Showing results for 
Search instead for 
Did you mean: 

Cisco ASA VTI Static route to tunnel does not forward packet over tunnel - Tunnel is up

Hello Folks,


I am running into this very strange behavior where customer has ASA5512X and we are trying to set up a redundant VTI tunnel to service provider. Both tunnels come up fine and correct static routes thru the VTI tunnel interfaces for the far end networks are in place, and using IPSLA tracking by using the primary site's public peer address, the show route indicates route thru primary changing over thru the secondary site. Essentially we are trying to move an older site to one datacenter VPN to a new VTI based, site to two datacenter VPNs.


Packet tracer shows all success and using the tunnel as egress interface. NAT (inside,any) with twice nat is set up at the top so as to not choose the outside interface in present of other nat statements (if there were no static NATs, I will not even add NAT for VTI), but I have seen that in presence of NAT. debug icmp trace shows pings coming into ASA (LAN is flat network), but no replies coming back. traceroutes from test stations, end up at ASA. Pings and traceroutes to anything else going to internet or existing VPN tunnel shows all hops including the ASA itself. Doing a packet capture on the tunnel interface itself shows no packets coming into tunnel.


So despite having correct static routes pointed to tunnels, ASA does not utilize the route / tunnel.

Service provider has the public Peer IP addresses pingable, but the VTI tunnel end points in 169.254.x.x are not pingable and these tunnel end points are the next hop. Could this be a reason for ASA to quietly ignore the route, even if its installed in the routing table, if next hop is not pingable, but otherwise reachable (as per service provider). They have customers with Fortigates / F5s and few others connected with same setup.


ASA5512x is running 9.8.4 and VTI utilizing IKEv2 became available starting 9.8.1. I have over the years done several of ASA and fortigates connected using route based / VTI tunnels to Azure / AWS and Oracle cloud, but in cases, I used BGP and tunnel end points were always pingable. Here I am required to use static routes and the next hop tunnel IPs are not pingable.


Hopefully someone may have run into similar issues of next hop not pingable and then ignored by ASA to make use of or specific case with VTIs and will share his / her experience and the workaround / fix for this please.


Thanks so much,

Everyone's tags (1)