
FTD w/FMC S2S vpn tunnel not working

gnguyen89 (Level 1)

All,

    I swapped out my old ASA with an FTD using the same IP addresses for inside and outside. We are in the US and the remote site is in Singapore. Once the support person swaps out the ASA for the FTD I can still see the remote side network: I can ping the gateway of the local network, 10.28.100.1; I can ping the inside interface of the FTD, which is 10.28.100.11; and I can ping/SSH to the management interface, which is 10.28.100.5. The problem is that the FMC can no longer see the FTD once I switch it in for the ASA, so I can no longer deploy anything. When the ASA is connected back again I can manage the FTD through the management interface. Any suggestions will be appreciated. Thank you.

3 Replies

gajownik (Cisco Employee)

If I understand you correctly, you want to manage the FTD via an S2S tunnel that is terminated on the same FTD you want to manage?
If yes, this design is against best practices and prone to errors that lead to being cut off from the device. We had lots of cases in TAC where, due to user misconfiguration or a bug in the software, the tunnel went down and without TAC assistance it was not possible to fix it (normal deployment is broken).

CSCwb41698 DOC BUG: add note to FMC Device Configuration Guide not to manage device over VPN tunnel
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb41698

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/policy_management.html#ID-2176-0000040d

"You can deploy the FMC policy configuration over a VPN tunnel, only if the deployment is for a device that does not terminate the tunnel. The FMC to Firepower Threat Defense management traffic should be its own secure transport SF tunnel and does not need to be over S2S VPN tunnel for any connectivity."

Your setup probably does not work due to the missing "management-access" setting, which, depending on the FTD version, might not work properly; but as I said, it is not a proper design.

Thank you for the information, that does make sense. I am trying to find a solution for swapping out the ASAs (with Firepower 1 and 2). Would the following work: if I had another Firepower tunnel going to London, would I be able to send the management traffic for Houston over this tunnel, and vice versa for the London management? Or would you recommend not managing the Firepower with the FMC but through the FTD locally instead? I've attached a drawing for reference.

[Attachment: Singapore_Firepower.PNG]

So you need the outside interface to be the end of the S2S VPN and at the same time used to connect the FPR to the FMC (note: newer FPR versions accept a data interface as the management interface, so there is no need for management access).

This works, but you need to make sure that the Singapore (FMC) site uses NAT (to a public address), so the FPRs in London and Houston can connect to the FMC directly without passing over the S2S tunnel.
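As an added illustration of the approach described in the reply above (not configuration from the original thread or from any poster), the following FTD CLI fragment registers a remote FTD to the FMC over its outside data interface rather than over the S2S tunnel. The FMC's public (NAT) address 203.0.113.10, the registration key and the NAT ID are placeholders chosen for this example; the interface name, IP addressing and default route are assumed for a typical branch deployment and should be replaced with the site's own values. The FTD-side commands `configure network management-data-interface` (FTD 7.0 and later, interactive prompts) and `configure manager add` are the standard ones; the exact prompt wording varies by release.

```text
! On the remote FTD (London or Houston), from the FTD CLI (not the expert shell).
! Step 1: make the outside data interface carry FMC management traffic.
!   This is an interactive command; the values below are example answers.
> configure network management-data-interface
  Data interface to use for management: outside          <- assumed interface name
  Specify a name for the interface [outside]:
  IP address (manual / dhcp) [dhcp]: manual
  IPv4/IPv6 address: 198.51.100.2 255.255.255.0           <- assumed site outside address
  Default gateway: 198.51.100.1                           <- assumed ISP gateway
  DDNS server update URL [none]:

! Step 2: point the FTD at the FMC's public (NATed) address, with a NAT ID
!   because the FMC sees the FTD behind the branch's own NAT/ISP address.
> configure manager add 203.0.113.10 <registration-key> <nat-id>

! On the FMC: add the device with the same registration key and NAT ID
! (Devices > Device Management > Add > Device), using the FTD's outside address.
!
! Result: the sftunnel from the FTD to the FMC travels directly over the
! Internet to the FMC's public address, so it no longer depends on the S2S
! tunnel that the same FTD terminates. The S2S VPN between Singapore and the
! branch is then only for user/data traffic, which is the point made in the
! replies: a broken tunnel or a bad deployment can no longer cut the FMC off
! from the device.
```

Two checks before relying on this: confirm that the Singapore edge permits inbound TCP/8305 (sftunnel) to the FMC's translated address from each branch's public address, and verify after registration that `sftunnel-status` on the FTD shows the peer as the FMC's public address and not an address learned through the VPN.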