AWS Site to Site VPN with Cisco FTD

Question

We are trying to create a VPN tunnel between our VPC and a customer running a Cisco FTD appliance. He is stating that Cisco doesn't recommend running two tunnels in wither Active\Active or Active\Passive. Not sure if the customer just isnt familiar enough with this device or... From what Ive read, it looks like it does support Active\Passive configuration to AWS. When he does get both tunnels working, it will only route out the initial one. I shut down the working tunnel and the redundant tunnel fails to route traffic either way. Does anyone have any experience with this? Thank you in advance.

Answer

Hi TJ,

Going by Cisco FTD documentation: https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/firepower_threat_defense_site_to_site_vpns.html#id_15287

>> If you have chosen point-to-point topology and only IKEv1, you can configure backup peer by entering the primary IP address and backup peer IP addresses separated by a comma.

Cisco documentation does not specify if IKEv2 can have a backup peer. Possible it is not supported.

Assuming you are using IKEv1 in active/passive mode, could you let us know what you see on the AWS side when you shut down tunnel 1 on Cisco?

1) Does the aws tunnel 1 go down and tunnel 2 come UP? If Tunnel does not come UP, try enabling AWS Site-to-Site VPN logs and check for error messages : https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html
2) If Tunnel 2 does come UP. Monitor the CloudWatch metrics for "TunnelDataIN" and "TunnelDataOut" for both tunnels when you perform the failover. Do you see traffic in either direction? https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html#metrics-dimensions-vpn

Feel free to respond and ask any additional clarifying questions and we'd be happy to answer.

AWS Site to Site VPN with Cisco FTD

Relevant content