06-02-2022 09:48 AM
Hi everyone,
I have a problem with my site-to-site VPN after I split the traffic of my inside interface to pass through 2 outside interfaces of my FTD. Only outside2 can communicate with the peer and outside1 cannot. The weird thing is that the peer device, which is an ASA, can ping all subnets inside my LAN even though I already split the traffic of my FTD using PBR via FlexConfig. I am using FMC for my FTD and ASDM for my ASA.
I tried creating 2 S2S VPN configs, one for each outside interface, but still only 1 can get through.
06-02-2022 09:59 AM
One FTD with two ISPs, one ASA with one ISP? Is this your config?
06-02-2022 10:05 AM
Yes sir, that's correct.
I tried adding the 2 IP addresses in the tunnel-group on the ASA and it says IKEv2 does not allow multiple peers, which is odd to me.
06-02-2022 10:14 AM - edited 06-02-2022 10:16 AM
So the ASA builds only one IPsec tunnel to the FTD; the other IPsec VPN will never come up and be used.
So can you try VTI instead of IPsec?
06-02-2022 07:24 PM - edited 06-02-2022 07:25 PM
Do you mean I should configure a policy-based crypto map on outside1 and a route-based VTI on outside2, and also on the ASA side?
06-02-2022 02:46 PM - edited 06-02-2022 02:53 PM
The ASA does not support IKEv2 tunnels with multiple peers; there is an enhancement request, Cisco CSCud22276.
If you want to have two tunnels, in that case you can drop down to IKEv1 with strong encryption (Phase 1 and Phase 2).
VTI on FTD is supported from version 6.7 onward. However, there are so many bugs in 6.7 that the recommended version is 7.0.x. I have no idea which FTD/FMC version you are on.
EDIT: Correction. I just found on Cisco's site that as of ASA version 9.14 this feature is now supported on IKEv2: a multi-peer crypto map allows the configuration of up to a maximum of 10 peer addresses.
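For readers who want to see what the ASA 9.14+ multi-peer crypto map mentioned above looks like, here is an added example of the ASA-side configuration. It is not configuration from this thread or from the original poster; the interface name `outside`, the two FTD outside addresses (203.0.113.10 and 198.51.100.10 from the documentation TEST-NET ranges), the LAN subnets, the object and map names, and the pre-shared-key placeholders are all assumed values.

```cisco
! Added example, not from the thread. Assumed values: ASA interface "outside",
! FTD outside1 = 203.0.113.10, FTD outside2 = 198.51.100.10,
! ASA LAN = 10.1.0.0/16, FTD LAN = 192.168.0.0/16, PSKs are placeholders.

! IKEv2 (Phase 1) policy and enabling IKEv2 on the outside interface
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec (Phase 2) proposal
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic: both FTD peers front the same remote LAN,
! so one ACL covers the crypto map entry regardless of which peer is active
access-list VPN-TO-FTD extended permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0

! One crypto map entry with two peer addresses (multi-peer, ASA 9.14+, max 10).
! The ASA negotiates with the first listed peer and only moves to the next
! when that peer is unreachable; this is a fallback list, not two concurrent tunnels.
crypto map OUTSIDE_MAP 10 match address VPN-TO-FTD
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

! Each peer address needs its own tunnel-group, because IKEv2 authentication
! is matched on the remote peer's address
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PSK_PLACEHOLDER_OUTSIDE1
 ikev2 local-authentication pre-shared-key PSK_PLACEHOLDER_OUTSIDE1
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PSK_PLACEHOLDER_OUTSIDE2
 ikev2 local-authentication pre-shared-key PSK_PLACEHOLDER_OUTSIDE2
```

NAT exemption for the VPN traffic is omitted and assumed to be in place already. After applying this, `show crypto ikev2 sa` and `show crypto ipsec sa peer 203.0.113.10` (or the second peer address) show which FTD address the ASA actually negotiated with. Note the design point in the comments: a multi-peer crypto map gives the ASA a fallback peer when the first becomes unreachable; it does not by itself keep two tunnels up at once, so the FTD's PBR split across outside1 and outside2 only maps cleanly onto it if one FTD interface is treated as primary and the other as backup.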