I have multiple remote sites which connect to local ISPs but can only use DHCP to get public IP addresses. I need to set up Hub-and-Spoke route-based VPN tunnels between the remote sites and my primary DC and backup DC, for failover.
I configured two static VTIs per remote site FTD with unique IP addresses. I configured two hub-and-spoke VPN topologies: #1 for remote sites and the primary DC; #2 for remote sites and the backup DC. I use static routes on the remote site FTDs with different metrics to prefer tunnel 1 over tunnel 2.
The configuration deployed and works just fine for the VPN tunnels between the remote sites and the primary DC. But when I tried to deploy the configuration for the remote sites and the backup DC, FMC prompts an error, something like "VPN tunnel source and destination are using the same IP address", with no further detail. For testing, I changed DHCP to a static IP for one site and the deployment went through. Both tunnels are up and failover is good as well.
So I cannot have the spoke sites using a tunnel source that is configured with a DHCP/dynamic IP address? I have been searching the v7.4 documents and cannot find any reference to such a limitation/restriction. Any ideas?