11-19-2020 11:29 AM
Question
Has anyone found a method to nail up an FTD to AWS VPN tunnel by using only the FTD device?
Challenges
What is anyone else using to keep the tunnel(s) nailed up? Thanks!
03-11-2021 07:38 PM
I am having the same issue. Running version 6.3.
03-12-2021 12:21 AM
Hi @Hunter_G
The IP SLA feature was added in 6.5.
03-12-2021 09:00 AM
We are running FMC/FTD with AWS VPC VPN. The IP SLA feature is available in 6.3 on our GUI, with the 'requirement' to tie the SLA to a static route to track it (the only way to enable the SLA I've found).
I have tried this exact attempt (below) and was not able to keep the tunnel up (the SLA would time out as it wouldn't route to the VPN):
https://community.cisco.com/t5/network-security/configuring-ip-sla-monitor/td-p/3733032
I've also looked at other community posts and online blogs, but no results as of recent. AWS documentation does provide an FTD compatible configuration, however, unlike their ASA configuration, an SLA is not included with the AWS FTD steps.
We attempted reconfiguring the SLA and static route multiple times, choosing different source interfaces, different destinations, gateways, tried configuring crypto-maps to allow ANY local originating traffic to enter the tunnel - however the SLA would not work.
Our design is an IKEv1 tunnel to AWS, and the tunnel does come up when traffic is generated for it (by either packet-tracer or a server initiating traffic) - the tunnel configuration itself is fine, but the tunnel needs traffic to stay up.
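For comparison with the ASA steps mentioned above, here is an added example (not taken from any post in this thread, and not the poster's configuration) of the ASA-style SLA-tracked static route that the AWS ASA configuration uses to generate keepalive traffic. On FMC-managed FTD the same pieces are built in the GUI as an SLA Monitor object plus a static route with route tracking; all addresses and interface names below are placeholders.

```text
! Added example, ASA-style CLI. Placeholders: 169.254.1.1 is the AWS-side
! tunnel-inside address (AWS assigns a 169.254.x.x/30 link per tunnel),
! 203.0.113.1 is the ISP next hop on the outside interface.
!
! 1. Probe the AWS tunnel-inside address, sourced from the outside interface
!    so the ICMP echo itself counts as interesting traffic for the tunnel.
sla monitor 1
 type echo protocol ipIcmpEcho 169.254.1.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
!
! 2. Tie a track object to the probe.
track 1 rtr 1 reachability
!
! 3. Host route to the probed address via the outside next hop. The probe
!    runs every 5 seconds and keeps the SA busy; if the probe fails the
!    route is withdrawn, which is what a tracked static route is for.
route outside 169.254.1.1 255.255.255.255 203.0.113.1 1 track 1
!
! Check: the probe only enters the tunnel if the crypto ACL for the peer
! covers the probe's source (the outside interface address) and the
! 169.254.1.1 destination. A probe that does not match the crypto ACL is
! routed in the clear and will time out, which matches the symptom above.
```

On FMC the equivalent check is that the tracked route's destination and the SLA monitor's source interface both fall inside the protected networks defined for the site-to-site topology.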