1613 Views | 1 Helpful | 6 Replies

FTD: VTI Tunnel Source in VRF - not possible?

rob.coote
Level 1

Hello, we are trying to set up a Route Based VPN to a cloud provider using FTD and VTI. Our outside interface with a public IP is part of a VRF in FMC. When the VTI is created using the outside interface as the Tunnel Source, we receive an error:


"Interface creation failed: Tunnel source interface : 'Outside' is part of User defined VRFs : Port-channelxx"


Is there some reason why we cannot use this interface for the VTI?


FMC and FTD version: 7.0.1

Platform: FTD 4110

Accepted Solution

@rob.coote unfortunately VTI is supported only in global virtual router. The tunnel source of VTI interface should also belong to the global virtual router. 


https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/virtual-routing-for-firepower-threat-defense.html



6 Replies


Thanks. So the solution would be to cable another physical interface, assign it to Global with its own public IP and use that for the VTI?


Then leak routes from Global to other VRFs?

@rob.coote sounds like a workable solution.

I was almost hoping for a FlexConfig option haha. Thanks.

Edit to add - for future reference.

FTD 7.2 has lifted restrictions:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/routing-vrf.html#id_121522

"You can assign only routed interfaces with logical names and VTIs to a user-defined virtual router."

That means a static VTI (sVTI) can be part of an internal VRF (iVRF).
The 7.2 documentation doesn't mention:
"The tunnel source of VTI interface should also belong to the global virtual router.",
so it should be possible to select an interface in front-door VRF (fVRF) as a sVTI source.

FTD 7.4 adds support for dynamic VTI (dVTI) with fVRF / iVRF, which is described in the documentation:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/routing-vrf.html#how-to-secure-traffic-from-networks-in-multiple-virtual-routers-over-a-site-to-site-vpn-with-dynami...
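To make the three version-dependent rules in this thread checkable before a change is pushed to FMC, here is a small offline validator. It is an added example, not Cisco code and not output of the FMC API: it encodes the constraint from the accepted answer (7.0: VTI and tunnel source both in the global virtual router), the 7.2 relaxation for sVTI quoted above, and the 7.4 dVTI support, and runs them over an inline model of interfaces and virtual routers. The class and field names, the version cut-offs, and the VR names "fVRF" and "iVRF" are assumptions for illustration.

```python
"""Offline pre-deployment check for FTD VTI placement across virtual routers.

Added example, not Cisco code and not FMC API output. It encodes the version
dependent constraints quoted in this thread (7.0: VTI and tunnel source in the
global VR only; 7.2: sVTI may sit in a user-defined VR with a tunnel source in
another VR; 7.4: the same for dVTI) and runs them over a small inline model.
Class and field names, the version cut-offs, and the VR names "fVRF"/"iVRF"
are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

GLOBAL = "Global"  # FMC's global virtual router


@dataclass(frozen=True)
class Interface:
    name: str
    virtual_router: str = GLOBAL  # VR the routed interface is assigned to


@dataclass(frozen=True)
class Vti:
    name: str
    tunnel_source: str             # name of the routed source interface
    virtual_router: str = GLOBAL   # VR the VTI itself is assigned to
    dynamic: bool = False          # True for a dynamic VTI (dVTI)


def parse_version(text: str) -> tuple:
    """'7.0.1' -> (7, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_vti(vti: Vti, interfaces: List[Interface], ftd_version: str) -> List[str]:
    """Return the errors FMC would be expected to raise; empty means accepted."""
    errors: List[str] = []
    ver = parse_version(ftd_version)
    src = next((i for i in interfaces if i.name == vti.tunnel_source), None)
    if src is None:
        return [f"Tunnel source interface '{vti.tunnel_source}' does not exist"]

    if ver < (7, 2):
        # Pre-7.2: both the VTI and its tunnel source must live in the global VR.
        if vti.virtual_router != GLOBAL:
            errors.append(
                f"VTI '{vti.name}' must belong to the global virtual router on {ftd_version}")
        if src.virtual_router != GLOBAL:
            # Same shape as the FMC error quoted in the question (constructed text)
            errors.append(
                f"Interface creation failed: Tunnel source interface : '{src.name}' "
                f"is part of User defined VRFs : {src.virtual_router}")
    elif ver < (7, 4) and vti.dynamic:
        # 7.2/7.3: sVTI gets the relaxed rules; dVTI with fVRF/iVRF needs 7.4.
        if vti.virtual_router != GLOBAL or src.virtual_router != GLOBAL:
            errors.append(
                f"dVTI '{vti.name}' with user-defined virtual routers requires FTD 7.4 or later")
    # 7.4+: sVTI and dVTI may both use an iVRF for the tunnel and an fVRF for the source.
    return errors


def check_all(vtis: List[Vti], interfaces: List[Interface], ftd_version: str) -> Dict[str, List[str]]:
    """Map each VTI name to its error list, for a quick pre-change report."""
    return {v.name: check_vti(v, interfaces, ftd_version) for v in vtis}


if __name__ == "__main__":
    # Constructed topology: public-facing interface in a front-door VR
    ifaces = [Interface("Outside", "fVRF"), Interface("Outside2"), Interface("Inside", "iVRF")]
    vtis = [
        Vti("Tunnel1", tunnel_source="Outside"),                         # the original question
        Vti("Tunnel2", tunnel_source="Outside2"),                        # the cabling workaround
        Vti("Tunnel3", tunnel_source="Outside", virtual_router="iVRF"),  # sVTI in iVRF, 7.2 design
    ]
    for version in ("7.0.1", "7.2.0", "7.4.0"):
        print(version)
        for name, errs in check_all(vtis, ifaces, version).items():
            print(f"  {name}: {'OK' if not errs else '; '.join(errs)}")
```

Running it prints, per version, which of the three constructed VTIs would be rejected: on 7.0.1 only the second-interface workaround passes, on 7.2.0 the sVTI in iVRF with a source in fVRF also passes, and a dVTI in the same placement passes only from 7.4.0.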


Mateusz, @mgrzesia off-topic, but let me ask this: does connection migration work between sVTI interfaces if they're included in a traffic zone? Did you test? If you know, you can respond here: https://community.cisco.com/t5/network-security/ftd-dual-isp-and-s2s-vpn-connections/td-p/4975078