08-22-2017 07:58 AM - edited 03-12-2019 04:29 AM
Hello all,
We purchased the new Firepower 2110s and I'm working on converting the configs on our ASA 5510s running on 9.0(4) to the FTD platform.
Something I've noticed for one of our use-cases is that I cannot specify multiple (2) peers for a specific tunnel like I could with the traditional ASAs. For example, we use Zscaler (cloud-based proxy service) and part of being in compliance with their SLA is to have 2 peers configured in case the primary goes down. It looked something like this:
crypto map outside_map 10 set peer Peer_address_1 Peer_address_2
Is there a solution for this that anyone knows of?
Regards,
Keith
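As an added example (not from this thread or from Cisco), a small Python script that parses ASA `crypto map ... set peer` lines and lists which entries carry a second peer, so those tunnels can be flagged before converting the config to FTD; the config lines and addresses are constructed, not a real device.

```python
import re

# Constructed sample of ASA crypto map lines (documentation addresses), not a real config.
SAMPLE_ASA_CONFIG = """\
crypto map outside_map 10 match address zscaler_acl
crypto map outside_map 10 set peer 192.0.2.10 192.0.2.11
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 20 match address branch_acl
crypto map outside_map 20 set peer 198.51.100.5
crypto map outside_map 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
"""

# Matches: crypto map <name> <seq> set peer <peer1> [peer2 ...]
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")


def crypto_map_peers(config):
    """Return {(map_name, seq): [peer, ...]} for every 'set peer' line in the config."""
    peers = {}
    for line in config.splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            peers[(m.group(1), int(m.group(2)))] = m.group(3).split()
    return peers


def entries_needing_backup_peer(config):
    """Crypto map entries with more than one peer; these need FTD backup-peer support."""
    return sorted(k for k, v in crypto_map_peers(config).items() if len(v) > 1)


def report(config):
    """One human-readable line per crypto map entry, showing primary and backup peers."""
    lines = []
    for (name, seq), plist in sorted(crypto_map_peers(config).items()):
        status = "needs FTD backup peer" if len(plist) > 1 else "single peer"
        lines.append(f"{name} {seq}: primary={plist[0]} backup={plist[1:]} ({status})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ASA_CONFIG)))
```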
08-22-2017 08:30 AM
Hi,
Cisco has an internal enhancement request to implement redundant peer for ikev1.
Right now, there is no option to configure redundant peer or multiple peers for same crypto map on FTD.
6.3 release may address this issue.
Regards,
Aditya
Please rate helpful and mark correct answers
08-22-2017 10:02 AM
Thanks Aditya, I appreciate the swift reply.
So it's not a given that 6.2.2 or 6.3 will support this? I have a feeling I'll be running into situations like this regularly with these new appliances. And to think, I considered our configuration to be pretty standard. </facepalm>
Is there any way I can follow this internal request or do I just have to hope, wait, and stalk the release notes as new versions of FTD are released?
Thanks,
Keith
07-18-2018 02:32 PM
Checking back in on this. Does FTD now have something in place for:
crypto map outside_map 10 set peer Peer_address_1 Peer_address_2
07-25-2018 07:26 AM
Refer to this bug for more info: CSCvg43238. It is fixed in 6.2.3.
07-25-2018 07:34 AM
02-17-2020 05:09 AM
Add Primary IP followed by comma separated optional backup peer IP addresses.
This option is available from version 6.2.3 and above.
04-23-2020 05:09 PM
Feature implemented on FTD release 6.6: "You can now add a backup peer to a site-to-site VPN connection, for IKEv1 and IKEv2 point-to-point extranet and hub-and-spoke topologies. Previously, you could only configure backup peers for IKEv1 point-to-point topologies." Important to mention that this is available on FMC-managed devices only.