FTD Site to Site VPN Disconnection

dcanady55 · ‎05-01-2023

Hello,

FTD 2110 on 7.3. using route based site to site VPN.

I recently created a few site-to-site VPNs with a third party. We have some alerting setup to monitor the public IP of those tunnels, and over the weekend there were a fair number of disconnection notices. I discovered all my down logs occurred right before the 8 hour mark. From what I read, 8 hours is the default timer before phase 2 tears down the tunnel. Shouldn't the tunnels try and renegotiate before this timer stays up, and can I modify this timer somehow?

Thanks,

MHM Cisco World · ‎05-01-2023

Sorry you have two route-based VPN, and config BGP now what issue exactly ?

dcanady55 · ‎05-01-2023

Sorry for the confusion, but the site-to-site VPNs are route-based, and I am using BGP to help control the routing to and from these tunnels. I wasn't sure BGP information was relevant, but it's new to me, so maybe there's something I can leverage around BGP to help monitor the tunnels.

MHM Cisco World · ‎05-01-2023

the primary VPN must have LP higher than the backup.
BGP must establish over two route-based VPN tunnel
the FPR will use primary and when it down it will use backup.

dcanady55 · ‎05-02-2023

Hello MHM,

I am aware of what you posted. I'm not inquiring about anything BGP-related as the backup works fine, but I'm still monitoring each tunnel, and I'm trying to determine from the logs if possible which end of the tunnel had issues resulting in failure. I'm also trying to understand why there's no log message for when the tunnel comes back online.

thanks