.

Or depending on what FTD version you are running you could change management to the data interface, and re-establish connectivity directly over the internet/WAN (the sftunnel is encrypted), that way it doesn't rely on the VPN being up.

I'm running 7.2. How would I go about changing to the data interface for mgmt while SSHed into the FTD?

Would I still be able to SSH into the FTD once I changed to the data interface for mgmt? I would need to do that so I could register it to the FMC.

Oh wait, the VPN would still remain up if I changed mgmt to the data external interface. Yes, I'd like to try this off hours of course. I would imagine I'd use the configure network command and change to the external data interface for mgmt somehow? Would deployment changes then go over the data interface, or am I mixing things up here on mgmt interface types?

@keithcclark71 the VPN is already up now, so I was suggesting re-establishing connectivity over the VPN.

The other option: if you changed management to the data interface you aren't relying on the VPN being up in future for management purposes. However, the management guide below states that SSH is not enabled on a data interface by default, so if you haven't already permitted it you won't be able to manage the device until you get it connected to the FMC again.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/management-center-mgmt-nw/fmc-ftd-mgmt-nw.html#Cisco_Concept.dita_a3adf1ee-a270-4ff4-8b7b-3f9a3f4f1636

Try re-establishing connectivity over the VPN tunnel, by re-registering the FTD.

If I try to re-register the FTD to the FMC over the existing tunnel I am certain I will lose connectivity and I will have to bring the FTD to where the FMC is and register from the same subnet, then redeploy and take it back to location. I believe the VPN config will be wiped out before being reapplied, thus losing connection. I am going to try this when I establish a maintenance window regardless, to avoid the chicken little heads that will be running around calling me non-stop if an outage occurs. That being said, I agree with you on keeping management separate from the remote VPN subnet; I am just trying to figure out how I would do this so that the FTD will register over the public internet to the FMC through the public side where the FMC is located. It seems like I would have to also enable a port forward for where the FMC is for the sftunnel communications. I was also wondering, if you are managing using the data side, does Firepower communication go through outside then through management to the inside subnet to analyze traffic flows through the IPS/SNORT engine etc.?

@keithcclark71 you'd have to set up NAT (tcp/8305) on the firewall in front of the FMC for the sftunnel communication. If you use the data interface for FMC communication, then the management interface is not used.
