FMC Deployment Failed - IPSec Site-to-Site VPN - Config Error

Hi Team,

I've configured Route Based IPSec Site-to-Site VPN according to the guide: Configure Route Based Site to Site VPN Tunnel on FTD Managed by FMC - Cisco

When I deploy the config, I'm getting the following error:

 

Refer to the following troubleshooting information when contacting Cisco TAC.

Lina messages
FMC >> clear configuration session
FMC >> strong-encryption-disable
FMC >> no dp-tcp-proxy
FMC >> crypto ikev2 policy 1
FMC >> encryption AES-256
FTDv1 >> error :
encryption AES-256
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- encryption AES-256

Other logs

Lina config ROLLBACK failure log
Lina configuration application failure. Error in lina apply phase due to Config Error response from LINA

Rollback skipped as Lina and SNORT are in sync
Write mem executed as Lina and SNORT are in sync

Lina write mem operation successful
Note:Deployment is successful in Control Node/Active unit. Deployment is skipped/incomplete on Data nodes due to one of the
I've tried with an IKEv1 policy and it fails as well.
 
Any ideas welcome!

 

Accepted Solutions

Strong encryption needs a license, which is free from Cisco and available in FTD.

But there is a bug where FMC pushes this feature as disabled to the FTD; this, combined with using AES-256, prevents the VPN from being active.

So as a workaround, use another cipher like AES-128 and open a TAC case; it can be a bug.

MHM


9 Replies

FMC >> strong-encryption-disable

You use AES-256 and strong encryption is disabled; you need to enable it.

MHM

As a workaround, use AES-128.

And open a TAC case.

MHM

Looks like it doesn't like it either...

I'll keep playing a little bit more to see if I can find a combo that works. And I'll keep the TAC option as well. Thanks for your help!

Refer to the following troubleshooting information when contacting Cisco TAC.

Lina messages
FMC >> clear configuration session
FMC >> strong-encryption-disable
FMC >> no dp-tcp-proxy
FMC >> crypto ikev2 policy 1
FMC >> encryption AES
FTDv1 >> error :
encryption AES
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- encryption AES

Other logs

Lina config ROLLBACK failure log
Lina configuration application failure. Error in lina apply phase due to Config Error response from LINA

What is the FTD and FMC version?

MHM


Version 7.4.2 (Build 172)

Thanks so much for that quick reply!! I double-checked my config and I'm still wondering what's the FMC option/config that ends up adding that config statement (strong-encryption-disable)..?
Is it dependent on how I create the IKEv2 policy?

This is what my IKEv2 policy looks like:

[Screenshots of the IKEv2 policy]

 


Confirmed: if I use the weakest option (Encryption DES; do not tell the security team! It's a lab environment anyway!!) the config gets pushed. AES (my understanding is that it's the 128-bit option) also fails, so it looks like it's also considered part of the strong group.

Thanks again!
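A small diagnostic that parses the "Lina messages" block quoted in this thread and flags the strong-encryption/AES symptom discussed above. This is an added example, not code from the thread or from a Cisco tool; the sample transcript is the one posted above, and the verdict labels and the set of ciphers treated as strong are my own, taken from what the thread reports (AES and AES-256 fail, DES deploys).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, copied from the failed deployment transcript in this thread.
FAILED_DEPLOYMENT = """\
FMC >> clear configuration session
FMC >> strong-encryption-disable
FMC >> no dp-tcp-proxy
FMC >> crypto ikev2 policy 1
FMC >> encryption AES-256
FTDv1 >> error :
encryption AES-256
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- encryption AES-256
"""

# Ciphers the thread shows being rejected once strong-encryption-disable is pushed
# ("AES" is the 128-bit option per the poster). DES deployed fine. Assumed set.
STRONG_CIPHERS = {"AES", "AES-128", "AES-256"}

@dataclass
class LinaDiagnosis:
    strong_encryption_disabled: bool
    failing_command: Optional[str]
    cipher: Optional[str]
    verdict: str  # "deployed", "strong-cipher-blocked" or "other-config-error"

def analyze_lina_messages(text: str) -> LinaDiagnosis:
    """Walk the 'Lina messages' block of an FMC deployment failure and decide
    whether the Config Error is the strong-encryption/AES symptom from this thread."""
    pushed, failing = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("FMC >> "):
            pushed.append(line[len("FMC >> "):])        # commands FMC sent to LINA
        elif line.startswith("Config Error -- "):
            failing = line[len("Config Error -- "):]     # the command LINA rejected
    strong_disabled = "strong-encryption-disable" in pushed
    cipher = None
    if failing and re.match(r"(?i)^encryption\s+\S+", failing):
        cipher = failing.split(None, 1)[1].upper()
    if failing is None:
        verdict = "deployed"
    elif strong_disabled and cipher in STRONG_CIPHERS:
        verdict = "strong-cipher-blocked"
    else:
        verdict = "other-config-error"
    return LinaDiagnosis(strong_disabled, failing, cipher, verdict)
```

Feed it the "Lina messages" section of the deployment failure pop-up; a "strong-cipher-blocked" verdict means the push contained strong-encryption-disable and LINA rejected a strong cipher, which is the combination MHM describes above.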

You are so welcome 

MHM
