Cisco ASA 9.8(1) BGP over VTI while using IKEV2 Proposal. Can't Get BGP to Peer two ASAs.

Nathan Brock
Level 1

We have upgraded our ASAs to IOS Version 9.8(1). I currently have issues with two 5516-X FIREPOWER Services. I have successfully moved to Route Based VPN for our Site-To-Site connectivity. Everything works well with a static route, but we are looking to create resilient mesh by using BGP routing over VTI.

We are using IKEV2, AES256, Sha1, 86400 Lifetime, and so on. The tunnel comes up perfectly and WILL pass traffic within a virtual tunnel interface.

We are looking to get support to get the BGP routing working over these tunnel interfaces (VTI) with IKEV2 IPSEC.

I tried this blog with no luck (IT DOES USE IKEV1)
https://techstat.net/cisco-asa-9-7-route-based-vpn-load-balancing-failover-setup-guide/

I tried this Cisco Doc for VTI / BGP on a Cisco router (DOESN'T WORK ON ASA 9.8)
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.html

I can get the BGP Peers to see the remote VTI IP Address inside the tunnel, but it will only stay IDLE or ACTIVE and no messages will pass between the two BGP Peers to exchange route information.

Please advise. Any technical documentation or example configuration file for Cisco ASA 9.8(1) for BGP over VTI for ASA to ASA connectivity while using IKEV2 would be extremely helpful.

Thanks!
Nate
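The configuration below is an added example written for this thread, not a configuration posted by Nate or published by Cisco. It shows one side (SITE-A) of an ASA-to-ASA route-based tunnel with an IKEv2 policy matching the parameters described in the question (AES-256, SHA-1, 86400-second lifetime) and an eBGP session running between the two tunnel interface addresses. All IP addresses, AS numbers, object names and the pre-shared key are constructed placeholders; the far end (SITE-B) mirrors this with the values swapped.

```cisco
! Added example, not from the thread. Every address, AS number, name and the
! pre-shared key below is a constructed placeholder. SITE-A side only.

! --- IKEv2 policy (phase 1): AES-256 / SHA-1 / 86400 s as described in the question ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

! --- IPsec proposal and the profile the tunnel interface references ---
crypto ipsec ikev2 ipsec-proposal AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA1

! --- Peer definition; 203.0.113.2 stands in for SITE-B's outside address ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key CHANGE-ME-PLACEHOLDER
 ikev2 local-authentication pre-shared-key CHANGE-ME-PLACEHOLDER

! --- Virtual tunnel interface; a /30 inside the tunnel carries the BGP session ---
interface Tunnel1
 nameif VTI-SITE-B
 ip address 169.254.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! --- eBGP over the tunnel: the neighbor is SITE-B's tunnel address ---
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 169.254.1.2 remote-as 65002
  neighbor 169.254.1.2 activate
  network 10.1.0.0 mask 255.255.0.0
```

Bring the tunnel up first and confirm an IKEv2 SA with `show crypto ikev2 sa`, then check `show bgp summary`; the neighbor should move from Idle/Active to Established, and `show bgp neighbors` reports the last reset reason when it does not. Advertise only the prefixes the far site needs (the `network` statement, or a prefix-list applied to the neighbor) so a mis-advertised route cannot pull traffic into the wrong tunnel. The integrity and Diffie-Hellman settings shown are the ones the question describes; the same `crypto ikev2 policy` commands accept stronger values (for example `integrity sha256` and `group 19`) if both ASAs support them.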

7 Replies

Philip D'Ath
VIP Alumni

9.8(1) is bleeding edge new.

Is there a reason why you want to use BGP? I haven't heard of people using BGP in this configuration. Doesn't mean that it won't work - but you are really on the bleeding edge here.

I suspect OSPF will be much easier in such a configuration. I have heard of OSPF being used over IPSec with Cisco ASAs. In fact, I think there are some published Cisco guides on how to do this.