Beginner

Firepower FMC VPN - backup peer?

Does anyone know if it's possible to configure a backup peer with the Firepower Management Center VPN configuration, ideally in a full mesh topology?

On ASA this would be configured on the crypto map, something like "crypto map outside_map 10 set peer 1.1.1.1 2.2.2.1".

It's really a big limitation of the product if we can only have a single internet connection in each site (or at least without using an additional router/DMVPN/etc.), as I was hoping to keep the number of devices and complexity to a minimum.

 

Thanks in advance

11 REPLIES
Rising star

Re: Firepower FMC VPN - backup peer?

I think there is no backup peer IP address. I have checked my FMC for FTD. Nope.

please do not forget to rate.
RJI, VIP Advocate

Re: Firepower FMC VPN - backup peer?

Hi,

What version are you running? This bug CSCvg43238 indicates it's fixed in 6.2.3

 

HTH

Rising star

Re: Firepower FMC VPN - backup peer?

Hi, I am on 6.1.0.

please do not forget to rate.
Beginner

Re: Firepower FMC VPN - backup peer?

I'm testing with 6.2.3.

Where would I configure this?

Rising star

Re: Firepower FMC VPN - backup peer?

Try using the flex config.

please do not forget to rate.
RJI, VIP Advocate

Re: Firepower FMC VPN - backup peer?

Hi,

See this link. It states for IKEv1, you can define a backup peer for point-to-point Extranet VPNs.

 

HTH

Beginner

Re: Firepower FMC VPN - backup peer?

Thanks for that, my understanding of Extranet device is that it should be used for devices that cannot be managed in FMC (but all my devices can be managed on FMC), is there a way to do this and still have them under FMC's management?

RJI, VIP Advocate

Re: Firepower FMC VPN - backup peer?

There doesn't appear to be (that I am aware of) an elegant or obvious way of configuring this yet for FTDs managed by the same FMC. Whether the previous suggestion of using FlexConfig to configure an additional peer works, I don't know, as I have not tested it.

HTH

Beginner

Re: Firepower FMC VPN - backup peer?

OK thanks, that's the conclusion I've come to as well. It's a real shame that FMC/FTD appears to be lacking these enterprise-level VPN features... I don't think many customers would be happy with being limited to a single WAN connection for their VPNs.

I will have a look at FlexConfig, but it already seems like a workaround that I wouldn't really be happy to put into production. My aim for my project is to simplify our management, and using additional scripts to fix missing functionality isn't helping that.

Rising star

Re: Firepower FMC VPN - backup peer?

Yes mate, agree, the only option is flex config at the moment.

please do not forget to rate.
Beginner

Re: Firepower FMC VPN - backup peer?

In 6.2.3 and above, this feature is available.

In the peer definition, when you choose an Extranet device, you can supply two IPs separated by a comma for the IP address. This will define them as redundant peers for the same VPN.