topic Re: Cisco FTD 2130 - drops all VTIs tunnel to different remote sites. in Network Security

Cisco FTD 2130 - drops all VTIs tunnel to different remote sites.

alonso2352 — Thu, 08 Feb 2024 21:30:04 GMT

Hi guys, I have this issue for a long time now. We have two pair of FTDs in HA in two different DCs. We have VTIs setup in both HA pairs going to each remote site. This case have been with Cisco TAC for a long time and we still not get to the real problem. What could cause all BGP neightbors to reset at the same time. I'm thinking a hardware problem or BGP table just flaps randomly. I'm happy to share any outputs or config. Also two of the VTIs are going to Azure.

Re: Cisco FTD 2130 - drops all VTIs tunnel to different remote sites.

tvotna — Fri, 09 Feb 2024 16:10:19 GMT

To say something we at least need topology diagram, configuration fragment with BGP and tunnel interfaces in place (replace all public IPs there with something like 192.0.2.x or x.1.2.3) and syslog from the time of the flap to understand whether BGP flaps on its own or IPSec tunnel flap brings down BGP.

Re: Cisco FTD 2130 - drops all VTIs tunnel to different remote sites.

Marius Gunnerud — Sat, 10 Feb 2024 23:37:27 GMT

We would need more information on how your VTI and BGP is setup, and preferably provide the configuration for review.

The times when I have seen similar issues is when BGP is advertising the public interface IP to the remote side over the VTI tunnel. So, be sure that you are filtering out the public IP from being advertised via BGP.

Re: Cisco FTD 2130 - drops all VTIs tunnel to different remote sites.

MHM Cisco World — Sun, 11 Feb 2024 10:44:56 GMT

The VTI tunnel is down when and only when the tunnel source is down and/or tunnel destination is not reachable.

Your case maybe related to routing issue' that the tunnel destination reachable via tunnel itself (via bgp)

So check prefix learn from bgp and tunnel destination' there is overlapping in supernet ?

MHM