09-17-2024 12:15 AM
Looking for some clarity please around the failover of an S2S VPN terminated on an FTD 9300 cluster.
The FMC configuration guide (Cisco Secure Firewall Management Center Device Configuration Guide, 7.2, "Clustering for the Firepower 4100/9300") states:
"VPN functionality is limited to the control unit and does not take advantage of the cluster high availability capabilities. If the control unit fails, all existing VPN connections are lost, and VPN users will see a disruption in service. When a new control unit is elected, you must reestablish the VPN connections."
So my question is: what happens in the real world when the control node fails? The other node in the cluster should become the active control node after 3 keepalives are lost. So shouldn't the S2S VPN come up on the new active control node, with an expected outage of around XY seconds?
Thank you.
09-22-2024 11:55 AM - edited 09-22-2024 11:56 AM
09-20-2024 09:27 AM
I think the doc is not considering the use of IPsec keepalives; that is why you need to reestablish the VPN connection.
MHM
09-23-2024 01:11 AM
Thank you @Sheraz.Salim. This also aligns with a discussion I had with an SE.