Cisco ASA VTI Static route to tunnel does not forward packet over tunnel - Tunnel is up
I am running into this very strange behavior where the customer has an ASA5512X and we are trying to set up a redundant VTI tunnel to a service provider. Both tunnels come up fine and correct static routes through the VTI tunnel interfaces for the far-end networks are in place, and with IPSLA tracking using the primary site's public peer address, the show route output indicates the route through the primary changing over to the secondary site. Essentially we are trying to move from an older site-to-one-datacenter VPN to a new VTI-based site-to-two-datacenter VPN.
Packet tracer shows all success and using the tunnel as the egress interface. NAT (inside,any) with twice NAT is set up at the top so as to not choose the outside interface in the presence of other NAT statements (if there were no static NATs, I would not even add NAT for VTI), but I have seen that in the presence of NAT. debug icmp trace shows pings coming into the ASA (LAN is a flat network), but no replies coming back. Traceroutes from test stations end up at the ASA. Pings and traceroutes to anything else going to the internet or the existing VPN tunnel show all hops including the ASA itself. Doing a packet capture on the tunnel interface itself shows no packets coming into the tunnel.
So despite having correct static routes pointed to the tunnels, the ASA does not utilize the route / tunnel.
The service provider has the public peer IP addresses pingable, but the VTI tunnel endpoints in 169.254.x.x are not pingable, and these tunnel endpoints are the next hop. Could this be a reason for the ASA to quietly ignore the route, even if it's installed in the routing table, if the next hop is not pingable but otherwise reachable (as per the service provider)? They have customers with FortiGates / F5s and a few others connected with the same setup.
The ASA5512X is running 9.8.4, and VTI utilizing IKEv2 became available starting with 9.8.1. I have over the years done several ASA and FortiGate connections using route-based / VTI tunnels to Azure / AWS and Oracle Cloud, but in those cases I used BGP and the tunnel endpoints were always pingable. Here I am required to use static routes and the next-hop tunnel IPs are not pingable.
Hopefully someone has run into similar issues of a next hop not being pingable and then being ignored by the ASA, or a specific case with VTIs, and will share his / her experience and the workaround / fix for this, please.