Enabling a redundant gateway and configuring FQDN-based local authentication causes the Gateway NSD tunnel (IPsec) to the Symantec POP to flap. This occurs because both the primary and secondary VCGs attempt to establish IPsec tunnels with the Symantec POP primary and secondary nodes using the same FQDN.
The Symantec POP rejects the redundant IPsec tunnel attempts because it cannot accept multiple IPsec tunnels with the same FQDN. This limitation is specific to Symantec's configuration and results in frequent flapping of the IPsec tunnels.
All SD-WAN VCG software versions
Disabling the redundant VCG tunnel configuration ensures that only the primary VCG uses the FQDN for local authentication. This prevents deployment of the secondary NSD VCG and avoids the conflict.
An enhancement request (#113685) has been raised to support unique FQDNs for primary and secondary VCGs.