Showing results for 
Search instead for 
Did you mean: 

FMC - site 2 site vpn extranet invalid endpoint configuration error


Hi guys,


i'm trying to add a new subnet  in a working vpn from my FMC (6.6.1 (build 91).) to an external device using the extranet field, once i've inserted the new subnet and clicked save, i'm promped the error as below, what can i do to solve it?

i haven't found any bug or other discussion with this issue.




 thank you

7 Replies 7

Rob Ingram
VIP Master VIP Master
VIP Master


Can't say I've seen that message before. Change the Node A and B around, put the Extranet as a Node B and the FMC managed FTD as Node A. This is the way I normally I do it and I do not have this error message.

Hi Rob,


i receive that error while trying to add a new subnet to the existing vpn.



Oh ok, so it's already setup and working then?

Which version and patch level, have you checked for bugs?

Obviously you've modified the screenshot, but the Device Name is the public IP address? Have you tried just defining a name/description, then define the public ip address under the IP address field.


sorry Rob, my mistake, i've added the correct screenshot, both name and ip address are configured as usual, i've always added new subnet with no issues, this the fist time i receive that error and yes the vpn is working from 2 weeks.

the version is 6.6.1 (build 91) and i haven't found any bug at the moment.


I have the below error too when trying to setup a site to site VPN on FTD running version 6.6.5:






Hopefully if you are still having this issue you monitor the thread as I have ran into the same problem and after beating my head against my desk for some time the solution came to me. In my situation the issue was not with the Extranet node/side but instead the other. On the other node/side there is a checkbox under the IP Address which in my case was checked called "This IP is Private" and under that was the public IP address of our device manually entered. I unchecked "This IP is Private" which removed the manual entry and I was immediately allowed to save my other configuration modifications that I was making. 

Hello James,

That was also the cause on my side. I had assumed that since the FTD was behind NAT I needed to the select the "This IP is Private" option. After reviewing the Cisco documentation, there was a note indicating that this option should be left unselected if the remote device is an Extranet device.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers