4630 Views | 6 Helpful | 7 Replies

S2S VPN multiple peers for FTD 2110 using FMC

Keith Miller
Level 1

Hello all,

We purchased the new Firepower 2110s and I'm working on converting the configs on our ASA 5510s running on 9.0(4) to the FTD platform.

Something I've noticed for one of our use-cases is that I cannot specify multiple (2) peers for a specific tunnel like I could with the traditional ASAs. For example, we use Zscaler (cloud-based proxy service) and part of being in compliance with their SLA is to have 2 peers configured in case the primary goes down. It looked something like this:

crypto map outside_map 10 set peer Peer_address_1 Peer_address_2

Is there a solution for this that anyone knows of?

Regards,
Keith

7 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Cisco has an internal enhancement request to implement redundant peer for IKEv1.

Right now, there is no option to configure a redundant peer or multiple peers for the same crypto map on FTD.

6.3 release may address this issue.

Regards,
Aditya

Please rate helpful and mark correct answers

Thanks Aditya, I appreciate the swift reply.

So it's not a given that 6.2.2 or 6.3 will support this? I have a feeling I'll be running into situations like this regularly with these new appliances. And to think, I considered our configuration to be pretty standard. </facepalm>

Is there any way I can follow this internal request or do I just have to hope, wait, and stalk the release notes as new versions of FTD are released?

Thanks,
Keith

Checking back in on this. Does FTD now have something in place for:

crypto map outside_map 10 set peer Peer_address_1 Peer_address_2

Refer to this bug for more info: CSCvg43238. It is fixed in 6.2.3.

Thanks @dhgoel !!!

Add the primary IP followed by comma-separated optional backup peer IP addresses.

This option is available from version 6.2.3 and above.
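Keith's original problem is a migration one: ASA `set peer` lines carry the primary and backup peers as a space-separated list, while the FMC field described above takes the primary followed by comma-separated backups. The following is an added example (not code from this thread, Cisco, or FMC) that parses ASA `crypto map ... set peer` lines, validates the peer list, and renders the FMC-style peer string. It assumes a plain comma with no spaces as the separator and that peers are literal IP addresses rather than object names; the sample config lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample ASA lines; addresses are documentation ranges, not real peers.
SAMPLE_ASA_CONFIG = """\
crypto map outside_map 10 set peer 203.0.113.10 203.0.113.20
crypto map outside_map 20 set peer 198.51.100.5
crypto map outside_map 30 set peer 203.0.113.10 203.0.113.10
interface GigabitEthernet0/0
"""

# Matches 'crypto map <name> <seq> set peer <peer> [<peer> ...]'
PEER_LINE = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) set peer (?P<peers>.+)$")


def parse_set_peer(line):
    """Return (map_name, seq, [peers]) for an ASA 'set peer' line, else None."""
    m = PEER_LINE.match(line.strip())
    if not m:
        return None
    return m.group("map"), int(m.group("seq")), m.group("peers").split()


def validate_peers(peers):
    """Return a list of problems: non-IP tokens and duplicate peers.

    An empty list means the peer list is clean. Duplicates matter because a
    backup that repeats the primary gives no real redundancy.
    """
    problems = []
    seen = set()
    for p in peers:
        try:
            ipaddress.ip_address(p)
        except ValueError:
            problems.append(f"not an IP address: {p}")
            continue
        if p in seen:
            problems.append(f"duplicate peer: {p}")
        seen.add(p)
    return problems


def to_fmc_peer_field(peers):
    """Render the FMC peer field: primary first, then comma-separated backups (assumed format)."""
    return ",".join(peers)


def convert(config_text):
    """Map each (map_name, seq) entry to its primary, backups, FMC string and problems."""
    result = {}
    for line in config_text.splitlines():
        parsed = parse_set_peer(line)
        if parsed is None:
            continue  # not a 'set peer' line; ignore
        map_name, seq, peers = parsed
        result[(map_name, seq)] = {
            "primary": peers[0],
            "backups": peers[1:],
            "fmc_field": to_fmc_peer_field(peers),
            "problems": validate_peers(peers),
        }
    return result


if __name__ == "__main__":
    for key, entry in convert(SAMPLE_ASA_CONFIG).items():
        print(key, entry["fmc_field"], entry["problems"] or "ok")
```

Entries with no backup peer come out with an empty `backups` list, which is exactly the case the thread started from; the third sample line shows why a duplicate check is worth keeping when hand-editing the comma-separated field.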

Flavio Costa
Cisco Employee

Feature implemented on FTD release 6.6: "You can now add a backup peer to a site-to-site VPN connection, for IKEv1 and IKEv2 point-to-point extranet and hub-and-spoke topologies. Previously, you could only configure backup peers for IKEv1 point-to-point topologies." Important to mention that this is available for FMC-managed devices only.

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/relnotes/firepower-release-notes-660/features.html