mogahlot
Staff
December 10, 2025

Troubleshooting Tip: VPN Site-to-Site tunnel Flapping Issue when 'Send Virtual Tunnel Interface IP to the peers' is enabled on Cisco FTD

Description: This article describes how to resolve a VPN site-to-site tunnel flapping issue caused by the 'mode-cfg' request that Cisco FTD sends when 'Send Virtual Tunnel Interface IP to the peers' is enabled.
Scope: IPsec VPN, Cisco FTD.
Solution

While troubleshooting a site-to-site VPN tunnel flap, it was observed that the peer device (Cisco FTD) was triggering Security Association (SA) deletion and re-initiating the tunnel establishment every 2 minutes.


This behaviour appears when 'Send Virtual Tunnel Interface IP to the peers' is enabled on the Cisco FTD. It is the equivalent of the 'mode-cfg' option on FortiGate, and the unanswered mode-cfg request causes retransmits.


(Screenshot: mode-cfg.png)


Investigation confirmed that, starting from version 7.3, Cisco FTD enables the option 'Send Virtual Tunnel Interface IP to the peers' by default in its IPsec configuration. This setting makes the device send a 'mode-cfg' request; mode-cfg is disabled on FortiGate by default, and the mismatch causes the VPN to flap.


(Screenshot: cisco ftd.png)


Disabling 'Send Virtual Tunnel Interface IP to the peers' under the IPsec configuration on Cisco FTD resolves the site-to-site VPN flaps.
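The FortiGate CLI checks below are an added example for confirming the symptom from the FortiGate side before changing the Cisco FTD setting; they are not part of the original article. The phase1-interface name "to-ftd" and the peer address 203.0.113.10 are placeholders, and the exact keyword of the IKE log filter varies slightly between FortiOS releases.

```text
# Added example (not from the original article). Assumed placeholders:
# phase1-interface "to-ftd", Cisco FTD peer address 203.0.113.10.

# 1. Confirm mode-cfg is at its FortiGate default (disabled) on this phase1.
#    A "set mode-cfg enable" line would mean the FortiGate already answers
#    mode-cfg requests; its absence is the case this article describes.
show vpn ipsec phase1-interface to-ftd

# 2. Capture IKE negotiation with the FTD peer only.
#    Flapping shows as the peer deleting the SA and renegotiating every ~2 minutes.
diagnose vpn ike log filter rem-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable

# 3. Confirm the tunnel uptime resets after each flap.
diagnose vpn ike gateway list name to-ftd
get vpn ipsec tunnel name to-ftd

# 4. Stop debugging once the evidence is collected.
diagnose debug disable
diagnose debug reset
```

Run step 2 for at least one full flap interval (a few minutes) so the SA delete and the fresh IKE_SA_INIT from the FTD both appear in the log; that pairing, rather than a single DPD timeout, is what points at the mode-cfg mismatch described above.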