Symptom
DefaultL2LGroup ipsec-attributes information is overwritten when adding a new DVTI to the hub FTD/ASA.
Conditions
An existing DVTI with active spoke connections is present on the hub, and an additional DVTI is then applied to it: on FTD, deployed via FMC; on ASA, via CLI configuration.
BEFORE deployment of additional DVTI:
FTD72# more system:running-config | beg tunnel-group DefaultL2LGroup
tunnel-group DefaultL2LGroup general-attributes
default-group-policy .DefaultS2SGroupPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
virtual-template 1
ikev2 remote-authentication pre-shared-key cisco
ikev2 local-authentication pre-shared-key cisco
ikev2 route set interface
AFTER deployment of additional DVTI:
FTD72# more system:running-config | beg tunnel-group
tunnel-group DefaultL2LGroup general-attributes
default-group-policy .DefaultS2SGroupPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
virtual-template 2
ikev2 remote-authentication pre-shared-key cisco123!
ikev2 local-authentication pre-shared-key cisco123!
ikev2 route set interface
The additional DVTI causes the ipsec-attributes of the DefaultL2LGroup to be overwritten, so the virtual-template and PSK change with each additional DVTI deployment. Each previously working DVTI then becomes unusable.
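A practical way to catch this regression is to snapshot the running-config before and after a deployment (for example with the `more system:running-config | beg tunnel-group DefaultL2LGroup` command shown above) and compare the DefaultL2LGroup ipsec-attributes block. The following Python script is an added example, not part of the bug report or Cisco's tooling; the two config excerpts are constructed from the before/after output above, with the one-space subcommand indentation that ASA/FTD uses in real output, and the `ipsec_attributes` / `changed_attributes` function names are this example's own. Pre-shared-key values are deliberately never included in the report, only the fact that they changed.

```python
from typing import Dict, List

# Constructed running-config excerpts, based on the bug report's before/after
# output. Subcommand lines are indented by one space, as ASA/FTD prints them.
BEFORE_CONFIG = """\
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy .DefaultS2SGroupPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 virtual-template 1
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
 ikev2 route set interface
"""

AFTER_CONFIG = """\
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy .DefaultS2SGroupPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 virtual-template 2
 ikev2 remote-authentication pre-shared-key cisco123!
 ikev2 local-authentication pre-shared-key cisco123!
 ikev2 route set interface
"""


def ipsec_attributes(config: str, group: str = "DefaultL2LGroup") -> Dict[str, str]:
    """Extract the 'tunnel-group <group> ipsec-attributes' block as a dict.

    Keys are attribute names; values are the trailing token. For pre-shared-key
    lines the key stops at 'pre-shared-key' and the value is the secret, so
    callers can compare secrets without ever printing them. The block ends at
    the next non-indented line (the next top-level command).
    """
    attrs: Dict[str, str] = {}
    header = f"tunnel-group {group} ipsec-attributes"
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level command: decide whether we are entering the target block.
            in_block = line.strip() == header
            continue
        if not in_block:
            continue
        tokens = line.split()
        if tokens[0] == "virtual-template":
            attrs["virtual-template"] = tokens[1]
        elif "pre-shared-key" in tokens:
            # e.g. "ikev2 remote-authentication pre-shared-key <secret>"
            key = " ".join(tokens[: tokens.index("pre-shared-key") + 1])
            attrs[key] = tokens[-1]
        else:
            # Flag-style lines such as "ikev2 route set interface"
            attrs[" ".join(tokens)] = ""
    return attrs


def changed_attributes(before: str, after: str, group: str = "DefaultL2LGroup") -> List[str]:
    """Return the sorted names of ipsec-attributes that differ between snapshots.

    Only attribute names are returned, so a changed pre-shared-key is reported
    without disclosing either the old or the new secret.
    """
    old = ipsec_attributes(before, group)
    new = ipsec_attributes(after, group)
    return sorted(key for key in set(old) | set(new) if old.get(key) != new.get(key))


if __name__ == "__main__":
    changed = changed_attributes(BEFORE_CONFIG, AFTER_CONFIG)
    if changed:
        print("DefaultL2LGroup ipsec-attributes were overwritten by the deployment:")
        for name in changed:
            print(f"  - {name}")
        print("Existing DVTI spokes bound to the previous settings may no longer connect.")
    else:
        print("DefaultL2LGroup ipsec-attributes unchanged.")
```

Run against the two excerpts the script reports that `virtual-template` and both `ikev2 ... pre-shared-key` lines changed while `ikev2 route set interface` did not; an empty result after a deployment means the DefaultL2LGroup block survived intact.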
Workaround
Do not use more than one DVTI on the hub device
Further Problem Description