12-06-2020 09:26 AM
Hi,
I am troubleshooting a VTI from an ASA to an IOS router, so I am starting with a non-protected tunnel to rule out crypto. As you can see below, the status and protocol are both down. I feel like this is because of "Mode: invalid! IPsec profile: Not defined" as seen below under the command #sho int tun88
NYC-ASA(config)# sho int ip b
Interface IP-Address OK? Method Status Protocol
Tunnel88 10.0.100.2 YES manual down down
NYC-ASA# sho int tun88
Interface Tunnel88 "VTI", is down, line protocol is down
Hardware is Virtual Tunnel MAC address N/A, MTU 1500
IP address 10.0.100.2, subnet mask 255.255.255.252
Tunnel Interface Information:
Source interface: Outside IP address: Removed.254
Destination IP address: X.X.X.1
Mode: invalid! IPsec profile: Not defined
NYC-ASA# sho run int tun88
interface Tunnel88
nameif VTI
ip address 10.0.100.2 255.255.255.252
tunnel source interface Outside
tunnel destination X.X.X.1
Thanks for the help.
12-06-2020 09:31 AM
It doesn't look like you have an IPSec profile attached to the VTI. E.g.
crypto ipsec profile IPSEC_PROFILE
set ikev2 ipsec-proposal TSET
interface Tunnel0
tunnel protection ipsec profile IPSEC_PROFILE
HTH
12-06-2020 09:33 AM - edited 12-06-2020 09:35 AM
Thanks for the quick reply.
I do not want any protection. I will add that later.
Do I have to have tunnel protection to get the tunnel up?
VR,
12-06-2020 09:39 AM
Yes, because the ASA only supports an IPsec VTI; it does not support GRE like an IOS router does.
Refer to this example to configure a VTI between an ASA and IOS router.
12-06-2020 09:40 AM
Thanks, Rob, for always being here.