Solved: VTI on ASA down/down Mode: invalid! IPsec profile: Not defined

Wan_Whisperer · ‎12-06-2020

Hi,

I am troubleshooting a VTI from an ASA to and IOS so I am starting with a non protected tunnel to rule out crypto. As you can see below the status and protocol are both down. I feel like this is because of "Mode: invalid! IPsec profile: Not defined" as seen below under the command #sho int tun88

NYC-ASA(config)# sho int ip b
Interface IP-Address OK? Method Status Protocol

Tunnel88 10.0.100.2 YES manual down down

NYC-ASA# sho int tun88
Interface Tunnel88 "VTI", is down, line protocol is down
Hardware is Virtual Tunnel MAC address N/A, MTU 1500
IP address 10.0.100.2, subnet mask 255.255.255.252
Tunnel Interface Information:
Source interface: Outside IP address: Removed.254
Destination IP address: X.X.X.1
Mode: invalid! IPsec profile: Not defined

NYC-ASA# sho run int tun88
interface Tunnel88
nameif VTI
ip address 10.0.100.2 255.255.255.252
tunnel source interface Outside
tunnel destination X.X.X.1

Thanks for the help.

Rob Ingram · ‎12-06-2020

Yes, because the ASA only supports an IPSec VTI, it does not support gre like an IOS router does.

Refer to this example to configure a VTI between an ASA and IOS router.

View solution in original post

Rob Ingram · ‎12-06-2020

@Wan_Whisperer

It doesn't look like you have an IPSec profile attached to the VTI. E.g.

crypto ipsec profile IPSEC_PROFILE
set ikev2 ipsec-proposal TSET

interface Tunnel0
 tunnel protection ipsec profile IPSEC_PROFILE

HTH

Wan_Whisperer · ‎12-06-2020

Thanks for the quick reply.

I do not want any protection. I will add that later.

Do I have to have tunnel protection for the tunnel to get tunnel up?

VR,

Rob Ingram · ‎12-06-2020

Yes, because the ASA only supports an IPSec VTI, it does not support gre like an IOS router does.

Refer to this example to configure a VTI between an ASA and IOS router.

Wan_Whisperer · ‎12-06-2020

Thanks Rob for always being here