Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3661
Views
0
Helpful
12
Replies

Firepower FMC VPN - backup peer?

mhmservice
Level 1
Level 1

‎01-08-2019 05:07 AM - edited ‎03-12-2019 05:33 AM

Does anyone know if it's possible to configure a backup peer with the firepower management center VPN configuration - ideally in full mesh topology

 

On ASA this would be configured on the crypto-map something like "crypto map outside_map 10 set peer 1.1.1.1 2.2.2.1"

 

It's really a big limitation of the product if we can only have a single internet connection in each site (or at least without using an additional router/DMVPN/etc), as I was hoping to keep the number of devices and complexity to a minimum

 

Thanks in advance

Labels:
0 Helpful
12 Replies 12

Sheraz.Salim
VIP
VIP

‎01-08-2019 05:32 AM

I think there is no backup peer ip address. I have check my fmc for FTD. nope.

please do not forget to rate.
0 Helpful

Rob Ingram
VIP
VIP

‎01-08-2019 06:20 AM

Hi,

What version are you running? This bug CSCvg43238 indicates it's fixed in 6.2.3

 

HTH

0 Helpful

Sheraz.Salim
VIP
VIP
In response to Rob Ingram

‎01-08-2019 06:22 AM

Hi I am on 6.1.0

please do not forget to rate.
0 Helpful

mhmservice
Level 1
Level 1
In response to Rob Ingram

‎01-08-2019 07:07 AM

I'm testing with 6.2.3,

 

Where would I configure this?

0 Helpful

Sheraz.Salim
VIP
VIP
In response to mhmservice

‎01-08-2019 07:32 AM - edited ‎01-08-2019 07:32 AM

try using the flex config

please do not forget to rate.
0 Helpful

Rob Ingram
VIP
VIP
In response to mhmservice

‎01-08-2019 08:00 AM

Hi,

See this link. It states for IKEv1, you can define a backup peer for point-to-point Extranet VPNs.

 

HTH

0 Helpful

mhmservice
Level 1
Level 1
In response to Rob Ingram

‎01-08-2019 08:09 AM

Thanks for that, my understanding of Extranet device is that it should be used for devices that cannot be managed in FMC (but all my devices can be managed on FMC), is there a way to do this and still have them under FMC's management?

0 Helpful

Rob Ingram
VIP
VIP
In response to mhmservice

‎01-08-2019 08:18 AM - edited ‎01-08-2019 08:23 AM

There doesn't appear to be (that I am aware of) an elegant or obvious way of configuring this yet, for FTD's managed by the same FMC. Whether the previous suggestion of using FlexConfig to configure an additional peer works I dont know, as I have not tested.

HTH

0 Helpful

mhmservice
Level 1
Level 1
In response to Rob Ingram

‎01-08-2019 08:30 AM

OK thanks, thats the conclusion i've come to as well, it's a real shame that FMC/FTD appears to be lacking these enterprise-level VPN features... I don't think many customers would be happy with being limited to a single WAN connection for their VPNs

 

I will have a look at FlexConfig but it already seems like a workaround that I wouldnt really be happy to put into production, my aim for my project is simplify our management and using additional scripts to fix missing functionality isn't helping that..

0 Helpful

Sheraz.Salim
VIP
VIP
In response to mhmservice

‎01-08-2019 08:49 AM

Yes mate agree only option is flex config at the moment 

please do not forget to rate.
0 Helpful

DeSimoneD
Level 1
Level 1
In response to mhmservice

‎06-09-2019 09:40 AM

In 6.2.3 and above, this feature is available.

 

In the peer definition, when you choose an Extranet device, you can supply two IP's separated by a comma, for the IP address.  This will define them as redundant peers for the same VPN.

 

0 Helpful

malecona
Level 1
Level 1

‎10-03-2023 05:01 PM

Hola , su equivalente en FMC es crear 2 túneles con la misma configuración , donde en cada uno de los 2 túneles solo va a variar la interface  outside que uses , ejemplo uno lo creas con la outside1 y el otro con la outside2 .

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents