Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
924
Views
3
Helpful
8
Replies

FTD ISP failover and DVTI

Isaac Lama
Level 1
Level 1

‎06-25-2024 07:44 PM

Hey Everyone, 
I have a new setup with FTDs and a CdFMC. CdFMC is on 7.4 and the firewalls are all on 7.3.1.

I'm trying to get ISP failover and VPN failover to work and it just doesn't seem to be working out. 

Right now I have a hub firewall in HA at a Datacenter that has one incoming ISP. I have a spoke with 2 ISPs. I have a DVTI Config on the hub with a primary and secondary VTI setup on the spoke. Traffic passes if I have a static route setup or if I enable "reverse route injection" enabled in the VPN Settings. I can't add a secondary route because the secondary route "cannot have the same destination gateway". This is the error I see. If the ISP Fails no traffic passes on the secondary tunnel. If I change the static route the traffic will pass. BGP is also not working for me as the neighbors never connect. 
Failover does seem to be working for ISP, however I cannot point an SLA outside of the network for a target. Pointing at the default gateway for the ISP is ok, but only if the device goes offline. Most of the time the problem is beyond the customer equipment so it's not accurate. 
Has anyone gotten this to work? 

Labels:
8 Replies 8

MHM Cisco World
VIP
VIP

‎06-26-2024 02:21 AM

sorry friend one by one
you use hub and spoke in FW 
this FW have dual ISP 


are above is correct ?

MHM

0 Helpful

Isaac Lama
Level 1
Level 1

‎06-26-2024 11:06 AM

Hi and thanks for the reply.  
Right now the Hub firewall is at our datacenter with the business critical systems behind it. It has one ISP. This firewall is in an HA pair. FPR1140 x 2 

I have a bunch of spokes but the setup is basically the same. An FPR1140 with 2 ISP at the main office spoke. And then FPR1010 at remote offices with 2 ISP. 

0 Helpful

MHM Cisco World
VIP
VIP
In response to Isaac Lama

‎06-26-2024 04:23 PM - edited ‎06-27-2024 05:01 AM

I get better idea let me check it 

MHM

0 Helpful

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎06-26-2024 04:28 PM - edited ‎06-27-2024 05:01 AM

thanks 

MHM

0 Helpful

Isaac Lama
Level 1
Level 1

‎07-10-2024 07:21 AM

Hey MHM, and anyone else for that matter... is this some kind of crazy request? I have had so much trouble getting this to work and not to badmouth TAC but it seems like they don't know how to do this either (maybe it's just the technician I have). 

MHM Cisco World
VIP
VIP
In response to Isaac Lama

‎07-10-2024 08:38 AM

It need some deep dive in topolgy' I will share my idea about solution.

Update you tonight 

MHM

0 Helpful

MHM Cisco World
VIP
VIP

‎07-13-2024 05:20 PM

Hi Friend 
check below topolgy design, the idea in is in spoke not config two VTI one primary and other backup but config two VTI run in same time and make other level (IGP or BGP) do control the traffic 
the Hub have two path to Internal Spoke via two VTI and prefer one will most prefer 
FW HA failover.png

Sorry for late reply

Thanks 

MHM

0 Helpful

Isaac Lama
Level 1
Level 1

‎08-09-2024 06:37 AM

Sorry For my late reply and thanks for helping me with this. It does look like it will work, let me test this out on one of my spokes and I will accept as a solution. Thanks again! 

Customers Also Viewed These Support Documents