Limitations for Virtual Tunnel Interfaces
This topic lists the limitations for configuring Virtual Tunnel Interfaces in Management Center.
General limitations
- VTIs do not support clustering.
- VTI tunnel interfaces are not supported as the source interface for SNMP or Syslog in Platform Settings.
Static VTI limitations
- Only 20 unique IPsec profiles are supported.
- In policy-based routing, you can configure a VTI only as an egress interface, not as an ingress interface.
- You cannot configure a VTI interface as a network interface for a remote access VPN policy.
Dynamic VTI limitations
- Dynamic VTI does not support ECMP, VRF in multi-instance mode, clustering, IKEv1, or QoS.
- If a spoke has a dynamic IP address and the hub's dynamic VTI is behind NAT, the tunnel status is reported as unknown.
- For a dynamic extranet, when multiple spokes establish connections, the site-to-site monitoring dashboard does not show the individual tunnels.
- If you configure a hub with a dynamic VTI behind NAT and the spokes have dynamic IP addresses, the VPN monitoring data is not accurate.
- You cannot configure a VTI interface as a network interface for a remote access VPN policy.
Backup VTI limitations
- Flow resiliency across tunnel failovers is not supported: a cleartext TCP connection carried by the tunnel is lost when the tunnel fails over to the backup VTI. For example, an FTP transfer in progress during the failover must be restarted.
- Certificate authentication is not supported on a backup VTI; use pre-shared key authentication instead.
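The limitations above are easy to violate in a large hub-and-spoke design and are only reported at deployment time. The following is an added example (not Management Center code and not its REST API) of a pre-deployment lint that encodes the static, dynamic, and backup VTI limitations as checks over a planned design. The design model (plain dicts with keys such as `vtis`, `pbr_rules`, `ra_vpn_interfaces`, `platform_settings`) is an assumed stand-in for whatever export you keep as your source of truth; the sample design is constructed to trip several of the limits.

```python
"""Lint a planned VTI design against the documented Management Center limitations.

Added example, not Management Center code or its API. The design model below
(plain dicts) is an assumed stand-in; map your own configuration export onto it.
"""

MAX_UNIQUE_IPSEC_PROFILES = 20  # static VTI limit from the limitations list


def _vti_names(design):
    return {v["name"] for v in design.get("vtis", [])}


def check_vti_design(design):
    """Return a list of findings; an empty list means no documented limitation is hit."""
    findings = []
    vtis = design.get("vtis", [])
    names = _vti_names(design)

    # General limitations: no clustering with VTIs, no VTI as SNMP/Syslog interface.
    if vtis and design.get("clustering", False):
        findings.append("general: VTIs configured on a clustered device (clustering is not supported)")
    for svc in ("snmp", "syslog"):
        for iface in design.get("platform_settings", {}).get(svc, []):
            if iface in names:
                findings.append(f"general: {svc} in Platform Settings uses VTI {iface} (not supported)")

    # Static VTI limitations: profile count and PBR direction.
    static = [v for v in vtis if v["type"] == "static"]
    profiles = {v["ipsec_profile"] for v in static}
    if len(profiles) > MAX_UNIQUE_IPSEC_PROFILES:
        findings.append(f"static: {len(profiles)} unique IPsec profiles exceed the limit of {MAX_UNIQUE_IPSEC_PROFILES}")
    for rule in design.get("pbr_rules", []):
        if rule.get("ingress") in names:
            findings.append(f"static: PBR rule uses VTI {rule['ingress']} as ingress (VTI is egress-only in PBR)")

    # Listed for both static and dynamic VTI: no VTI as a remote access VPN interface.
    for iface in design.get("ra_vpn_interfaces", []):
        if iface in names:
            findings.append(f"vti: remote access VPN policy uses VTI {iface} as its interface (not supported)")

    # Dynamic VTI limitations: IKEv1, ECMP, QoS, and the NAT monitoring caveat.
    for v in vtis:
        if v["type"] != "dynamic":
            continue
        if v.get("ike_version") == 1:
            findings.append(f"dynamic: {v['name']} uses IKEv1 (not supported on dynamic VTI)")
        for feature in ("ecmp", "qos"):
            if v.get(feature, False):
                findings.append(f"dynamic: {v['name']} enables {feature.upper()} (not supported on dynamic VTI)")
        if v.get("hub_behind_nat") and design.get("dynamic_spokes"):
            findings.append(f"dynamic: {v['name']} is a hub behind NAT with dynamic spokes; tunnel status and VPN monitoring will be inaccurate")

    # Backup VTI limitations: certificate authentication is not supported.
    for v in static:
        if v.get("backup_vti") and v.get("auth") == "certificate":
            findings.append(f"backup: {v['name']} uses certificate authentication on a backup VTI (not supported)")

    return findings


# Constructed sample design (not from any real deployment) that trips several limits.
SAMPLE_DESIGN = {
    "clustering": False,
    "platform_settings": {"snmp": ["inside"], "syslog": ["vti-hq"]},
    "vtis": [
        {"name": "vti-hq", "type": "static", "ipsec_profile": "P-hq",
         "backup_vti": True, "auth": "certificate"},
        {"name": "dvti-spokes", "type": "dynamic", "ipsec_profile": "P-spokes",
         "ike_version": 1, "qos": True, "ecmp": False, "hub_behind_nat": True},
    ],
    "dynamic_spokes": True,
    "pbr_rules": [{"ingress": "vti-hq", "egress": "outside"},
                  {"ingress": "inside", "egress": "vti-hq"}],
    "ra_vpn_interfaces": ["outside", "dvti-spokes"],
}

if __name__ == "__main__":
    for finding in check_vti_design(SAMPLE_DESIGN):
        print(finding)
```

Run the lint from whatever pipeline renders your design into the model before you push a deployment; the checks are cheap and each finding quotes the limitation it comes from, so a reviewer can verify it against this page.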