Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6818
Views
5
Helpful
15
Replies

VPN Failover on FTDs

donald.heslop1
Level 1
Level 1

‎06-27-2019 07:42 AM - edited ‎02-21-2020 09:14 AM

Has anyone gotten VPN failover to work on Cisco FTDs (not ASAs with backup peers)? Here's the scenario, we are trying to setup two FTD 2100s in a HA pair for failover of not only the Internet but for S2S and RA-VPNs as well. So far we can get the Internet failover to work but when it comes to VPNs the FTD won't switch over to the backup VPN setup. I noticed that even though the Internet did fall over to the backup circuit the VPN with still saying go out of the primary interface.

 

So I completely ripped out the VPN policy, deploy, recreate the VPN policy to use the backup interface, and redeployed to the FTD. Routing table now says route traffic destined for the remote lan using the VPN which is now tied to the backup interface. You would think traffic should work right?

 

Wrong. Traffic will not work (I configured NAT and the ACP to match the original VPN that was working on the primary interface). I do a packet tracer and it allows the traffic but when I ping from one machine to a machine in the remote office, no traffic.

 

Then I rebuilt everything back to the primary interface and no traffic on the VPN. So now even though I rebuilt everything I have no VPN whatsoever.

 

Has anyone got failover VPN to work on FTDs without manual intervention? I'm seconds away from telling my Director to stop selling these things and go to PA.

Labels:
0 Helpful
15 Replies 15

donald.heslop1
Level 1
Level 1
In response to will.schroeder

‎04-07-2020 07:13 AM

will

Thanks for the reply. Unfortunately that doesn't address the original problem I'm having with adding a backup interface to the site to site vpn configuration. Adding a secondary peer is a good feature for IKev2 but currently you have to use flexconfig to config crypto on the secondary (backup) interface.

Basically it is the crypto ikev2 enable {backup interface} command that you would used on the ASA. At least that is what TAC told me. I haven't tested it out yet though.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card