01-23-2024 09:41 PM
Hello Team,
Need help configuring IP transit between my data centres. Below is the scenario.
On DCA I have 2 FTDs in HA (physical), managed by a virtual FMC. The FTDs peer with the ISP via BGP, advertising my /24 address block. One address from this /24 I use to peer site-to-site VPNs with my partners.
On DCB I have 1 virtual FTD, managed by the virtual FMC on DCA. Here I have peered with an ISP who has also advertised the same /24 via BGP. I don't have any IPsec site-to-site VPNs here.
I wish to have a setup where the site-to-site /32 IP used to peer VPNs on DCA can transit to DCB automatically, in case links/network in DCA are unreachable, and be transparent to my partners, i.e. I don't ask them to reconfigure their peer on the VPN.
Kindly give me ideas, configuration if possible on how to achieve this.
01-23-2024 10:06 PM - edited 01-23-2024 10:07 PM
Hello @felix.mugambi
To enable automatic failover for your site-to-site VPN traffic from DCA to DCB, you could configure BGP peering on DCB to receive the /24 prefix from the ISP. Advertise a loopback interface with a /32 address on DCB and set up IP SLA on DCA to track the reachability of a specific IP. Modify the BGP configuration on DCA to conditionally advertise the /32 loopback IP from DCB based on the IP SLA status.
Ensure your site-to-site VPNs on DCA are configured to peer with the /32 loopback IP on DCB. When the IP SLA track detects a failure, BGP on DCA will stop advertising the /32 loopback IP, prompting automatic traffic rerouting to DCB without requiring partner reconfiguration.
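As an added illustration of the conditional-advertisement idea above (not configuration from the original post or from the replier), here is the DCB side in IOS-style BGP syntax; the addresses, AS numbers and interface names are constructed placeholders, and on FTD the same logic has to be expressed through FMC's BGP and route-map objects where they are available. DCB probes DCA across the ISP, and only when the probe fails does it announce the VPN peer /32 from its own loopback, while the /24 is always announced with an AS-path prepend so DCA stays the preferred path for the aggregate.

```cisco
! DCB edge, IOS-style syntax (constructed example; all addresses, AS numbers
! and interface names are placeholders, not the poster's values)
!
! 1. Probe DCA's ISP-facing address across the ISP
ip sla 10
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! 2. Tracked static route: in the RIB (and thus in BGP) only while DCA answers
ip route 192.0.2.1 255.255.255.255 203.0.113.1 track 10
!
! 3. The VPN peer /32 lives on a loopback in DCB, ready to take over
interface Loopback0
 ip address 198.51.100.10 255.255.255.255
!
ip prefix-list DCA-ALIVE seq 5 permit 192.0.2.1/32
ip prefix-list VPN-PEER  seq 5 permit 198.51.100.10/32
ip prefix-list MY-BLOCK  seq 5 permit 198.51.100.0/24
!
! non-exist-map: while this prefix is in the BGP table, the /32 is suppressed
route-map DCA-ALIVE permit 10
 match ip address prefix-list DCA-ALIVE
! advertise-map: what to announce once the condition prefix disappears
route-map ADV-VPN-PEER permit 10
 match ip address prefix-list VPN-PEER
! Outbound policy: /32 as-is, /24 prepended; the probe route is never leaked
! because it matches no clause (implicit deny)
route-map ISP-OUT permit 10
 match ip address prefix-list VPN-PEER
route-map ISP-OUT permit 20
 match ip address prefix-list MY-BLOCK
 set as-path prepend 65010 65010
!
router bgp 65010
 network 198.51.100.0 mask 255.255.255.0
 network 198.51.100.10 mask 255.255.255.255
 network 192.0.2.1 mask 255.255.255.255
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 route-map ISP-OUT out
 neighbor 203.0.113.1 advertise-map ADV-VPN-PEER non-exist-map DCA-ALIVE
```

Two checks before relying on this: confirm the ISP accepts a prefix longer than /24 from you (many filter them), and remember the existing IPsec SAs do not move with the prefix, so DCB needs its own matching site-to-site VPN configuration and the partners' tunnels re-establish after the /32 shifts.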
01-23-2024 11:44 PM
And do I need to separate how I manage the two FTDs, or can they still be managed by the single FMC?
01-23-2024 10:13 PM
So this cannot work if the /32 IP is on a physical interface?
01-23-2024 10:17 PM
Where does this loopback sit, in which DC? "Ensure your site-to-site VPNs on DCA are configured to peer with the /32 loopback IP on DCB." And since partners are already peering to a /32 IP sitting in DCA, what does that mean for me in your solution?
01-24-2024 12:27 AM
So you need the S2S VPN as backup if the ISP is down?
But as I understand from your original post, the VPN also uses the ISP, so if the ISP is down the VPN will also be down.
MHM
01-24-2024 01:07 AM
The VPN peer IP, the /32, is among the /24 advertised by the ISP in DCA. The ISP in DCB has advertised the /24 on DCB as well. The question was how I can transit the /32 between the DCs, in case either has an issue.
I would use AS prepend to manipulate primary and secondary, but how to move the /32 peer IP is what I am having a challenge visualizing.
01-24-2024 01:11 AM
I really don't follow you; if you can share the topology, to make it clear.
Also we can always use VTI if we face routing issues with legacy IPsec VPN; did you think about VTI?
Thanks
MHM
01-24-2024 01:54 AM
01-24-2024 02:44 AM
You can use VTI between the two FTDs,
using as tunnel source and destination the IP of the interface connecting each site to the SP. No need to use this overlapping subnet to build the VPN.
MHM
01-24-2024 03:39 AM
The VPNs in context here are to different partners, all mapped to the device and IP on DCA. These are all up.
I need to know if this peer IP on DCA can be moved to DCB (transited) using BGP advertisement concepts, so that should DCA have issues the protocol moves the peer IP to DCB; this way the partner will never know if DCA has an issue, or vice versa.
01-25-2024 06:52 AM
I think what you are looking for:
you want IPsec to stay up when traffic changes from DC-1 to DC-2.
I think this cannot happen; you need stateful sync between the FTDs in both sites to exchange all IPsec connection details,
so that the other peer doesn't detect the swap of IP between the two DCs.
I hope I am correct here.
MHM
01-29-2024 10:39 PM
There is the concept of AS prepend, where manually I would make DC1 preferable, with the best path, since I am advertising the /24 network, but how to make the /32 active on DC2 is where I am not getting it.
Secondly, does it mean I need a copy of the IPsec configs on DC2 as they are on DC1?