10-13-2023 11:00 AM
Hi all,
I am running FMC 7.2.4 that manages a pair of 2140 FTDs used for dedicated VPN connections (remote access and site-to-site). Yesterday I made an attempt to configure a route-based VPN to AWS and mistakenly added the VTI to a security zone (VPN-Inside-Zone) that already has an interface assigned to it. I went to deploy my changes and the validation came back with several warnings and an error. Of course, and I can't remember if I had the option to, I did not proceed with deploying the changes in case it would've caused an issue with existing configurations; namely our remote access VPN. I decided to undo the changes I made in FMC which included deleting the route-based tunnel topology, deleting the VTI, and updating the ACP. Once this was done, I went to deploy my changes and received this error:
As you can see in this image, my dedicated VPN appliance only has 2 interfaces & 2 zones. There are other zones and interfaces managed by FMC but for a different firewall at another location:
The error seems to be complaining that my RADIUS server group has multiple interfaces assigned to it but that's not the case as you can only choose one interface if you're not routing for it and this server group is tied to one of my remote access VPN profiles. Seeing that I'm using posturing for it with ISE, I have to use dynamic authorization and choose an interface as the FMC will not allow me to use routing for it. Unfortunately, when I do this and attempt to deploy, I get the error in the first image above and I can't proceed with deploying the configuration. I don't understand why FMC is saying the VPN-Inside-Zone has multiple interfaces and I don't have any IGs configured for this device. I do have a workaround in place but has anyone else run into this issue? If so, what was done to resolve it? Also, is this a bug or did I perform a procedure that was not supposed to be done?
Thanks in advance!
01-22-2024 08:29 AM
Thanks. I actually opened a TAC case for this and the actual fix was the following:
- The script did not identify any duplicate interfaces.
- We made a dummy edit on the mentioned security zone object, and then the deployment began to work. In the security zone object:
  - deleted the interface
  - saved
  - added the same interface
  - saved
10-15-2023 12:22 AM
FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv41975
M.