FTD VTI tunnels limit

NUSFETLEN
Level 1

I use FTD (FPR1010) for VTI tunnels to remote sites. When I have 10 tunnels, they are all stable; however, as soon as I add a new tunnel it works but flaps periodically. As more new tunnels are added, they flap more frequently. At the same time, the original 10 tunnels are still stable (only the new tunnels are flapping). It looks weird to me. Does the FPR1010 have a limit on the number of VTI tunnels? Should I switch to the next version (FPR1012) to have more than 10 tunnels (actually I need around 50 tunnels from the FTD)? With the ASA 5506 I could have around 25 VTI tunnels without any issue.

17 Replies

Does this VTI flap happen on both FTD units, or does it only happen on your side of the FTD? (If you have access to both FTDs, run the commands below on both FTDs, as that will give us more insight.)

Even if upgrading the software does not fix the issue, in that case the next step is that we need to collect some debugs from your side of the FTD unit. If I remember, the issue is on your side (apologies for that).

You need to SSH into the FTD command line. Once you are in the command line, enter Privileged EXEC mode with the system support diagnostic-cli command. Once in there, run these commands and post the output here. Ideally, we need to understand what is causing this issue.

debug crypto condition peer X.X.X.X  (Public IP address of the remote FTD)
debug crypto ikev2 platform 255
debug crypto ikev2 protocol 255
debug crypto ipsec
!
capture VTI type isakmp interface outside match ip host x.x.x.x host y.y.y.y

The capture VTI mentioned above: you can also configure these captures from the FMC, which is easier and lets you offload them straight into Wireshark.

(Note: I assume you are running IKEv2?)

please do not forget to rate.

NUSFETLEN
Level 1

I've found a fix for the problem. For each tunnel with an FTD at the far end, I've added a unique Local Identity Configuration Key ID. After that all tunnels are up and stable. It seems the reason was that the IP address of each remote FTD's outside interface behind NAT is the same on all remote FTDs, and each FTD uses this IP address as its ID by default. This explains why only one tunnel at a time was up for about 20 seconds, until another tunnel with the same ID came up.
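
The fix above works because an IKEv2 responder keys its security associations by the peer's identity, not by the address the packets arrive from. The following is an added example, not code from this thread, from FTD or from Cisco: a small Python model of a hub responder that treats a new IKE_AUTH carrying an already-known peer identity as that peer re-establishing and drops the older SA (the simplified rule this example assumes; the real FTD logic is not on this page). Three spokes that all present their identical NATted outside address as an ID_IPV4_ADDR identity take turns being up, while the same spokes with unique ID_KEY_ID identities (what the FMC "Local Identity Configuration" Key ID maps to) all stay up. The spoke addresses, identities and the `find_collisions` pre-check are constructed for the example.

```python
"""Model of why colliding IKEv2 identities make hub-and-spoke VTI tunnels take turns.

Added example, not code from the Cisco Community thread or from FTD. It assumes a
simplified responder rule: a new IKE_AUTH whose peer identity matches an existing
SA replaces that SA. All addresses and identities below are constructed sample data.
"""
from dataclasses import dataclass

# IKEv2 Identification payload ID types (RFC 7296, section 3.5).
ID_IPV4_ADDR = 1   # default on the FTD: the outside interface address
ID_KEY_ID = 11     # what a configured "Key ID" local identity is sent as


@dataclass(frozen=True)
class IkeId:
    """An IKEv2 identity is the (type, data) pair; a key-id "10.0.0.1" is not an address."""
    id_type: int
    data: str


@dataclass
class IkeSa:
    peer_addr: str   # post-NAT public source address of the spoke
    peer_id: IkeId


class HubResponder:
    """Hub FTD stand-in: one SA per peer identity (assumed simplification)."""

    def __init__(self):
        self.sas = {}        # IkeId -> IkeSa
        self.events = []     # ("up" | "teardown", peer_addr, IkeId)

    def on_ike_auth(self, peer_addr, peer_id):
        existing = self.sas.get(peer_id)
        if existing is not None and existing.peer_addr != peer_addr:
            # Same identity from another address: treated as the same peer coming
            # back, so the older SA is dropped. This is the "flap" the thread sees.
            self.events.append(("teardown", existing.peer_addr, peer_id))
            del self.sas[peer_id]
        self.sas[peer_id] = IkeSa(peer_addr, peer_id)
        self.events.append(("up", peer_addr, peer_id))

    def active_peers(self):
        return sorted(sa.peer_addr for sa in self.sas.values())


def simulate(spokes, rounds=1):
    """Each round, every spoke whose tunnel is down (re)sends IKE_AUTH to the hub.

    Returns (sorted active peer addresses, total number of teardowns).
    """
    hub = HubResponder()
    for _ in range(rounds):
        for addr, ident in spokes:
            sa = hub.sas.get(ident)
            if sa is None or sa.peer_addr != addr:   # down from this spoke's view
                hub.on_ike_auth(addr, ident)
    teardowns = sum(1 for ev in hub.events if ev[0] == "teardown")
    return hub.active_peers(), teardowns


def find_collisions(spokes):
    """Pre-deployment check: identities claimed by more than one spoke address."""
    by_id = {}
    for addr, ident in spokes:
        by_id.setdefault(ident, []).append(addr)
    return {ident: addrs for ident, addrs in by_id.items() if len(addrs) > 1}


# Constructed sample: three remote FTDs, each behind its own NAT, each with the same
# RFC 1918 outside address and (by default) sending that address as its IKE ID.
NATTED_OUTSIDE = "192.168.1.2"
SPOKES_DEFAULT_ID = [
    ("203.0.113.10", IkeId(ID_IPV4_ADDR, NATTED_OUTSIDE)),
    ("198.51.100.20", IkeId(ID_IPV4_ADDR, NATTED_OUTSIDE)),
    ("192.0.2.30", IkeId(ID_IPV4_ADDR, NATTED_OUTSIDE)),
]
# Same spokes after giving each one a unique Key ID local identity.
SPOKES_KEY_ID = [
    ("203.0.113.10", IkeId(ID_KEY_ID, "site-a-ftd")),
    ("198.51.100.20", IkeId(ID_KEY_ID, "site-b-ftd")),
    ("192.0.2.30", IkeId(ID_KEY_ID, "site-c-ftd")),
]

if __name__ == "__main__":
    print("colliding IDs:", find_collisions(SPOKES_DEFAULT_ID))
    print("default IDs, 2 rounds:", simulate(SPOKES_DEFAULT_ID, rounds=2))
    print("key-id IDs,  2 rounds:", simulate(SPOKES_KEY_ID, rounds=2))
```

With the default identities only one spoke is up after each round and the teardown count keeps growing with every retry round, which is the periodic flapping the original post describes; with unique Key IDs the `find_collisions` check returns nothing and no SA is ever displaced. The same check is worth running against a planned spoke list before adding the eleventh tunnel.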

happy ending in the end
have a nice day 
MHM 
