Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1527
Views
0
Helpful
2
Replies

Cisco ASA VTI Static route to tunnel does not forward packet over tunnel - Tunnel is up

Devinder Sharma
Level 1
Level 1

‎05-30-2020 11:28 PM

Hello Folks,

 

I am running into this very strange behavior where customer has ASA5512X and we are trying to set up a redundant VTI tunnel to service provider. Both tunnels come up fine and correct static routes thru the VTI tunnel interfaces for the far end networks are in place, and using IPSLA tracking by using the primary site's public peer address, the show route indicates route thru primary changing over thru the secondary site. Essentially we are trying to move an older site to one datacenter VPN to a new VTI based, site to two datacenter VPNs.

 

Packet tracer shows all success and using the tunnel as egress interface. NAT (inside,any) with twice nat is set up at the top so as to not choose the outside interface in present of other nat statements (if there were no static NATs, I will not even add NAT for VTI), but I have seen that in presence of NAT. debug icmp trace shows pings coming into ASA (LAN is flat network), but no replies coming back. traceroutes from test stations, end up at ASA. Pings and traceroutes to anything else going to internet or existing VPN tunnel shows all hops including the ASA itself. Doing a packet capture on the tunnel interface itself shows no packets coming into tunnel.

 

So despite having correct static routes pointed to tunnels, ASA does not utilize the route / tunnel.

Service provider has the public Peer IP addresses pingable, but the VTI tunnel end points in 169.254.x.x are not pingable and these tunnel end points are the next hop. Could this be a reason for ASA to quietly ignore the route, even if its installed in the routing table, if next hop is not pingable, but otherwise reachable (as per service provider). They have customers with Fortigates / F5s and few others connected with same setup.

 

ASA5512x is running 9.8.4 and VTI utilizing IKEv2 became available starting 9.8.1. I have over the years done several of ASA and fortigates connected using route based / VTI tunnels to Azure / AWS and Oracle cloud, but in cases, I used BGP and tunnel end points were always pingable. Here I am required to use static routes and the next hop tunnel IPs are not pingable.

 

Hopefully someone may have run into similar issues of next hop not pingable and then ignored by ASA to make use of or specific case with VTIs and will share his / her experience and the workaround / fix for this please.

 

Thanks so much,

Labels:
0 Helpful
2 Replies 2

flyshoo
Level 1
Level 1

‎08-17-2020 04:06 PM

Did you find a resolution to this issue?  I have the same setup and I'm unable to ping the other side.

 

Thanks,

flyshoo

0 Helpful

Devinder Sharma
Level 1
Level 1
In response to flyshoo

‎08-17-2020 04:14 PM

Sorry, no solution was found and it was likely a bug that affected ASA5512X. Customer has support contract expired and then decided to buy a fortigate firewall. With that firewall, it worked in first attempt.

I had no other (newer) model of ASA available to test, and I am assuming that newer hardware may not have this issue. I generally know my stuff well, so I will not have configuration issues, but without any active support contract, we could not engage Cisco TAC.

 

0 Helpful
Customers Also Viewed These Support Documents