Will an FTD firewall remove an RRI-created static route for an L2L destination (protected network) if that tunnel's SAs tear down? I am looking to configure automated fail-over for an entity that has two separate VPN hubs in different locations. I think it could be done easily by setting multiple peers and originate-only on the remote end, and setting the hubs to answer-only, if RRI would not create the static routes on the secondary when the SAs were not built.
Currently, we do not support dynamic route addition for static crypto maps on FTD.
Refer to this bug:
Do rate the helpful posts!
Is RRI on the roadmap anywhere? It would be nice to be able to have the routes pulled should the SAs to the primary VPN head-end be torn down. I just don't feel like you get that kind of granularity with IP SLA.