Lab Topology
Firepower 7.4.1
Both the NA and EU sites have two ISPs. For simplicity, two route-based site-to-site VPN tunnels are configured: ISP1 <> ISP1 and ISP2 <> ISP2.
The best practice is to create one topology that has a backup VTI.
Alternatively, two topologies can be created that do not use a backup VTI.
For VPN failover, VPN DPD looks sufficient: it brings the VTI down, which causes failover to the backup tunnel. Alternatively, we can set up VTI interface path monitoring or use an SLA.
With path monitoring, it needs to be configured on the primary VTI interface on both sides.
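As an added example (not from the original lab and not Cisco code), the following Python model shows why DPD alone is enough for failover: once DPD on the primary VTI exhausts its retries, the VTI goes down, its static route is withdrawn, and the higher-metric route through the backup VTI takes over. The fixed DPD interval/retry semantics, the metrics and the interface names are constructed assumptions, not FTD defaults.

```python
from dataclasses import dataclass


@dataclass
class Vti:
    name: str
    metric: int            # static route metric to the remote LAN via this VTI
    dpd_interval: int      # seconds between DPD probes (assumed fixed, no backoff)
    dpd_retries: int       # unanswered probes before the peer is declared dead
    peer_reachable: bool = True
    up: bool = True
    missed: int = 0

    def tick_dpd(self):
        """One DPD probe cycle: a reply resets the miss counter, silence counts a miss."""
        if self.peer_reachable:
            self.missed = 0
            return
        self.missed += 1
        if self.missed >= self.dpd_retries:
            # IKE SA torn down -> VTI line protocol down -> its static route is withdrawn
            self.up = False


def best_route(vtis):
    """Lowest-metric route whose VTI is still up, as the routing table would select."""
    candidates = [v for v in vtis if v.up]
    return min(candidates, key=lambda v: v.metric).name if candidates else None


def simulate_isp_failure(vtis, failed_vti, duration=120):
    """Lose the peer behind one VTI at t=0; return (VTI carrying traffic at the end, failover second)."""
    for v in vtis:
        if v.name == failed_vti:
            v.peer_reachable = False
    initial = best_route(vtis)
    failover_at = None
    for t in range(1, duration + 1):
        for v in vtis:
            if t % v.dpd_interval == 0:
                v.tick_dpd()
        if failover_at is None and best_route(vtis) != initial:
            failover_at = t
    return best_route(vtis), failover_at


def lab_tunnels():
    """Constructed values for the NA<>EU lab: ISP1 tunnel preferred, ISP2 tunnel as backup."""
    return [Vti("vti-isp1", metric=1, dpd_interval=10, dpd_retries=3),
            Vti("vti-isp2", metric=10, dpd_interval=10, dpd_retries=3)]
```

With these values the primary route is withdrawn 30 seconds after ISP1 drops (3 probes at 10 s), which is the detection time you trade against tighter DPD timers or an SLA monitor.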
FTD-NA:
FTD-EU:
Before FTD-NA ISP1 is down:
Alternatively, we can use an SLA for VPN failover.