01-08-2019 05:07 AM - edited 03-12-2019 05:33 AM
Does anyone know if it's possible to configure a backup peer with the Firepower Management Center VPN configuration, ideally in a full mesh topology?
On ASA this would be configured on the crypto map, something like "crypto map outside_map 10 set peer 1.1.1.1 2.2.2.1".
It's really a big limitation of the product if we can only have a single internet connection in each site (or at least without using an additional router/DMVPN/etc.), as I was hoping to keep the number of devices and the complexity to a minimum.
Thanks in advance
01-08-2019 05:32 AM
I think there is no backup peer IP address. I have checked my FMC for FTD. Nope.
01-08-2019 06:20 AM
01-08-2019 06:22 AM
Hi, I am on 6.1.0.
01-08-2019 07:07 AM
I'm testing with 6.2.3.
Where would I configure this?
01-08-2019 07:32 AM - edited 01-08-2019 07:32 AM
Try using FlexConfig.
01-08-2019 08:00 AM
Hi,
See this link. It states that for IKEv1, you can define a backup peer for point-to-point Extranet VPNs.
HTH
01-08-2019 08:09 AM
Thanks for that. My understanding of the Extranet device is that it should be used for devices that cannot be managed in FMC (but all my devices can be managed on FMC). Is there a way to do this and still have them under FMC's management?
01-08-2019 08:18 AM - edited 01-08-2019 08:23 AM
There doesn't appear to be (that I am aware of) an elegant or obvious way of configuring this yet for FTDs managed by the same FMC. Whether the previous suggestion of using FlexConfig to configure an additional peer works, I don't know, as I have not tested it.
HTH
01-08-2019 08:30 AM
OK, thanks, that's the conclusion I've come to as well. It's a real shame that FMC/FTD appears to be lacking these enterprise-level VPN features... I don't think many customers would be happy with being limited to a single WAN connection for their VPNs.
I will have a look at FlexConfig, but it already seems like a workaround that I wouldn't really be happy to put into production. My aim for my project is to simplify our management, and using additional scripts to fix missing functionality isn't helping that.
01-08-2019 08:49 AM
Yes mate, agree, the only option is FlexConfig at the moment.
06-09-2019 09:40 AM
In 6.2.3 and above, this feature is available.
In the peer definition, when you choose an Extranet device, you can supply two IPs separated by a comma for the IP address. This will define them as redundant peers for the same VPN.
10-03-2023 05:01 PM
Hello, the equivalent in FMC is to create 2 tunnels with the same configuration, where the only thing that varies between the 2 tunnels is the outside interface you use. For example, you create one with outside1 and the other with outside2.