FTD VTI Tunnels

donald.heslop1
Level 1

Hi,

I'm working with FTD 6.7 and 7.0 (now called Cisco Secure Firewall). I noticed that I can do a VTI tunnel to a router, ASA, or other firewall (like Fortinet or PA) that does route-based VPNs, but when I try to configure a route-based VPN tunnel between FTDs the tunnels come up but routing doesn't work at all (static or BGP). I've checked the route policy (tried static first, then BGP), and the ACP allows all traffic between the inside zone and my VTI zone, so traffic should work. I also noticed that BGP wouldn't come up on the VTI tunnels even though the tunnels were up.

Has anyone tried route-based VPNs between FTDs and run into this problem? It is definitely an issue when configuring a route-based VPN between two FTDs. I used the same configurations with an ISR router and had absolutely no issues (traffic flowing, tunnels connecting, and BGP coming up).

6 Replies

FTD does not support VTI as far as I know; maybe a new version will support it.

FTD does support VTI in 6.7 and 7.0 which are the versions I'm working with.

hopsJvines
Level 1

Was an answer found as to why the routing was not working? 

Devinder Sharma
Level 1

I am running into the exact same issue with the latest 7.1 code on three FTDs: the tunnels form, but no traffic. The configuration is all good. Tested FTD to router and that worked.

hopsJvines
Level 1

Since my last post on this topic, I found that there was no issue with routing in my case. Instead, ping from the CLI for anything that isn't physically directly attached is inconsistent and unreliable. I was able to verify that traffic successfully traverses the route-based VPN tunnel by pinging from a host connected to the firewall. Also, the packet-tracer command is to be used from the CLI of the FTD instead of ping. Lots of time was wasted until that was discovered.

Devinder Sharma
Level 1

Thanks hopsJvines for sharing your findings. In my case, it was an issue with the ACP. I had one rule going outbound, but also needed one from the far-end network to the local network (zones are set to any). I had also validated earlier with packet-tracer from both ends and it was all pass, and that is why I missed the ACP. So in my case, the packet-tracer output was not telling me that packets were being dropped by the FTD.
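A verification sequence that follows the findings in the two posts above (packet-tracer from each side rather than CLI ping, then tunnel and route state), added here as an example and not taken from the thread. The interface names, zones and addresses are constructed: `inside` is the LAN interface, `vti-hub`/`vti-spoke` are the VTI interfaces, 10.1.0.0/24 is the local LAN and 10.2.0.0/24 the far-end LAN.

```text
! --- Site A FTD (LINA CLI): simulate a LAN host reaching the far end ---
! Traffic entering on inside, leaving via the VTI; "Phase: ACCESS-LIST" must show
! ALLOW for the rule inside-zone -> vti-zone.
> packet-tracer input inside icmp 10.1.0.10 8 0 10.2.0.10 detailed

! --- Site B FTD: simulate the reverse direction, entering on the VTI ---
! This is the direction that needs its own ACP rule (vti-zone -> inside-zone,
! or source/destination zones set to any); without it the Phase shows DROP.
> packet-tracer input vti-spoke icmp 10.1.0.10 8 0 10.2.0.10 detailed

! --- On either side: confirm the tunnel carries traffic and routes point at it ---
! Encaps/decaps counters should increase on both ends after a host-to-host test.
> show crypto ipsec sa
! The far-end prefix should resolve to the VTI interface, static or via BGP.
> show route 10.2.0.10
> show bgp summary
```

Run the two packet-tracer checks in both directions on both firewalls; a pass in only one direction is exactly the gap the ACP rule described above closes.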