VPN Failover on FTDs

donald.heslop1
Beginner

Has anyone gotten VPN failover to work on Cisco FTDs (not ASAs with backup peers)? Here's the scenario: we are trying to set up two FTD 2100s in an HA pair for failover of not only the Internet but for S2S and RA VPNs as well. So far we can get the Internet failover to work, but when it comes to VPNs the FTD won't switch over to the backup VPN setup. I noticed that even though the Internet did fail over to the backup circuit, the VPN was still saying to go out of the primary interface.

So I completely ripped out the VPN policy, deployed, recreated the VPN policy to use the backup interface, and redeployed to the FTD. The routing table now says to route traffic destined for the remote LAN using the VPN, which is now tied to the backup interface. You would think traffic should work, right?

Wrong. Traffic will not work (I configured NAT and the ACP to match the original VPN that was working on the primary interface). I do a packet tracer and it allows the traffic, but when I ping from one machine to a machine in the remote office, no traffic.

Then I rebuilt everything back to the primary interface and no traffic on the VPN. So now, even though I rebuilt everything, I have no VPN whatsoever.

Has anyone got failover VPN to work on FTDs without manual intervention? I'm seconds away from telling my Director to stop selling these things and go to PA.

15 Replies

Marvin Rhoads
VIP Community Legend

I have it working fine for remote access VPN at a couple of customers. BGP routing at one and static default with tracking for the backup at another. The SSL VPN certificate has a SAN for the FQDN of the addresses assigned to both primary and backup path outside addresses.

Neither customer has any site-to-site VPN terminating on the FTD devices, so I haven't had a chance to set those up yet.
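The reply above hinges on one detail that is easy to get wrong: the headend certificate must carry a Subject Alternative Name for the FQDN clients will use on the primary path and for the one they will use on the backup path, otherwise clients that fail over get a name-mismatch error. The following Python is an added example, not code from the thread or from Cisco; it takes a certificate in the dictionary shape returned by `ssl.SSLSocket.getpeercert()` and reports which of a list of FQDNs the SAN does not cover. The two FQDNs and the sample certificate are constructed placeholders; `fetch_cert` is an optional helper for pulling a live certificate and is not needed for the offline check.

```python
"""Verify that a VPN headend certificate's SAN covers both the primary-path and
backup-path FQDNs. Added example; assumes the certificate is available in the
dict shape produced by ssl.SSLSocket.getpeercert(), reproduced below."""
import socket
import ssl

# Constructed placeholder FQDNs for the two outside interfaces (assumption).
PRIMARY_FQDN = "vpn-primary.example.com"
BACKUP_FQDN = "vpn-backup.example.com"

# Constructed sample certificate in getpeercert() format; not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn-primary.example.com"),),),
    "subjectAltName": (
        ("DNS", "vpn-primary.example.com"),
        ("DNS", "vpn-backup.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def san_dns_names(cert):
    """Return the dNSName entries of the SAN. The commonName is deliberately
    ignored: modern clients do not fall back to it when a SAN is present."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and a wildcard is honoured
    only as the complete leftmost label (so *.example.com does not cover
    a.b.example.com or example.com itself)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) > 1 and ".".join(host_labels[1:]) == pattern[2:]


def missing_fqdns(cert, fqdns):
    """Return the FQDNs from `fqdns` that no SAN dNSName entry matches.
    An empty list means every failover path is covered."""
    names = san_dns_names(cert)
    return [fqdn for fqdn in fqdns if not any(name_matches(n, fqdn) for n in names)]


def fetch_cert(host, port=443, timeout=5.0):
    """Optional live fetch (needs network): returns the headend certificate in
    the same dict shape as SAMPLE_CERT, with chain validation enabled."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    gaps = missing_fqdns(SAMPLE_CERT, [PRIMARY_FQDN, BACKUP_FQDN])
    if gaps:
        print("SAN does not cover:", ", ".join(gaps))
    else:
        print("SAN covers both the primary and backup path FQDNs")
```

Run it against the sample and it reports both paths covered; point `fetch_cert` at each outside address in turn (with the FQDN clients use for that path as `host`) to confirm the same certificate is actually being presented on both interfaces, since the SAN check alone does not prove the backup interface is serving the right certificate.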

Yeah, from everything I read and through my own labbing, you can't do failover site-to-site VPNs on FTDs. Just wondering if anyone has ever done it.

Marvin,

Did you have to create two Remote Access policies in the FTD?