Hi,
I am troubleshooting a VTI from an ASA to an IOS, so I am starting with a non-protected tunnel to rule out crypto. As you can see below, the status and protocol are both down. I feel like this is because of "Mode: invalid! IPsec profile: Not defined", as seen below under the command #sho int tun88
NYC-ASA(config)# sho int ip b
Interface IP-Address OK? Method Status Protocol
Tunnel88 10.0.100.2 YES manual down down
NYC-ASA# sho int tun88
Interface Tunnel88 "VTI", is down, line protocol is down
Hardware is Virtual Tunnel MAC address N/A, MTU 1500
IP address 10.0.100.2, subnet mask 255.255.255.252
Tunnel Interface Information:
Source interface: Outside IP address: Removed.254
Destination IP address: X.X.X.1
Mode: invalid! IPsec profile: Not defined
NYC-ASA# sho run int tun88
interface Tunnel88
 nameif VTI
 ip address 10.0.100.2 255.255.255.252
 tunnel source interface Outside
 tunnel destination X.X.X.1
Thanks for the help.
It doesn't look like you have an IPSec profile attached to the VTI. E.g.
crypto ipsec profile IPSEC_PROFILE
 set ikev2 ipsec-proposal TSET
interface Tunnel0
 tunnel protection ipsec profile IPSEC_PROFILE
HTH
Thanks for the quick reply.
I do not want any protection. I will add that later.
Do I have to have tunnel protection to get the tunnel up?
VR,
Yes, because the ASA only supports an IPSec VTI, it does not support GRE like an IOS router does.
Refer to this example to configure a VTI between an ASA and IOS router.
Thanks, Rob, for always being here.