FortiGate
mogahlot
Staff
Article Id 422352
Description This article describes how to resolve a site-to-site IPsec VPN tunnel flapping issue that occurs when the 'mode-cfg' equivalent setting is enabled on Cisco FTD.
Scope IPsec VPN, Cisco FTD.
Solution

During troubleshooting of a site-to-site VPN tunnel flapping issue, it was observed that the peer device (Cisco FTD) was triggering Security Association (SA) deletion and re-initiating tunnel establishment every 2 minutes.


This behaviour appears when Cisco FTD has 'Send Virtual Tunnel Interface IP to the peers' enabled (the equivalent of the 'mode-cfg' option on FortiGate), which results in retransmits.


[Image: mode-cfg.png]


Investigation confirmed that, starting from version 7.3 of Cisco FTD, the option 'Send Virtual Tunnel Interface IP to the peers' is enabled by default in the IPsec configuration. This setting causes the FTD to send a 'mode-cfg' request; because mode-cfg is disabled on FortiGate by default, this causes the VPN to flap.


[Image: cisco ftd.png]


Disabling 'Send Virtual Tunnel Interface IP to the peers' under the IPsec configuration on Cisco FTD resolves the site-to-site VPN flapping.
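As an added example (not part of this article or of any Fortinet tool), the following Python check scans FortiGate VPN event logs for tunnels whose tunnel-down events recur on a roughly fixed period, such as the two-minute SA teardown described above, so the affected peer can be identified before digging into IKE debugs. The log lines are constructed samples; the field names follow the FortiGate key=value event log format.

```python
import re
import statistics
from datetime import datetime

# Constructed sample of FortiGate VPN event log lines (not a real capture):
# "ftd-s2s" is torn down by its peer roughly every two minutes, "branch-b" is stable.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:00 type="event" subtype="vpn" action="tunnel-down" vpntunnel="ftd-s2s" remip=203.0.113.10
date=2024-05-01 time=10:00:03 type="event" subtype="vpn" action="tunnel-up" vpntunnel="ftd-s2s" remip=203.0.113.10
date=2024-05-01 time=10:01:00 type="event" subtype="vpn" action="tunnel-down" vpntunnel="branch-b" remip=198.51.100.7
date=2024-05-01 time=10:01:04 type="event" subtype="vpn" action="tunnel-up" vpntunnel="branch-b" remip=198.51.100.7
date=2024-05-01 time=10:02:01 type="event" subtype="vpn" action="tunnel-down" vpntunnel="ftd-s2s" remip=203.0.113.10
date=2024-05-01 time=10:02:04 type="event" subtype="vpn" action="tunnel-up" vpntunnel="ftd-s2s" remip=203.0.113.10
date=2024-05-01 time=10:04:00 type="event" subtype="vpn" action="tunnel-down" vpntunnel="ftd-s2s" remip=203.0.113.10
date=2024-05-01 time=10:04:03 type="event" subtype="vpn" action="tunnel-up" vpntunnel="ftd-s2s" remip=203.0.113.10
date=2024-05-01 time=10:06:02 type="event" subtype="vpn" action="tunnel-down" vpntunnel="ftd-s2s" remip=203.0.113.10
date=2024-05-01 time=10:06:05 type="event" subtype="vpn" action="tunnel-up" vpntunnel="ftd-s2s" remip=203.0.113.10
"""

# Matches key=value pairs, with values either double-quoted or bare (IPs, numbers).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime under "ts"."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def find_flapping_tunnels(log_text, period_s=120, tolerance_s=15, min_downs=3):
    """Return {tunnel: median seconds between tunnel-down events} for tunnels
    whose down events recur on a fixed period within tolerance_s of period_s."""
    downs = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") == "tunnel-down" and "vpntunnel" in f:
            downs.setdefault(f["vpntunnel"], []).append(f["ts"])
    flapping = {}
    for name, stamps in downs.items():
        stamps.sort()
        if len(stamps) < min_downs:  # too few events to call the pattern periodic
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - period_s) <= tolerance_s:
            flapping[name] = median_gap
    return flapping
```

Run `find_flapping_tunnels(open("vpn-events.log").read())` on an exported event log; a tunnel reported with a gap near 120 s is a candidate for the peer-side 'Send Virtual Tunnel Interface IP to the peers' check described above.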