Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
698
Views
0
Helpful
5
Replies

"Handling event from device" Then VPN goes down

jespada11
Level 1
Level 1

‎07-28-2025 06:20 AM

Hello, We have a policy-based VPN to a third party that randomly goes down briefly, but after it comes back up, we still lose messages for 15-20 minutes. Each side says they have no touched the config since it was created years ago. We got on a call and varied are settings matched.

Environment:

Virtual Cisco FTD in Azure
Managed by CDO (not on-premises FMC)
Multiple tunnels to same third-party (some locations fail, others don't simultaneously)

Symptoms:

Random failures (no time pattern - sometimes hours apart, sometimes days)
Tunnel goes down for less than a second, then comes back up
But messages are lost for 15-20 minutes after tunnel recovery
Logs show: "Handling event from device: [my FTD device ID]" followed by "reason => 'Lost Service'"

Question: How can I determine what specific event triggers the "Handling event" message? The logs don't show the root cause - just that my FTD initiated the teardown with generic reasons.

0 Helpful
5 Replies 5

MHM Cisco World
VIP
VIP

‎07-28-2025 06:24 AM

Sorry can you elaborate 

MHM

0 Helpful

jespada11
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2025 07:05 AM

Elaborate in what way? What information do you need that you think is missing?

0 Helpful

jespada11
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2025 12:28 PM

jespada11_1-1753730739722.png

I am trying to figure out if there is anything I can do to get more information on what the "Handling event from device" that is seen which is then followed by our VPN tunnel going down is and lost service. 

These are very generic and I cant get down to a fixable root cause. 

0 Helpful

MHM Cisco World
VIP
VIP
In response to jespada11

‎07-30-2025 09:13 AM

$$Handling event from device: [my FTD device ID]$$

This mean less' it only start of event' it appear in any event' like timestamp in log.

I need to know exact event.

Also you run VTI with zscaler?

VTI down only when tunnel source and/or tunnel destination is down.

MHM

0 Helpful

Sheraz.Salim
VIP Alumni
VIP Alumni

‎07-31-2025 01:36 AM

as you running policy based vpn. could be the remote side have issue with internet connectivity? how many other vpn tunnel with this remote side you have?

as your FTD on clould unlikely your coluld haivng issues its more likely the remote end have something to do with.

have you asked the remote side to get the confirmation from there service provide there is no outrage?

"Lost Service" means when you lost the connection with remote vpn-tunnel.

you may configure the capture on your FTD at LINA. it might give you some where starting point to start looking where the problem is

Connnect to FTD cli

system support diagnostic-cli
!
capture ike_cap type isakmp interface outside match ip host 1.1.1.1 host 8.8.8.8

 I think you can do this from CDO too. But i have not used so no idea how to set this up.

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card