1 Answer
Hi TJ,
Going by Cisco FTD documentation: https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/firepower_threat_defense_site_to_site_vpns.html#id_15287
If you have chosen point-to-point topology and only IKEv1, you can configure backup peer by entering the primary IP address and backup peer IP addresses separated by a comma.
Cisco documentation does not specify if IKEv2 can have a backup peer. It is possible that it is not supported.
Assuming you are using IKEv1 in active/passive mode, could you let us know what you see on the AWS side when you shut down tunnel 1 on Cisco?
- Does the AWS tunnel 1 go down and tunnel 2 come UP? If the tunnel does not come UP, try enabling AWS Site-to-Site VPN logs and check for error messages: https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html
- If tunnel 2 does come UP, monitor the CloudWatch metrics "TunnelDataIn" and "TunnelDataOut" for both tunnels when you perform the failover. Do you see traffic in either direction? https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html#metrics-dimensions-vpn
Feel free to respond and ask any additional clarifying questions and we'd be happy to answer.
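The two checks the answer asks for (which tunnel is UP after the primary is shut down, and whether TunnelDataIn/TunnelDataOut show bytes on the tunnel that took over) can be scripted. The following is an added example, not code from the answer or from AWS; the VPN ID, tunnel outside IPs and the CloudWatch datapoints are constructed sample data shaped like the `describe-vpn-connections` and `get-metric-statistics` responses, and the `fetch_live` helper (which needs boto3 and credentials) is the only part that talks to AWS.

```python
"""Assess an AWS Site-to-Site VPN failover: per-tunnel status from
describe-vpn-connections, then bytes in/out per tunnel from CloudWatch."""
from datetime import datetime, timedelta, timezone

# Constructed sample of one VpnConnection (only the fields used here),
# as it would look after the on-prem side shut down tunnel 1.
SAMPLE_VPN = {
    "VpnConnectionId": "vpn-0123456789abcdef0",  # hypothetical ID
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "DOWN",
         "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
        {"OutsideIpAddress": "203.0.113.20", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 1},
    ],
}

# Constructed CloudWatch "Sum" datapoints (5-minute periods), keyed by
# (tunnel outside IP, metric name). Tunnel 1 carries nothing after failover.
SAMPLE_METRICS = {
    ("203.0.113.10", "TunnelDataIn"): [0.0, 0.0],
    ("203.0.113.10", "TunnelDataOut"): [0.0, 0.0],
    ("203.0.113.20", "TunnelDataIn"): [18304.0, 20110.0],
    ("203.0.113.20", "TunnelDataOut"): [9120.0, 11075.0],
}


def tunnel_states(vpn):
    """Map each tunnel's outside IP to (Status, AcceptedRouteCount)."""
    return {t["OutsideIpAddress"]: (t["Status"], t["AcceptedRouteCount"])
            for t in vpn["VgwTelemetry"]}


def tunnel_traffic(metrics, ip):
    """Total bytes into and out of one tunnel over the sampled window."""
    data_in = sum(metrics.get((ip, "TunnelDataIn"), []))
    data_out = sum(metrics.get((ip, "TunnelDataOut"), []))
    return data_in, data_out


def assess_failover(vpn, metrics, primary_ip):
    """Decide whether the backup tunnel took over and is passing traffic."""
    states = tunnel_states(vpn)
    up = [ip for ip, (status, _) in states.items() if status == "UP"]
    if not up:
        return {"active": None, "verdict":
                "no tunnel UP; enable S2S VPN logs and read the IKE/IPsec errors"}
    if primary_ip in up:
        return {"active": primary_ip, "verdict":
                "primary tunnel still UP; failover has not happened"}
    backup = up[0]
    data_in, data_out = tunnel_traffic(metrics, backup)
    if states[backup][1] == 0:
        verdict = "backup UP but accepts no routes; check BGP or static routes"
    elif data_in > 0 and data_out > 0:
        verdict = "backup UP and passing traffic both ways: failover OK"
    elif data_in > 0 or data_out > 0:
        verdict = "backup UP but traffic is one-way; check on-prem routing/NAT"
    else:
        verdict = "backup UP but idle; check that on-prem routes now use it"
    return {"active": backup, "in": data_in, "out": data_out, "verdict": verdict}


def fetch_live(vpn_id, minutes=30, region="us-east-1"):
    """Pull the same two inputs from AWS. Needs boto3 and credentials;
    not exercised offline. Dimensions follow the AWS/VPN namespace docs."""
    import boto3  # imported lazily so the offline functions above still load
    ec2 = boto3.client("ec2", region_name=region)
    cw = boto3.client("cloudwatch", region_name=region)
    vpn = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_id])["VpnConnections"][0]
    end = datetime.now(timezone.utc)
    start = end - timedelta(minutes=minutes)
    metrics = {}
    for t in vpn["VgwTelemetry"]:
        ip = t["OutsideIpAddress"]
        for name in ("TunnelDataIn", "TunnelDataOut"):
            resp = cw.get_metric_statistics(
                Namespace="AWS/VPN", MetricName=name,
                Dimensions=[{"Name": "VpnId", "Value": vpn_id},
                            {"Name": "TunnelIpAddress", "Value": ip}],
                StartTime=start, EndTime=end, Period=300, Statistics=["Sum"])
            metrics[(ip, name)] = [d["Sum"] for d in resp["Datapoints"]]
    return vpn, metrics


if __name__ == "__main__":
    print(assess_failover(SAMPLE_VPN, SAMPLE_METRICS, primary_ip="203.0.113.10"))
```

Run it against the constructed sample to see the "failover OK" verdict; for a real connection call `fetch_live("vpn-...")` and pass the result to `assess_failover` with the outside IP of the tunnel you shut down on the Cisco side. A verdict of "no tunnel UP" is the case where the answer recommends turning on Site-to-Site VPN logs, and a "backup UP but idle" verdict usually means the on-prem side is still routing into the dead tunnel.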