Thursday, August 19, 2021

Active/Active IPSec VPN tunnels up issue

Hi Guys,

Got a task to design and implement active/active IPsec VPN tunnels from an on-prem Cisco Firepower to an Azure network.

Below is a little bit of background information:

My local gateway device has two WAN uplinks, hence I am able to create two IPsec tunnels to the Azure end; the Azure gateway can have two public IP addresses when active/active mode is enabled.

The two WAN uplinks on the Firepower are configured in primary/backup mode (we have changed the administrative distance on the secondary WAN default route to achieve that). Hence my concern is that when the IPsec keep-alive/SA traffic travels, both tunnels' SAs would go out via the primary WAN interface, as there is only one active default route in the Firepower routing table. Therefore the secondary IPsec keep-alive packets will have issues when they reach the Azure secondary public address, because when the Firepower sends those SA packets to Azure it won't use the secondary WAN interface; instead that traffic would go out the primary interface?

Once we have this IPsec tunnel setup, we would add VTI tunnels and BGP on top of it to advertise the protected networks from both sides, but I think those are not relevant to my concerns, so I have mentioned them only at the end.

Any help or suggestions are much appreciated and hope you guys all have a good day.

Thanks,

Bill
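The routing concern raised in the post, as an added example that is not part of the original post: a simplified longest-prefix-match lookup over the Firepower table as described (two default routes, the backup with a higher administrative distance) shows both Azure peers egressing via the primary uplink, and a host route for the second peer (an assumed, common mitigation, not something the post states) pins that peer to the second uplink. Peer addresses are constructed RFC 5737 documentation values.

```python
import ipaddress

# Constructed example: a simplified copy of the forwarding decision the post
# worries about. Route selection here is longest prefix first, then lowest
# administrative distance (AD), which is the active route among equal prefixes.

def lookup(routes, dst):
    """Return the route entry chosen for dst, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen, -r["ad"]),
    )

AZURE_GW1 = "203.0.113.10"  # constructed: Azure active/active gateway instance 1
AZURE_GW2 = "203.0.113.11"  # constructed: Azure active/active gateway instance 2

# Firepower table as described in the post: two default routes, the backup
# one with a higher AD so only the primary default route is active.
PRIMARY_BACKUP = [
    {"prefix": "0.0.0.0/0", "iface": "WAN1", "ad": 1},
    {"prefix": "0.0.0.0/0", "iface": "WAN2", "ad": 250},
]

# Assumption (common mitigation, not from the post): a host route that pins the
# second peer to the second uplink, so its IKE/ESP traffic leaves via WAN2.
PINNED = PRIMARY_BACKUP + [
    {"prefix": AZURE_GW2 + "/32", "iface": "WAN2", "ad": 1},
]

def egress_interfaces(routes):
    """Map each Azure peer to the interface its tunnel traffic would leave on."""
    return {peer: lookup(routes, peer)["iface"] for peer in (AZURE_GW1, AZURE_GW2)}

if __name__ == "__main__":
    print("primary/backup only:", egress_interfaces(PRIMARY_BACKUP))
    print("with host route:    ", egress_interfaces(PINNED))
```

The host route only fixes egress selection; the second tunnel's local IKE identity and source address must also be the WAN2 address, otherwise its packets still leave with the wrong source.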
