10-10-2022 04:28 AM
Current topology for S2S is Mesh with 4 FTD members, all peered using outside public IP addresses. Two of these FTDs have secondary ISP interfaces designated as backup links configured within SLA. I want to add a new topology for the S2S tunnels to re-establish to the ISP backup if the primary ISP interface goes down. The problem I have is that one of the FTDs that has the backup ISP interface is set to a private IP 192.168.0.167, with its gateway being a public IP address. How can I peer the S2S failover topology to have it work with a private-IP-addressed peer?
How would that even work? I am confused, as this is how it is currently set up on their 5505 ASAs from which I am migrating to Firepower. I also don't see any hits on this interface's rules, which makes me wonder if it ever even worked in the current production environment, or if the primary interface has never gone offline.
10-10-2022 04:49 AM
@keithcclark71 you'd have to have the device in front of the FTD backup ISP interface translating the public IP address to the 192.168.0.167 address. If it's currently the backup interface, it could well be it's never been used before (or for a while), hence no hits. Best to test failover as part of the migration.