PSA: AWS VPN connection with Firewall Device Manager is not possible

EvanC75
Level 1

Tested with FTD 7.7.10-5. Firepower 1010, web-managed by Firewall Device Manager. VTI route-based VPN is not possible to set up since BGP cannot be configured. For the policy-based VPN setup, the parameters, PSKs, IPs, IKE policy, IPsec proposal, NAT, and ACL were quadruple-checked; the connection is never established. AWS and FDM do not detail why the connection failed, so it is not possible to troubleshoot. In case anyone mentions FMC, I cannot get it, nor do I have the hardware for it. It probably won't work either anyway.

Regards.
2 Replies

Marvin Rhoads
Hall of Fame

BGP can certainly work with a Firepower 1010 managed with FDM. It's been several years, but I recall setting it up on a 2100 series in the 6.7-7.0 days.

https://www.cisco.com/c/en/us/td/docs/security/firepower/770/fdm/fptd-fdm-config-guide-770/fptd-fdm-bgp.html

Thanks for the reply. Was this something that changed in later versions, perhaps? I found that BGP cannot be configured in FDM the way AWS now requires. AWS requires link-local IPs assigned to the VTI, but FDM cannot assign or configure link-local addresses on a VTI, nor can it set the BGP update-source to the VTI. I also found that FDM would reject the 169.x gateway every time I tried to set up a static route to the AWS 169.x address from the VTI 169.x address. I tried again tonight with just a static route without BGP, and that won't work either. Both FDM and AWS show the tunnel is up, but traffic will not go through. I have repeatedly checked the ACL, NAT, static route, IKEv2, IPsec proposal, PSK, and VTI on FDM and the security groups and route table on AWS. It just won't work...

Regards.
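The reply above hinges on the addressing AWS hands out for the inside of each tunnel: a /30 carved from 169.254.0.0/16, with one usable host for the AWS side and one for the customer gateway (the FTD's VTI), and the AWS-side host serving as the BGP neighbor or, without BGP, as the static-route next hop. The script below is an added example, not code from the thread, from Cisco or from AWS: given the inside tunnel CIDR shown in the AWS console, it derives both addresses, refuses the /30 blocks AWS reserves, and prints the static route a policy of "VPC prefix via the AWS inside address" would need. It assumes AWS takes the first usable host of the /30 and the customer gateway the second; confirm that against the "Inside IP Addresses" section of the configuration downloaded from the AWS console before using the output.

```python
"""Derive the VTI addressing an AWS Site-to-Site VPN tunnel expects.

Added example (not code from the thread, Cisco or AWS). Assumption: AWS
takes the first usable host of the /30 and the customer gateway the second.
"""
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# /30 blocks AWS does not allow as inside tunnel CIDRs.
RESERVED = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
)]


@dataclass(frozen=True)
class TunnelAddressing:
    cgw_address: str   # address to configure on the FTD VTI, with /30 mask
    aws_peer: str      # AWS inside address: BGP neighbor or static-route gateway
    network: str       # the inside tunnel CIDR itself


def tunnel_addressing(inside_cidr: str) -> TunnelAddressing:
    """Split an AWS inside tunnel CIDR into the two tunnel endpoint addresses."""
    net = ipaddress.ip_network(inside_cidr, strict=True)
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"inside tunnel CIDR must be an IPv4 /30, got {inside_cidr}")
    if not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{inside_cidr} is not within 169.254.0.0/16")
    if net in RESERVED:
        raise ValueError(f"{inside_cidr} is reserved by AWS")
    hosts = list(net.hosts())          # exactly two usable addresses in a /30
    aws_side, customer_side = hosts    # assumption: AWS first, customer second
    return TunnelAddressing(
        cgw_address=f"{customer_side}/30",
        aws_peer=str(aws_side),
        network=str(net),
    )


def static_route_for(inside_cidr: str, vpc_cidr: str) -> str:
    """Static-route alternative to BGP: the VPC prefix via the AWS inside address."""
    t = tunnel_addressing(inside_cidr)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return f"{vpc} via {t.aws_peer}"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real VPN connection.
    t = tunnel_addressing("169.254.10.0/30")
    print(f"VTI address: {t.cgw_address}")
    print(f"AWS peer:    {t.aws_peer}")
    print(static_route_for("169.254.10.0/30", "10.20.0.0/16"))
```

The output is only what the AWS side expects on the wire; it does not change the FDM limitation the reply describes, where the VTI cannot be given a 169.254 address and a 169.254 next hop is rejected. It is useful as a checklist item: if the VTI address and the route gateway are not the two hosts of the same /30 AWS assigned, the tunnel can come up at the IKE/IPsec layer while no traffic is routed into it.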