cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2711
Views
15
Helpful
10
Replies

Cisco FTD 1120 using FDM- HA IPSEC VPN using two separate ISPs

Davion Stewart
Beginner
Beginner

Good day, 

 

Running FTD code 6.7.0.2-24 on two FTD 1120s in HA (active/standby). 

 

Potential design is to have a primary IPsec tunnel connect from the FTDs to multiple sites. 

The secondary link is there as a backup connection in the event of failure of the primary.  

If the primary ISP does go down, then VPNs come up on the secondary ISP connection. 

 

When trying to configure the VPN using the secondary ISP, the FTD gives an error indicating that duplicate remote peer ip address is foundthe remote peer has to be unique for the VPN configuration.


Is there a way to do the HA configuration or this a limitation of the FTD FDM setup?

I also know that backup peers can be configured using the API explorer but this is only if the remote side has 2 remote IP addresses to connect, correct?

1 Accepted Solution

Accepted Solutions

@Davion Stewart you can add multiple local VPN access interfaces (outside interfaces) without having to define a backup peer.

 

1.PNG

 

If you define multiple local VPN access interfaces and a backup peer, you'd should be able to establish a VPN from both your outside interfaces (assuming route failover is configured) to both the primary and backup peer IP addresses.

View solution in original post

10 Replies 10

@Davion Stewart when you create the connection profile, you can select multiple interfaces (you can on 7.1 anyway). This will enable crypto on both outside interfaces, you would need to use IP SLA and tracking to failover to the second ISP upon failure of the first.

Thanks Rob, didn't recognize that version 7.1 allowed you to configure that. 

 

Based on the Configuration guide, is it that when you add a remote backup peer, the configuration then allows you add another local VPN access interface in the event the backup peer is reachable through a different interface or can you add another local VPN access interface without adding a backup peer?

 

@Davion Stewart you can add multiple local VPN access interfaces (outside interfaces) without having to define a backup peer.

 

1.PNG

 

If you define multiple local VPN access interfaces and a backup peer, you'd should be able to establish a VPN from both your outside interfaces (assuming route failover is configured) to both the primary and backup peer IP addresses.

Ahh beautiful, @Rob Ingram  exactly what I wanted to see. I was going to ask for a screenshot in my last reply but i said lemme wait. 
Thanks for the confirmation of how it works. 

 

One more thing concerning the last part of your statement. With two outside interfaces and two backup peers configured, VPNs can be formed over both in what ways? The scenarios assume that both sides have two outside interfaces.

 

There is:

local primary to remote primary

local primary to remote secondary (backup peer)

local secondary to remote primary

local secondary to remote secondary (backup peer)

 

Yes, I understand that route failover via IP SLA will need to be configured. Also, I suppose DPD will need to be configured properly on both sides so that the initial VPN can be torn down.

@Davion Stewart the scenario doesn't necessarily assume the remote peer has 2 outside interfaces, the backup peer could be another VPN device.

 

All traffic from the local FTD would be routed via ISP1 to remote primary until remote primary failure, then failover to remote backup peer. If local FTD ISP1 fails, SLA/tracking changes default routing via ISP2, VPN is established to remote peer, if remote peer failure failover to remote backup peer.

 

DPD is enabled by default on FDM, no way to change it for a L2L VPN.

 

tunnel-group 1.1.1.1 ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2

Thanks for the info @Rob Ingram . Really appreciate it. 

 

Will let you know how it works out.

Hi Rob,

How can I add two remote peer IPs in version 7.0.1-84?

I tried finding it in API Explorer but no luck.

Wished there was a way to do it in 7.0.1.

Anyways, thanks always, Rob.

Sam Mouseli
Beginner
Beginner

Here is the link to the Cisco bug document that mentions to be able to create a backup tunnel leaving through a backup VPN interface on FDM (not managed by FMC), the minimum release that supports this feature is 7.1.0.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt06355

HTH!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: