FTD Route based VPN

N3om
Level 1

Hi

I have created the VTI interface for this, but when I run packet tracer input, the VTI interface is not in the list of available interfaces to use in packet tracer??

Any ideas anyone 
Thanks

7 Replies

Weird

Anyway, you can use the Inside interface in packet tracer, and the route lookup must point to the VTI.

MHM
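Since the VTI cannot be selected as the packet-tracer input interface, the practical check is the one suggested above: trace from inside toward the peer subnet and confirm the route lookup sends the packet out the VTI. The following is an added example, not code from the thread or from Cisco: a small Python parser over a constructed packet-tracer output (the interface names, addresses and phase text are assumptions made for illustration) that checks the egress interface and the final action.

```python
import re

# Constructed sample of FTD/ASA packet-tracer output, not captured from a
# real device; interface names and addresses are illustrative assumptions.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
Found next-hop 10.10.10.1 using egress ifc  vti-peer(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Additional Information:

Result:
input-interface: inside(vrfid:0)
input-status: up
output-interface: vti-peer(vrfid:0)
output-status: up
Action: allow
"""

def parse_phases(output):
    """Return (Type, Result) pairs, one per 'Phase:' block, in order."""
    phases = []
    for block in re.split(r"\n(?=Phase: )", output):
        if not block.startswith("Phase"):
            continue  # the trailing summary block is not a phase
        t = re.search(r"^Type: (.+)$", block, re.M)
        r = re.search(r"^Result: (.+)$", block, re.M)
        if t and r:
            phases.append((t.group(1).strip(), r.group(1).strip()))
    return phases

def egress_interface(output):
    """Egress nameif from the summary, with any '(vrfid:N)' suffix dropped."""
    m = re.search(r"^output-interface: ([^\s(]+)", output, re.M)
    return m.group(1) if m else None

def final_action(output):
    m = re.search(r"^Action: (\w+)", output, re.M)
    return m.group(1) if m else None

def check_vti_path(output, vti_name):
    """True only if ROUTE-LOOKUP allowed, egress is the VTI and action is allow."""
    route_ok = ("ROUTE-LOOKUP", "ALLOW") in parse_phases(output)
    return route_ok and egress_interface(output) == vti_name \
        and final_action(output) == "allow"
```

Feed it the real `packet-tracer input inside ... detailed` output and the name of your VTI; a `False` from `check_vti_path` means the packet either failed a phase or was routed somewhere other than the tunnel.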

Hi
When I run packet tracer from inside to the subnet at the peer side, in the results it's OK, it says inside to VTI, but when I run it in the other direction I only see the outside and inside interfaces, so I can't do packet tracer from VTI to inside??

Thanks

Yes, when I test policy-based VPN I do two directions.

But since the nameif of the VTI does not appear in packet tracer, you have only a one-direction test.

But as you mentioned, when you use Inside the packet tracer is all UP and allow, so the VTI is OK.

Or do you have an issue in the VTI and you need to test the other direction?

MHM

Hello

The customer is sending traffic but it's not connecting, and I don't see their traffic in our connections GUI. I wonder if there is a bug that causes the interface not to show in the list??

Thanks

Sorry, is the connection dropped or not showing in the GUI?

MHM

Not showing 

@N3om the documentation is poor and does not explicitly state whether you can or cannot specify a VTI as the input interface, but it does state that some packet-tracer functionality is not supported with route-based VPN.

"It is possible to inject a decrypted packet in a VPN tunnel, which is generic and applicable for both IPSec and TLS. It is also possible to simulate a packet that comes across a VPN tunnel. The simulated ‘decrypted’ packet would be matched against an existing VPN tunnel and the associated tunnel policies would be applied. However, this functionality is not applicable for a route-based VPN tunnel."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/pa-pn-commands.html#wp1614728796

I double checked a VTI I have access to and I cannot specify it as the source interface in packet-tracer either, so I would say you cannot.
