Cisco Firepower Threat Defense FTD auto failover

majilimb
Level 1

Hello community,

I am new to using the Cisco Firepower FTD NGFW. I want to configure two ISP links for auto failover on L2L VPN tunnels.

Currently I am using only one ISP link and need to add another ISP for redundancy. Anyone who has implemented this, please advise.

Device model: Cisco Firepower 2110 Threat Defense (77) Version 6.4

Thank you.

2 Accepted Solutions


@majilimb 

Configure IP SLA and tracking as per this example. Then on the hub firewall configure 2 crypto map configurations. On the remote peer you will need to define both IP addresses of your ISP links (primary and secondary). In the event the first ISP link goes down, on the hub the IP SLA will remove the default route and add the new route via the secondary ISP link. The spoke router will determine that the first peer is no longer reachable and attempt to connect to the secondary ISP link as defined in the configuration. Ensure Dead Peer Detection (DPD) is configured to detect that the VPN is down.

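The design described in the answer above, written out as an added illustration that is not part of the original thread and not a configuration from Cisco or the poster. It is shown in ASA/Lina CLI syntax, which is an assumption on my part: on FTD these pieces are built in FMC (SLA monitor object, route tracking, the site-to-site VPN topology, DPD in the IKE settings) and the Lina configuration FMC pushes looks like this. All addresses, interface names, object names and the PSK placeholder are constructed for the example; the IP SLA part requires FTD 6.5 or later, as noted further down the thread.

```cisco
! ===== HUB: two ISP links, one crypto map per ISP interface =====
! Constructed addressing (RFC 5737 documentation ranges):
!   outside1 203.0.113.10/24, ISP1 gateway 203.0.113.1, probe target 203.0.113.250
!   outside2 198.51.100.10/24, ISP2 gateway 198.51.100.1
!   spoke public address 192.0.2.10, LANs 10.1.0.0/16 (hub) and 10.2.0.0/16 (spoke)
!
! IP SLA: ping a host beyond the ISP1 gateway out of outside1, every 10 s.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.250 interface outside1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route stays installed only while track 1 reports reachable;
! the floating static (administrative distance 254) takes over when it fails.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Interesting traffic and IPsec proposal shared by both crypto maps.
access-list VPN_TO_SPOKE extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 enable outside1
crypto ikev1 enable outside2
!
! Crypto map bound to the ISP1 interface.
crypto map isp1_map 10 match address VPN_TO_SPOKE
crypto map isp1_map 10 set peer 192.0.2.10
crypto map isp1_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map isp1_map interface outside1
!
! Identical crypto map bound to the ISP2 interface (the "2 crypto map configurations").
crypto map isp2_map 10 match address VPN_TO_SPOKE
crypto map isp2_map 10 set peer 192.0.2.10
crypto map isp2_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map isp2_map interface outside2
!
! One tunnel-group for the spoke; DPD so a dead tunnel is torn down quickly
! (keepalive every 10 s, retry after 2 s).
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key PSK_PLACEHOLDER
 isakmp keepalive threshold 10 retry 2

! ===== SPOKE: single ISP link, both hub addresses listed as peers =====
access-list VPN_TO_HUB extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 enable outside
!
! The peer list is tried in order: 203.0.113.10 (hub ISP1) first, then 198.51.100.10 (hub ISP2).
crypto map outside_map 10 match address VPN_TO_HUB
crypto map outside_map 10 set peer 203.0.113.10 198.51.100.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
! One tunnel-group per hub address, each with DPD enabled.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key PSK_PLACEHOLDER
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key PSK_PLACEHOLDER
 isakmp keepalive threshold 10 retry 2
```

Two checks worth running after a failover test: `show track 1` and `show route` on the hub should show track 1 down and the outside2 default route active, and `show crypto ikev1 sa` on the spoke should show the SA rebuilt against the second peer. The probe target should be a host that is only reachable through ISP1; probing the ISP gateway itself can stay up while the ISP's upstream is broken, so the route would never fail over.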

@Rob Ingram Thank you, I am working on it.


4 Replies


IP SLA features are missing on my Firepower devices, possibly a license issue. What is the procedure for getting a license for this functionality to work?

Not a license issue, but it looks like you'll have to upgrade, as the IP SLA feature was only added to FTD in version 6.5. Consider upgrading to 6.6.1 as this is currently the gold star recommended version.

Reference here

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/relnotes/firepower-release-notes-650/features.html