07-05-2021 08:40 AM
Hi,
I am working with FTD 6.7 and 7.0 (now called Cisco Secure Firewall). I noticed that I can do a VTI tunnel to a router, ASA, or other firewall (like Fortinet or PA) that does route-based VPNs, but when I try to configure a route-based VPN tunnel between FTDs, the tunnels come up but routing doesn't work at all (static or BGP). I've checked the route policy (tried static first, then BGP), and the ACP allows all traffic between the inside zone and my VTI zone, so traffic should work. I also noticed that BGP wouldn't come up on the VTI tunnels even though the tunnels were up.
Has anyone tried route-based VPNs between FTDs and run into this problem? It is definitely an issue when configuring a route-based VPN between two FTDs. I used the same configuration with an ISR router and had absolutely no issues (traffic flowing, tunnels connecting, and BGP coming up).
07-05-2021 11:39 AM
FTD does not support VTI as far as I know; maybe a new version will support it.
07-06-2021 06:43 AM
FTD does support VTI in 6.7 and 7.0 which are the versions I'm working with.
12-30-2021 08:19 AM
Was an answer found as to why the routing was not working?
02-02-2022 07:40 AM
I am running into the exact same issue with the latest 7.1 code on three FTDs: the tunnels form, but there is no traffic. The configuration is all good. I tested FTD to router and that worked.
02-02-2022 01:03 PM
Since my last post on this topic, I found that there was no issue with routing in my case. Instead, ping from the CLI for anything that isn't physically directly attached is inconsistent and unreliable. I was able to verify that traffic successfully traverses the route-based VPN tunnel by pinging from a host connected to the firewall. Also, the packet-tracer command is to be used from the CLI of the FTD instead of ping. Lots of time was wasted until that was discovered.
02-02-2022 01:40 PM
Thanks, hopsJvines, for sharing your findings. In my case, it was an issue with the ACP. I had one rule going outbound, but I also needed one from the far-end network to the local network (zones are set to any). I had also validated earlier with packet-tracer from both ends and it all passed, and that is why I missed the ACP. So in my case, the packet-tracer output was not telling me that packets were being dropped because of the FTD.
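Following on from the last two posts (use packet-tracer rather than CLI ping, and make sure a connection initiated from the far-end network is also allowed by the ACP), here is a small added example written for this thread; it is not code from any of the posters or from Cisco. It parses the output of a packet-tracer run in each direction across the VTI and reports which phase dropped the flow and why, so the asymmetric-rule gap described above shows up immediately instead of being missed. The two traces are constructed by hand and only mimic the Phase/Result layout of FTD packet-tracer output; the interface names `inside` and `vti-tunnel`, the addresses and the rule text are assumptions. On a real pair of FTDs you would paste in the output of `packet-tracer input inside tcp <local-host> 12345 <remote-host> 443` run on one box and `packet-tracer input vti-tunnel tcp <remote-host> 12345 <local-host> 443` run on the other.

```python
"""Parse Cisco FTD packet-tracer output and check a VTI in both directions.

Added example for this thread, not taken from any poster or from Cisco.
The two traces below are CONSTRUCTED by hand: they imitate the phase
layout of packet-tracer output (blocks of "Phase/Type/Result", then a
final "Result:" summary with Action and Drop-reason) but were not
captured from a device. Interface names, addresses and rule text are
assumptions for illustration only.
"""
import re

# Constructed: new connection from the local inside network out over the VTI.
ALLOWED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 169.254.1.2 using egress ifc vti-tunnel

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list CSM_FW_ACL_ advanced permit ip ifc inside any ifc vti-tunnel any
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: vti-tunnel
output-status: up
output-line-status: up
Action: allow
"""

# Constructed: new connection arriving from the far end over the VTI. There is
# no ACP rule for this direction, so it dies at the ACCESS-LIST phase.
DENIED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: vti-tunnel
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_KEYS = ("Phase", "Type", "Subtype", "Result")


def parse_phases(trace):
    """Split the trace into numbered phases; each becomes a dict of the
    Phase/Type/Subtype/Result fields. Config and Additional Information
    lines are left out because their content varies by phase type."""
    phases = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("Phase:"):
            continue
        fields = {}
        for line in lines:
            key, sep, value = line.partition(":")
            if sep and key in PHASE_KEYS:
                fields[key.lower()] = value.strip()
        phases.append(fields)
    return phases


def parse_summary(trace):
    """Parse the trailing 'Result:' block (interfaces, Action, Drop-reason).
    Phase lines read 'Result: ALLOW', so a bare 'Result:' line only occurs
    at the start of the summary."""
    idx = trace.rfind("\nResult:\n")
    summary = {}
    if idx == -1:
        return summary
    for line in trace[idx:].splitlines()[2:]:
        key, sep, value = line.partition(":")
        if sep:
            summary[key.strip().lower()] = value.strip()
    return summary


def verdict(trace):
    """Reduce one packet-tracer run to: final action, the phase type that
    dropped the flow (if any), the Drop-reason text, and the interfaces."""
    phases = parse_phases(trace)
    summary = parse_summary(trace)
    dropped = next((p for p in phases if p.get("result", "").upper() == "DROP"), None)
    return {
        "action": summary.get("action", "").lower(),
        "dropped_in": dropped["type"] if dropped else None,
        "reason": summary.get("drop-reason"),
        "ingress": summary.get("input-interface"),
        "egress": summary.get("output-interface"),
    }


def check_both_directions(local_to_remote, remote_to_local):
    """A route-based tunnel is only usable when a NEW connection started
    from either side passes. Returns one finding per failing direction;
    an empty list means both directions are allowed."""
    findings = []
    for label, trace in (("local->remote", local_to_remote),
                         ("remote->local", remote_to_local)):
        v = verdict(trace)
        if v["action"] != "allow":
            findings.append(f"{label}: dropped in {v['dropped_in']} phase "
                            f"({v['reason']}); ingress {v['ingress']}, egress {v['egress']}")
    return findings


if __name__ == "__main__":
    for line in check_both_directions(ALLOWED_TRACE, DENIED_TRACE) or ["both directions allowed"]:
        print(line)
```

Running the two constructed traces through check_both_directions reports only the remote-to-local direction as dropped at the ACCESS-LIST phase with the acl-drop reason, which is exactly the missing far-end-to-local rule described in the post above; once that rule is added and the trace re-run, the list comes back empty.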