Cisco ASA VTI not showing any traffic statistics

mtentilucci · ‎10-24-2018

Hello,

We have site-to-site VPN tunnels setup between our ASAs using VTIs. However, the VTIs do not show any traffic statistics (e.g. 1 minute input rate, packets dropped, packets input, etc...).

This is what I see:

asa# show interface tunnel 1
Interface Tunnel1 "MY-TUNNEL", is up, line protocol is up
  Hardware is Virtual Tunnel    MAC address N/A, MTU 1500
        IP address 172.16.0.1, subnet mask 255.255.255.252
  Tunnel Interface Information:
        Source interface: OUTSIDE   IP address: 1.1.1.1
        Destination IP address: 2.2.2.2
        Mode: ipsec ipv4        IPsec profile: MY-IPSEC-PROFILE
asa#

Is it possible to see traffic statistic on ASA VTIs?

David Castro F. · ‎11-04-2018

Hello Mtentilucci,

I hope you are doing great,

I know thats rare, but since the tunnel interface relays on the outside interface, thats where you would get the interface counters.

Now to verify traffic stats for the VTI you could use the following show commands:

ASA-right(config)# show crypto ikev2 sa  - This verifies the IKEv2 tunnel up or down.

ASA-right(config)# show crypto ipsec sa   / show crypto ipsec sa peer XXXX -- Peer IP address, this will show
the SAs formed and the traffic come back and forth.

ASA-right(config)# show vpn-sessiondb l2l     -- This will also show traffic stats in the SAs, time of 
expiration for the tunnels and so on.

Keep me posted if you have any doubts,

Please qualify all the helpful answers and mark as answer if the answer was provided!

Thanks,

David Castro,