Cisco FTD 1120 using FDM- HA IPSEC VPN using two separate ISPs

Davion Stewart
Level 1

Good day, 

 

Running FTD code 6.7.0.2-24 on two FTD 1120s in HA (active/standby). 

 

Potential design is to have a primary IPsec tunnel connect from the FTDs to multiple sites. 

The secondary link is there as a backup connection in the event of failure of the primary.  

If the primary ISP does go down, then VPNs come up on the secondary ISP connection. 

 

When trying to configure the VPN using the secondary ISP, the FTD gives an error indicating that a duplicate remote peer IP address is found; the remote peer has to be unique for the VPN configuration.


Is there a way to do the HA configuration or this a limitation of the FTD FDM setup?

I also know that backup peers can be configured using the API explorer but this is only if the remote side has 2 remote IP addresses to connect, correct?

Accepted Solution

@Davion Stewart you can add multiple local VPN access interfaces (outside interfaces) without having to define a backup peer.

 

[screenshot: 1.PNG]

 

If you define multiple local VPN access interfaces and a backup peer, you should be able to establish a VPN from both your outside interfaces (assuming route failover is configured) to both the primary and backup peer IP addresses.


@Davion Stewart when you create the connection profile, you can select multiple interfaces (you can on 7.1 anyway). This will enable crypto on both outside interfaces; you would need to use IP SLA and tracking to fail over to the second ISP upon failure of the first.

Thanks Rob, didn't recognize that version 7.1 allowed you to configure that. 

 

Based on the Configuration guide, is it that when you add a remote backup peer, the configuration then allows you to add another local VPN access interface in the event the backup peer is reachable through a different interface, or can you add another local VPN access interface without adding a backup peer?

 


Ahh beautiful, @Rob Ingram, exactly what I wanted to see. I was going to ask for a screenshot in my last reply but I said lemme wait.
Thanks for the confirmation of how it works. 

 

One more thing concerning the last part of your statement. With two outside interfaces and two backup peers configured, VPNs can be formed over both in what ways? The scenarios assume that both sides have two outside interfaces.

 

There is:

local primary to remote primary

local primary to remote secondary (backup peer)

local secondary to remote primary

local secondary to remote secondary (backup peer)

 

Yes, I understand that route failover via IP SLA will need to be configured. Also, I suppose DPD will need to be configured properly on both sides so that the initial VPN can be torn down.

@Davion Stewart the scenario doesn't necessarily assume the remote peer has 2 outside interfaces, the backup peer could be another VPN device.

 

All traffic from the local FTD would be routed via ISP1 to the remote primary until remote primary failure, then fail over to the remote backup peer. If local FTD ISP1 fails, SLA/tracking changes default routing via ISP2 and the VPN is established to the remote peer; if the remote peer fails, it fails over to the remote backup peer.

 

DPD is enabled by default on FDM; there is no way to change it for an L2L VPN.

 

tunnel-group 1.1.1.1 ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
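The design Rob describes above (two local outside interfaces, a primary and a backup remote peer, SLA-tracked default routes, and DPD) maps onto ASA-style LINA configuration, which is what FDM generates under the hood. The following is an added illustration written for this thread, not Cisco's or FDM's own output, and the exact rendering FDM produces will differ. Interface names, the RFC 5737 documentation addresses, the remote peer addresses 192.0.2.1 (primary) and 192.0.2.129 (backup), the object and ACL names, and the pre-shared-key placeholder are all assumptions.

```cisco
! Constructed example: ASA-style LINA config for dual-ISP IPsec failover.
! All addresses, names and keys are placeholders, not values from the thread.

! One outside interface per ISP (both become local VPN access interfaces)
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
interface GigabitEthernet1/2
 nameif outside2
 security-level 0
 ip address 203.0.113.10 255.255.255.0

! IP SLA probe through ISP1; "track 1" goes down when the echo target stops answering
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! Tracked primary default route via ISP1; floating route via ISP2 (higher metric)
! takes over only when track 1 is down, which also moves the IKE source to outside2
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 203.0.113.1 254

! IKEv2 policy and IPsec proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic between the two sites
object network LOCAL_LAN
 subnet 10.10.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.0.0
access-list VPN_SITE_A extended permit ip object LOCAL_LAN object REMOTE_LAN

! One crypto map entry listing the primary and backup remote peers in order;
! the same map is bound to both ISP interfaces, and IKEv2 is enabled on both
crypto map outside_map 1 match address VPN_SITE_A
crypto map outside_map 1 set peer 192.0.2.1 192.0.2.129
crypto map outside_map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto ikev2 enable outside
crypto ikev2 enable outside2

! One tunnel-group per remote peer address; the keepalive line is the DPD
! setting FDM applies by default (threshold 10 s, retry 2 s)
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_PSK
 ikev2 local-authentication pre-shared-key REPLACE_WITH_PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 192.0.2.129 type ipsec-l2l
tunnel-group 192.0.2.129 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_PSK
 ikev2 local-authentication pre-shared-key REPLACE_WITH_PSK
 isakmp keepalive threshold 10 retry 2
```

Two checks worth making when validating a design like this: the remote side must accept IKE from both of the local outside addresses (198.51.100.10 and 203.0.113.10 here), otherwise the tunnel from ISP2 will never come up even though routing has failed over; and the SLA echo target should be something that only answers through ISP1, otherwise the track never fails and the floating route never activates. In practice `show track 1`, `show route` and `show crypto ikev2 sa` on the FTD CLI confirm which route and which peer are in use after a failover.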

Thanks for the info @Rob Ingram . Really appreciate it. 

 

Will let you know how it works out.

Hi Rob,

How can I add two remote peer IPs in version 7.0.1-84?

I tried finding it in API Explorer but no luck.

Wished there was a way to do it in 7.0.1.

Anyways, thanks always, Rob.

Sam Mouseli
Level 1

Here is the link to the Cisco bug document that mentions being able to create a backup tunnel leaving through a backup VPN interface on FDM (not managed by FMC); the minimum release that supports this feature is 7.1.0.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt06355

HTH!