Re: VPN Redundancy on FTD?

Mzamzam · ‎12-17-2018

I need to check if I can create 2 VPNs on FTD to another site with 2 different WAN links to get the redundancy.

And how to do This in FMC, as when I tryied it, it worked on only first VPN?

and Also, if I have 2 firewalls in each site as HA? How it will work?

Mzamzam · ‎12-17-2018

The Diagram

Mohammed al Baqari · ‎12-17-2018

FTD like ASA, they work in Active/standby when you configure them as HA
pair. The VPN connection pops on the 1st peer and when it fails over it
will popup on the 2nd peer. It won't be active/active.

If you want active/active, you need to configure clustering.

Mzamzam · ‎12-17-2018

Hi Mohamed,
Thanks a lot for your reply,

This Incase of two firewalls in site,

What if I need to configure the two VPNs in the same FTD box in each site.

Means each site has one FTD with two WAN links.

Thanks and Best Regards,
Mohamed Zamzam

Mohammed al Baqari · ‎12-18-2018

Why not to configure redundant interfaces then two vpns assigned to
redundant interface

Mzamzam · ‎12-18-2018

This is a good Idea, I will try it,

But is the redundant interface will up when the WAN link down logically not physically.
Means if I can reach to the gateway router but not the WAN cloud.

Also, I think in the other side is the remote peer will recognize the down of the interface.

Sorry for the alot of explanation, but to find the best solution.
Thanks and Best Regards,
Mohamed Zamzam

Mohammed al Baqari · ‎12-18-2018

That can't be achieved if you use redundant or single interface. For this
other techniques are used such as dynamic routing protocols to detect
failures.