Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
662
Views
5
Helpful
5
Replies

FMC site-to-site VPN

dhacking
Level 1
Level 1

‎07-03-2022 07:12 PM

Hi all,

Recently my company has acquired some a few Firepower 1120 security appliances and a firepower management VM for use at our various branch offices.

I am trying to configure a route-based site-to-site IPsec tunnel between a pair of them within the FMC and am having no luck.

 

The problem is that when attempting to save the VPN configuration, I am given the following error:

"Both peers have different tunnel source IP versions configured for
their interfaces.

One peer has been configured with an IPv4 tunnel source and the
other peer has been configured with an IPv6 tunnel source.

Select both interfaces so that the IP versions of the tunnel source
interfaces match on both peers."

 

I'm not sure what the cause of this error is, as it's clear that both tunnel source interfaces have been assigned an IPv4 address.

 

A couple of things to note:

Both firewalls are assigned a static address via DHCP

The remote firewall is managed remotely via the outside interface. Not sure if this is a possible issue since i've noticed that I cannot select the outside interface as a source for the VTI unless FMC management is temporarily disabled

IPv6 is disabled on the outside interface of both firewalls

Pretty new to these so apologies for any ignorance. Not sure if i've just missed something obvious or there is something else going on.

 

Regards
Dan

0 Helpful
5 Replies 5

MHM Cisco World
VIP
VIP

‎07-03-2022 07:57 PM

check the ip get from SP via dhcp is it ipv6 or ipv4?

0 Helpful

dhacking
Level 1
Level 1
In response to MHM Cisco World

‎07-03-2022 08:14 PM

Hi,

both Firewalls have received an IPv4 address and IPv6 is disabled on both outside interfaces

regards

0 Helpful

Marius Gunnerud
VIP
VIP

‎07-04-2022 12:05 AM - edited ‎07-05-2022 05:30 AM

Is the configured IP on the device that is sending with a source of IPv6 a private IPv4 address?  might be that the ISP is NATing you to an IPv6 address.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

dhacking
Level 1
Level 1

‎07-04-2022 12:26 AM

Hi all,

I have spoken to Cisco TAC support and it turns out this may be a bug:

https://bst.cisco.com/bugsearch/bug/CSCwb87279

 

Turns out the FMC/FTDs do not support dynamic VTIs so I will look at changing these over to static addresses and then see how I go

Thanks for all the responses

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to dhacking

‎07-04-2022 08:07 AM

Thanks for sharing the bug details. That's good to know even though it doesn't resolve the issue.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card