Solved: WAN redundancy S2S tunnels FMC FTD

keithcclark71 · ‎10-06-2022

I am migrating from ASA to FTD where the ASA has Primary WAN (Outside) interface and Backup WAN (Backup interface) The ASA has S2S tunnels and also backup interface ACE's Mirrored from the outside primary interface. This is in place on the ASA so that if primary interface goes down the backup interface picks up on behalf of. I don't know how to configure on FMC so that this is in place and also do not understand how if backup WAN became active that the S2S tunnels would peer with the new public IP once failed over ton the backup WAN interface???

Rob Ingram · ‎10-06-2022

@keithcclark71 For the failover between Primary and Backup WAN connections use IP SLA and tracking, example.

Ensure DPD is enabled to clear the dead IKE/IPSec SAs

I assume this FTD is the hub for remote VPN connections? If so configure 2 VPN Topologies, one using the Primary interface and the other using the Backup interface.

If the peer devices are ASA/FTD, you can specify a primary peer IP and a backup peer IP in the crypto map configuration (ASA) or VPN topology (FTD).

View solution in original post

Rob Ingram · ‎10-06-2022

@keithcclark71 For the failover between Primary and Backup WAN connections use IP SLA and tracking, example.

Ensure DPD is enabled to clear the dead IKE/IPSec SAs

I assume this FTD is the hub for remote VPN connections? If so configure 2 VPN Topologies, one using the Primary interface and the other using the Backup interface.

If the peer devices are ASA/FTD, you can specify a primary peer IP and a backup peer IP in the crypto map configuration (ASA) or VPN topology (FTD).

keithcclark71 · ‎10-07-2022

That Example you linked to is great Rob. Thanks man