Two VTI tunnels; traffic replies going out on the wrong tunnel

steven-charles (Level 1)

[attached image: stevencharles_1-1732767781537.png]

I have a remote office with two active VTI tunnels for redundancy, each tunnel connecting to a different datacenter.  EIGRP is running on everything (remote router and both FTD firewalls).

If ISP 1 is down, everything works via ISP 2.  Meaning I can still ping both server A and server B.
Vice versa if ISP 2 is down, I can also still ping both server A and server B.

The problem is when both ISPs are UP.  When EIGRP does its thing, the routing table on the remote router has both networks for server A & B advertised over tunnel 1.  When the remote office tries to ping server B, it does not reply.  What happens is that server B does get the request (verified by packet capture), BUT it's sending the response out tunnel 2 (which was not the original source of the request and gets dropped by the firewall).

Is there a way to make sure the response goes back the same way the request came in?  Alternatively, if there's a way to only enable tunnel 2 on the remote router if tunnel 1 is down, that could be another solution.
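The asymmetry the poster describes can be reproduced with a small routing model. The following is an added example, not code from the original thread or from Cisco: the site names, prefixes, link names and metrics are constructed assumptions chosen so that EIGRP-style best-path selection (longest prefix, then lowest metric, one successor per prefix) sends the request over tunnel 1 and the reply over tunnel 2. The `mirrored_ribs()` scenario illustrates the principle behind the poster's first question, that the datacenter side must prefer the same tunnel the remote side does; the specific metric change it uses is an assumption for illustration, not a recommendation from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the post): a remote site with two
# VTI tunnels, one to each datacenter, and a datacenter interconnect "dci".
# LINKS[site][link] is the site at the far end of that link.
LINKS = {
    "remote": {"tun1": "dcA", "tun2": "dcB"},
    "dcA":    {"tun1": "remote", "dci": "dcB"},
    "dcB":    {"tun2": "remote", "dci": "dcA"},
}
# Prefixes each site owns (constructed). Server A is in dcA, server B in dcB.
LOCAL = {
    "remote": ip_network("10.10.0.0/24"),
    "dcA":    ip_network("10.1.0.0/24"),
    "dcB":    ip_network("10.2.0.0/24"),
}

def posted_ribs():
    """RIBs as the post describes them: the remote router reaches both server
    networks via tun1, while dcB prefers its own tunnel (tun2) back to the
    remote site. Entries are (prefix, outgoing link, metric); constructed."""
    return {
        "remote": [(ip_network("10.1.0.0/24"), "tun1", 100),
                   (ip_network("10.2.0.0/24"), "tun1", 200),
                   (ip_network("10.2.0.0/24"), "tun2", 250)],
        "dcA":    [(ip_network("10.10.0.0/24"), "tun1", 100),
                   (ip_network("10.10.0.0/24"), "dci", 300),
                   (ip_network("10.2.0.0/24"), "dci", 50)],
        "dcB":    [(ip_network("10.10.0.0/24"), "tun2", 100),
                   (ip_network("10.10.0.0/24"), "dci", 150),
                   (ip_network("10.1.0.0/24"), "dci", 50)],
    }

def mirrored_ribs():
    """Same topology, but dcB's metric for the remote prefix over tun2 is raised
    (assumed, e.g. by a higher interface delay) so that while tun1 is up the
    return path goes dcB -> dcA -> tun1, matching the forward path."""
    ribs = posted_ribs()
    ribs["dcB"] = [(ip_network("10.10.0.0/24"), "tun2", 400),
                   (ip_network("10.10.0.0/24"), "dci", 150),
                   (ip_network("10.1.0.0/24"), "dci", 50)]
    return ribs

def best_route(rib, dst):
    """Longest-prefix match, then lowest metric: one successor per prefix,
    as an EIGRP-fed RIB behaves without variance."""
    dst = ip_address(dst)
    cands = [r for r in rib if dst in r[0]]
    if not cands:
        return None
    cands.sort(key=lambda r: (-r[0].prefixlen, r[2]))
    return cands[0][1]

def site_of(ip):
    """Return the site whose local prefix contains ip."""
    ip = ip_address(ip)
    return next(site for site, net in LOCAL.items() if ip in net)

def trace(ribs, src_site, dst_ip):
    """Walk hop by hop from src_site toward dst_ip; return the links used."""
    site, path = src_site, []
    for _ in range(8):  # loop guard
        if ip_address(dst_ip) in LOCAL[site]:
            return path
        link = best_route(ribs[site], dst_ip)
        if link is None:
            raise LookupError(f"{site} has no route to {dst_ip}")
        path.append(link)
        site = LINKS[site][link]
    raise RuntimeError("routing loop")

def check_symmetry(ribs, src_ip, dst_ip):
    """Forward links, return links, and whether the reply retraces the request.
    A stateful firewall on a tunnel that only sees the reply drops it, which is
    the symptom in the post."""
    fwd = trace(ribs, site_of(src_ip), dst_ip)
    rev = trace(ribs, site_of(dst_ip), src_ip)
    return fwd, rev, fwd == list(reversed(rev))

if __name__ == "__main__":
    for name, ribs in (("posted", posted_ribs()), ("mirrored", mirrored_ribs())):
        print(name, check_symmetry(ribs, "10.10.0.10", "10.2.0.10"))
```

Running it with the posted tables shows the request entering datacenter A over `tun1` and the reply leaving datacenter B over `tun2`; with the mirrored tables both directions use `tun1` and the interconnect, and if `tun1` disappears the remaining `tun2` entries still carry traffic in both directions, which matches the failover behaviour the post reports.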
