FTD Route based VPN
05-10-2024 01:09 AM
Hi
I have created the VTI interface for this, but when I run packet tracer the VTI interface is not in the list of available input interfaces to use in packet tracer.
Any ideas, anyone?
Thanks
05-10-2024 01:48 AM
Weird.
Anyway, you can use the Inside interface in packet tracer, and the route lookup must point to the VTI.
MHM
05-10-2024 01:52 AM
Hi
When I run packet tracer from inside to the subnet at the peer side, the result is OK: it says inside to VTI. But when I run it in the other direction I only see the outside and inside interfaces, so I can't do a packet tracer from VTI to inside.
Thanks
05-10-2024 01:57 AM
Yes, when I test a policy-based VPN I test both directions.
But since the nameif of the VTI does not appear in packet tracer, you have only a one-direction test.
But as you mentioned, when you use Inside the packet tracer is all UP and allowed, so the VTI is OK.
Or do you have an issue with the VTI and need to test the other direction?
MHM
05-10-2024 03:32 AM
Hello
The customer is sending traffic but it's not connecting and I don't see their traffic in our connections GUI. I wonder if there is a bug that causes the interface not to show in the list?
Thanks
05-10-2024 03:37 AM
Sorry, is the connection dropped or not showing in the GUI?
MHM
05-10-2024 04:04 AM
Not showing
05-10-2024 05:01 AM
@N3om the documentation is poor and does not explicitly state you can or cannot specify a VTI as the input interface, but it does state that some packet-tracer functionality is not supported with route-based VPN.
"It is possible to inject a decrypted packet in a VPN tunnel, which is generic and applicable for both IPSec and TLS. It is also possible to simulate a packet that comes across a VPN tunnel. The simulated ‘decrypted’ packet would be matched against an existing VPN tunnel and the associated tunnel policies would be applied. However, this functionality is not applicable for a route-based VPN tunnel."
I double checked a VTI I have access to and I cannot specify it as the source interface in packet-tracer either, so I would say you cannot.
