Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
676
Views
4
Helpful
10
Replies

Site-to-Site VPN Failover - Firepower 1140 FDM SW: 7.3.1

Go to solution
M.S.88
Level 1
Level 1

‎01-17-2024 02:09 AM

 

Hi all,

I have configured Policy Based Site-to-Site VPN from from local network and outside (ISP1) interface to remote network, and it's working. I have configured Access COntrol and NAT policy, everything is working fine, but..

When ISP1 is down traffic is switched to ISP2, it's based on IP SLA, but tunnel not encrypt traffic.

in tunnel configuration i have selected two outside interfaces ISP1 and ISP2

marekszyc88_0-1705484629730.png

SLA and failover are working fine, when isp1 is down routing table is changing but tunnel doesn't reconnects, even when i manually clear session. Remote site is configured as dynamic (huawei)

Do you have any experience with this configuration?

 

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
M.S.88
Level 1
Level 1

‎01-23-2024 05:51 AM

Hi all,

thanks for questions and your time.
I tested it in the virtual environment and everything is working fine, when sla is down traffic is switched to ISP2 and tunnel works fine, so problem is not at configuration FDM but on remote side

 

View solution in original post

0 Helpful
10 Replies 10

Go to solution
MHM Cisco World
VIP
VIP

‎01-17-2024 02:19 AM

as I see you use static not dynamic for remote site ?

0 Helpful

Go to solution
M.S.88
Level 1
Level 1
In response to MHM Cisco World

‎01-17-2024 02:36 AM

For firepower remote site is configured as static (remote network has one ip address behind BGP)
remote site is configured as dynamic to allow tunnels from more then 1 ip

quick scheme:

 

marekszyc88_1-1705487765727.png

 

Go to solution
MHM Cisco World
VIP
VIP
In response to M.S.88

‎01-17-2024 02:52 AM

Did you add ISP2 outside interface as backup in fdm vpn ?

MHM

0 Helpful

Go to solution
M.S.88
Level 1
Level 1
In response to MHM Cisco World

‎01-17-2024 03:01 AM

yes, fdm looks like below:

marekszyc88_0-1705489236506.png

 

Go to solution
tvotna
Spotlight
Spotlight

‎01-17-2024 05:22 AM

This should work. Running config from FTD (or at least "show run crypto" + "show run nat") would be more helpful than a picture from FDM to begin with.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-17-2024 06:39 AM

NAT policy <<- are you add NO-NAT 
from INside Zone to OUTside1 Zone
froom INside Zone to OUTside2 Zone 

MHM

0 Helpful

Go to solution
Villager
Level 1
Level 1

‎01-17-2024 06:46 AM

i met like as issue with Azure. you want to get two tunnel active and standby, destination side is one side, or two side ? tunnel remote network is same subnet ? 

Go to solution
MHM Cisco World
VIP
VIP
In response to Villager

‎01-17-2024 07:49 AM

I ask him he confirm that Hawaii use dynamic 
also the FTD not encrypt  

so the traffic in FTD never hit the ACL 
MHM

0 Helpful

Go to solution
M.S.88
Level 1
Level 1

‎01-23-2024 05:51 AM

Hi all,

thanks for questions and your time.
I tested it in the virtual environment and everything is working fine, when sla is down traffic is switched to ISP2 and tunnel works fine, so problem is not at configuration FDM but on remote side

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to M.S.88

‎01-23-2024 05:58 AM

Thanks for update us

Glad issue is solved 

Have A nice day 

MHM

0 Helpful
Customers Also Viewed These Support Documents