Cisco ASA 9.8(1) BGP over VTI while using IKEV2 Proposal. Can't Get BGP to Peer two ASAs.

Nathan Brock

We have upgraded our ASAs to IOS Version 9.8(1). I currently have issues with two 5516-X FIREPOWER Services. I have successfully moved to Route Based VPN for our Site-To-Site connectivity. Everything works well with a static route, but we are looking to create resilient mesh by using BGP routing over VTI.

We are using IKEV2, AES256, Sha1, 86400 Lifetime, and so on. The tunnel comes up perfectly and WILL pass traffic within a virtual tunnel interface.

We are looking to get support to get the BGP routing working over these tunnel interfaces (VTI) with IKEV2 IPSEC.

I tried this blog with no luck (IT DOES USE IKEV1)

I tried this Cisco Doc for VTI / BGP on a Cisco router (DOESN'T WORK ON ASA 9.8)

I can get the BGP Peers to see the remote VTI IP Address inside the tunnel, but it will only stay IDLE or ACTIVE and no messages will pass between the two BGP Peers to exchange route information.

Please advise. Any technical documentation or example configuration file for Cisco ASA 9.8(1) for BGP over VTI for ASA to ASA connectivity while using IKEV2 would be extremely helpful.


7 Replies

Philip D'Ath

9.8(1) is bleeding edge new.

Is there a reason why you want to use BGP? I haven't heard of people using BGP in this configuration. Doesn't mean that it won't work - but you are really on the bleeding edge here.

I suspect OSPF will be much easier in such a configuration. I have heard of OSPF being used over IPSec with Cisco ASAs. In fact, I think there are some published Cisco guides on how to do this.

1) Cisco's ASA documentation on VTI specifically states that only the BGP protocol is supported over the VTI interfaces. - Only choice.

2) Azure and AWS cloud services' default free gateways use BGP and only BGP. So to utilize the Azure DCs we need to use BGP for failover links. I will be connecting 10 sites all to each other, and BGP can figure out which path to take that is the fastest. S2S tunnels with static maps will send traffic one way to one server/net.

I have resolved this issue. BGP is now working on my ASA. Cisco TAC figured out my issue this afternoon. Thanks for the help. None of the published guides worked for me on IKEV2.

It is good to know that Cisco TAC was able to help you find a solution to the problem. Can you share with us what the underlying problem was and what you did to solve it?

It appears that in order for the BGP protocol to work across the VTI interface, one must add the VTI network to the ACL or, in my case, the split tunneling filter for the group policy of the VTI tunnel.

After I added the VTI network, it came right up and started sharing routes.

I am one step closer to my end goal which is to create my internet on top of the internet. (BGP)

I will be posting my full solution on my blog at some point in the near future.

For example, we have a branch office in Reno NV. It takes 50-70 ms to reach OKC on a direct site-to-site IPsec tunnel. I would rather that site connect to a VPN GW at the Google DC in Northern Cali (9 ms) <-> Dallas <-> OKC (total trip would be about 28 ms). I am noticing that Azure DCs or Google DCs are connected together at very low latency. My goal is to add a few of these DCs into my BGP VTI groups and start getting 50% to 80% better latency.

Even in Oklahoma we have a site that would benefit from hitting Tulsa first before hitting OKC. So a static site-to-site tunnel is not always the best for speed or reliability due to fluctuations in the BGP routing of the internet. In my case there is an AT&T hop that meets Cogentco's network in Dallas TX that is always over-utilized. I want to avoid these bad hops at all cost. I am aware of MPLS and point-to-point connections with ISPs, but I don't want to pay the money for them.

Today, we also found that it seems like there has to be traffic passing across the tunnel for BGP to establish. As a workaround we added a static route across the tunnel for the BGP neighbor IP (itself) as next hop, and BGP started working.
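The fix described in the two replies above, written out as an added ASA configuration example (constructed for this thread, not the poster's or Cisco's own config): the VTI /30 itself is permitted by the ACL the group policy applies to the tunnel, so the BGP TCP session between the two tunnel addresses is not dropped, and the static route for the neighbor is the workaround from the later reply. Addresses, AS numbers, object names and the IPsec profile name are assumptions; the filter is shown as a vpn-filter ACL, which is the ACL a group policy applies to a site-to-site tunnel, where the original poster refers to it as the split tunneling filter.

```cisco
! Constructed example. Assumed values: VTI subnet 169.254.10.0/30, local AS 65001,
! remote AS 65002, peer public IP 203.0.113.2, IPsec profile VTI-PROFILE (defined elsewhere).
interface Tunnel1
 nameif vti-peer
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! The point from the thread: the VTI network must be permitted by the tunnel's ACL.
! Without the first line, BGP (TCP/179 between 169.254.10.1 and 169.254.10.2) is
! filtered and the neighbor never leaves Idle/Active. The second line is the
! ordinary site-to-site traffic between the two LANs (assumed 10.1.0.0/16 and 10.2.0.0/16).
access-list VTI-FILTER extended permit ip 169.254.10.0 255.255.255.252 169.254.10.0 255.255.255.252
access-list VTI-FILTER extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
!
group-policy VTI-GP internal
group-policy VTI-GP attributes
 vpn-tunnel-protocol ikev2
 vpn-filter value VTI-FILTER
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy VTI-GP
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PLACEHOLDER-PSK>
 ikev2 local-authentication pre-shared-key <PLACEHOLDER-PSK>
!
! BGP peering uses the tunnel interface addresses, not the public endpoints.
router bgp 65001
 bgp router-id 169.254.10.1
 address-family ipv4 unicast
  neighbor 169.254.10.2 remote-as 65002
  neighbor 169.254.10.2 activate
  network 10.1.0.0 mask 255.255.0.0
!
! Workaround from the later reply: a host route for the neighbor pointing back
! through the tunnel, so there is a route (and traffic) across it before BGP converges.
route vti-peer 169.254.10.2 255.255.255.255 169.254.10.2 1
```

After applying this, `show bgp summary` should show the neighbor moving from Active to Established, and `show route bgp` should list the routes learned over the VTI.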

I am researching this design and came across this post. Thanks for this. The reason for this research is exactly the same reason that you implemented yours. How are you going with it, if you don't mind me asking? I have to brush up on my BGP. I recall something about BGP not coming up unless the route table has a route


I am about to begin a project to implement a Route Based BGP VPN and stumbled upon this post. I don't have a solution for your problem, but I did find this guide on the issue Route Based BGP VPN Guide.

Hopefully that guide is of some use to you.

- Dan
