11-19-2020 11:29 AM
Question
Has anyone found a method to nail up an FTD to AWS VPN tunnel by using only the FTD device?
Challenges
What is anyone else using to keep the tunnel(s) nailed up? Thanks!
03-11-2021 07:38 PM
I am having the same issue. Running version 6.3
03-12-2021 12:21 AM
Hi @Hunter_G
The IP SLA feature was added in 6.5.
03-12-2021 09:00 AM
We are running FMC/FTD with AWS VPC VPN. The IP SLA feature is available in 6.3 on our GUI, with the 'requirement' to tie the SLA to a static route to track it (the only way to enable the SLA I've found).
I have tried this exact attempt (below) and was not able to keep the tunnel up (the SLA would time out as it wouldn't route to the VPN):
https://community.cisco.com/t5/network-security/configuring-ip-sla-monitor/td-p/3733032
I've also looked at other community posts and online blogs, but no results so far. AWS documentation does provide an FTD-compatible configuration; however, unlike their ASA configuration, an SLA is not included with the AWS FTD steps.
We attempted reconfiguring the SLA and static route multiple times, choosing different source interfaces, different destinations, gateways, and tried configuring crypto maps to allow ANY locally originating traffic to enter the tunnel - however, the SLA would not work.
Our design is an IKEv1 tunnel to AWS, and the tunnel does come up when traffic is generated for it (by either packet-tracer or a server initiating traffic) - the tunnel configuration itself is fine, but the tunnel needs traffic to stay up.
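For reference, this is the ASA-style CLI equivalent of the "SLA object tied to a tracked static route" approach the posts above describe. It is an added example, not from this thread and not AWS's generated configuration; the interface name "outside", the VPC host 10.20.0.10 in 10.20.0.0/16 and the ISP next hop 203.0.113.1 are assumed placeholders.

```text
! Added example (ASA-style CLI); assumed names and addresses, not from the thread.
! interface "outside", VPC host 10.20.0.10 in 10.20.0.0/16, ISP next hop 203.0.113.1

! 1. ICMP probe toward a host inside the VPC, every 5 seconds.
!    On ASA the echo is sourced from the address of the interface named here,
!    so that address and the 10.20.0.10 target must both match the crypto ACL
!    (local and remote side). If they do not, the probe is routed in the clear
!    and the SLA times out, which is the failure described in the post above.
sla monitor 10
 type echo protocol ipIcmpEcho 10.20.0.10 interface outside
 num-packets 3
 timeout 1000
 frequency 5
sla monitor schedule 10 life forever start-time now

! 2. Tracking object bound to the probe.
track 1 rtr 10 reachability

! 3. Static route for the VPC prefix via the ISP next hop, tied to the track.
!    This is the tracked static route FMC requires to attach an SLA object.
route outside 10.20.0.0 255.255.0.0 203.0.113.1 1 track 1
```

Check with `show sla monitor operational-state 10` and `show track 1`: the track must report reachability Up and the crypto session counters must increment, otherwise the probe is not entering the tunnel.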