Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1364
Views
0
Helpful
6
Replies

Active Standby Site to Site VPN Firepower

SenglyHuot3269
Level 1
Level 1

‎10-31-2019 01:58 AM - edited ‎10-31-2019 01:59 AM

Hi team,

 

I want to know how to configure Active Standby site to site VPN. Not with 2 firepower in HA pair but 2 internet link in one firepower. With this 2 internet link one is primary with default route of metric 1 and the other is backup with metric 2. While i configure this only one VPN is up (with primary internet) and the other one is not. So would you all en light me on how to configure that. Notice that i use Firepower Management Center. Also, you can find the scenario in below picture. 

Labels:
Preview file
23 KB
0 Helpful
6 Replies 6

Marius Gunnerud
VIP
VIP

‎10-31-2019 02:30 AM

I would suggest configuring SLA tracking of the primary link and not just use metic.

The second VPN tunnel will never be up unless there is traffic passing over the VPN.  If there is no traffic the tunnel will time out and be torn down.  Only true way of testing this is to initiate a failover situation, i.e. link failure on the primary interface for the VPN.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

SenglyHuot3269
Level 1
Level 1
In response to Marius Gunnerud

‎10-31-2019 02:36 AM - edited ‎10-31-2019 02:37 AM

Yes i have done the SLA and also try to do the failover by disable the primary link but the second VPN tunnel never goes up. Also, it is difficult to see the log on firepower management center so i have no idea on what the error.

0 Helpful

Marius Gunnerud
VIP
VIP
In response to SenglyHuot3269

‎10-31-2019 02:42 AM

Just disabling the link will not initiate a failover as that is a controlled / admin initiated command.  You will need to pull the cable connected to the primary interface.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

SenglyHuot3269
Level 1
Level 1
In response to Marius Gunnerud

‎10-31-2019 02:46 AM

Then what is SLA for if we need to pull the cable out. Also, the hardware is not near us, it is in the DC
0 Helpful

Marius Gunnerud
VIP
VIP
In response to SenglyHuot3269

‎10-31-2019 03:51 AM

Sorry, misread your post that you had configured SLA.

How have you configured your VPN? Are you using a backup peer or configured a whole new connection for the backup?  Could you post screenshots of your VPN configuration (remember to black-out any public IPs, passwords, etc.)?

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

SenglyHuot3269
Level 1
Level 1
In response to Marius Gunnerud

‎10-31-2019 05:41 PM

I have create 2 VPN by choosing Firepower Thread Defense Device, and both of them using point to point, with 2 difference public ip (Node A), and for Node B by choosing external device i configure the same publich IP of Palo Alto device of the other side.
0 Helpful
Customers Also Viewed These Support Documents