FTD to ASA Route-based VPNs with Dual ISPs to Single ISP

james-santo
Level 1

Dual ISP: I have a primary site with a pair of C-3110 FTDs, both connected to dual 5Gb DIA circuits. We have about 12 remote sites, all of which have a single ISP and ASA 5516s as edge firewalls.

We currently have a single IKEv2 route-based VPN between FTD/ISP1 and each site. I've been tasked with adding a secondary tunnel to each remote site over the secondary ISP. I see a couple of potential issues with this concept and was hoping to get answers to the following questions:

1) On the FTDs, the default route goes through ISP1, so essentially all VPN peer IPs use that route. I could use static routes over the second ISP but can't do that to the same peer IP for sites that only have one ISP. Would ECMP or IP SLA be needed here? The goal is to have all tunnels connected at all times, but the second-best scenario would be a failover tunnel that connects when the primary ISP is down.

2) On the ASA side, with a single ISP, this should not be an issue, so can I set the ASA as the VPN initiator, and would that hold the path on the FTD side between the two ISPs, or is there a potential asymmetric routing scenario?

3) I'm sure there's more to ask but I'll leave it here for now.

Thanks in advance!

1 Reply

@james-santo yes, configure IP SLA for the ISP failover, for the default route. https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/220636-configure-dual-isp-failover-for-ftd-mana.htm

ECMP for the default route over both ISP links could be an option also. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/routing-ecmp.html

For the VPN, run a dVTI on the FTD and an sVTI on the ASAs, use a dynamic routing protocol over the tunnels and configure it to prefer one tunnel over the other, so routing is symmetrical. https://secure.cisco.com/secure-firewall/v7.3/docs/dynamic-virtual-template-interface-dvti
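As an added, constructed example (not configuration from this thread or from Cisco's documentation), here is the remote-site ASA half of the dVTI/sVTI design the reply describes: two sVTIs over the single ISP, one to each FTD outside address, with eBGP de-preferring the ISP2 tunnel in both directions so the FTD and the ASA agree on the same path and routing stays symmetric. It assumes the FTD side is built per the linked dVTI guide with one dVTI per ISP interface, borrowing loopbacks 169.254.1.1 and 169.254.2.1 (/24 so all twelve sites fit in each tunnel subnet), and that every address, AS number and object name below is hypothetical.

```text
! Constructed example (not from the thread) for the ASA at a single-ISP site.
! Hypothetical: 203.0.113.1/198.51.100.1 = FTD outside on ISP1/ISP2, LAN 10.20.0.0/16, AS 65000 hub, AS 65001 ASA.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
interface Tunnel1
 nameif vti-isp1
 ip address 169.254.1.2 255.255.255.0
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
interface Tunnel2
 nameif vti-isp2
 ip address 169.254.2.2 255.255.255.0
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
! eBGP over both tunnels; Tunnel2 is de-preferred both ways (lower local-pref in, higher MED out)
route-map ISP2-IN permit 10
 set local-preference 50
route-map ISP2-OUT permit 10
 set metric 100
router bgp 65001
 address-family ipv4 unicast
  neighbor 169.254.1.1 remote-as 65000
  neighbor 169.254.1.1 activate
  neighbor 169.254.2.1 remote-as 65000
  neighbor 169.254.2.1 activate
  neighbor 169.254.2.1 route-map ISP2-IN in
  neighbor 169.254.2.1 route-map ISP2-OUT out
  network 10.20.0.0 mask 255.255.0.0
```

Once both IKEv2 SAs and both BGP sessions are up, the ASA routing table should show hub prefixes via vti-isp1 only, with vti-isp2 taking over when the ISP1 tunnel or its BGP session drops.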