Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
157
Views
2
Helpful
3
Replies

backup VPN tunnels on FTD

Go to solution
tato386
Level 6
Level 6

‎10-04-2024 10:17 AM

I am looking for some guidance on setting up backup peers and tunnels using FTD/FMC.  I have one site with a single ISP and a 2nd site that has two ISPs.  The second site is not doing load-balancing.  It is using a primary/secondary using IP SLA to switch default route to secondary connection as needed.  Previously I was using ASA and it was fairly straight forward to add two peers to site with single ISP and apply crypto map to both interfaces at other side.  

However, FMC VPN GUI is a bit different, and it is tunnel focused rather than device focused.  It doesn't allow me to add a 2nd node to my current point-to-point setup.  I am thinking (and hoping) maybe it's as simple as adding a 2nd point-to-point using the second interface of the site with two ISPs?  In this config I worry about the tunnel bouncing to different ISPs since I don't see how I would define primary and backup tunnels.

There is also hub and spoke and VTI options.  Are those better suited for my use case?

TIA,

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎10-05-2024 12:07 PM

@tato386 if you wish to use a Policy Based VPN on the FMC/FTD with two devices managed by the same FMC you cannot configure the devices as backup peers. You must configure one of peer devices in the topology as an extranet device. 

Else use a Route Based VPN and you can configure a Backup VTI - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-s2s.html#Cisco_Reference.dita_73dac582-5114-4643-9536-fc4e2de1f1c4

FYI, the VPN Load Balancing functionality mention is relevant only to RAVPN not L2L VPN.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
MHM Cisco World
VIP
VIP

‎10-04-2024 10:31 AM - edited ‎10-05-2024 04:32 PM

You can in ASA add multi peers under same crypto map this also can be d9ne in ftd 

download.png

 in ftd you can add primary peer IP ' backup peer IP

Check this 

MHM

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-04-2024 10:33 AM

I am thinking you need seperate the traffic between tunnel and failover when other tunnel fails. But this can only be done where you have 2 ISP, the risk still on the end have only 1 ISP.

You can also do some traffic engineering using any IGP or PBR

May be try below guide :

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/vpn-s2s.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Rob Ingram
VIP
VIP

‎10-05-2024 12:07 PM

@tato386 if you wish to use a Policy Based VPN on the FMC/FTD with two devices managed by the same FMC you cannot configure the devices as backup peers. You must configure one of peer devices in the topology as an extranet device. 

Else use a Route Based VPN and you can configure a Backup VTI - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-s2s.html#Cisco_Reference.dita_73dac582-5114-4643-9536-fc4e2de1f1c4

FYI, the VPN Load Balancing functionality mention is relevant only to RAVPN not L2L VPN.

0 Helpful
Customers Also Viewed These Support Documents