06-11-2025 04:17 AM
Hello,
We previously had an IKEv1 VPN tunnel between a FTD 1140 and two ISR4431 routers, where we use the second router's IP address as a backup in the crypto map.
We recently changed those tunnels from IKEv1 to IKEv2, but we have issues with the backup peer if the tunnel between the FTD and router1 fails.
Before, router 2 would take over if router 1 was down, but this doesn't seem to work now.
I saw an old bug regarding no multiple VPN peer support for IKEv2 here: https://bst.cisco.com/bugsearch/bug/CSCvc02308?rfs=qvlogin
This bug is really old, but is it still not possible to use a backup peer in FTD? We are running version 7.6.
Thanks
/Chess
06-11-2025 04:41 AM
@Chess Norris I assume you've configured the backup peer as an extranet device? Is DPD configured to bring down the tunnel if it fails?
The preferred method for VPN is to use a route based VPN, which supports a backup VTI. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/vpn-s2s.html#Cisco_Reference.dita_73dac582-5114-4643-9536-fc4e2de1f1c4
06-11-2025 05:00 AM
Hello Rob,
Yes, both the primary and backup peer are configured as extranet devices, and isakmp keepalive is enabled.
I will take a look at route-based VPN options. We might switch over to that if we cannot get the policy-based VPN working with a backup peer, or check with TAC whether it is supposed to work or not.
/Chess