
VTI is not coming UP in ASA(5515)9.7(1)4 connected with router ASR1000

Neeraj Patial
Level 1

Hi

My VTI is not coming up on the ASA connected to the ASR router. I am testing it in a lab.

Any expert comment would be appreciated.

asa# show interface tunnel 100
Interface Tunnel100 "vti", is down, line protocol is down
Hardware is Virtual Tunnel MAC address N/A, MTU 1500
IP address 192.168.1.10, subnet mask 255.255.255.252
Traffic Statistics for "vti":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Tunnel Interface Information:
Source interface: outside IP address: 192.165.0.2
Destination IP address: 192.165.0.1
Mode: ipsec ipv4 IPsec profile: PROFILE1
asa#
Router:

ASR#show interfaces tunnel100
Tunnel100 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.1.9/30
MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate protection reg down
Tunnel source 192.165.0.1, destination 192.165.0.2
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "PROFILE1")
Last input never, output never, output hang never
Last clearing of "show interface" counters 2d19h
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
ASR#

Config at ASA:-

crypto ipsec ikev1 transform-set SET1 esp-aes esp-sha-hmac
crypto ipsec profile PROFILE1
set ikev1 transform-set SET1
set security-association lifetime kilobytes 102400
set security-association lifetime seconds 900

interface Tunnel100
nameif vti
ip address 192.168.1.10 255.255.255.252
tunnel source interface outside
tunnel destination 192.165.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1

Router Config:-

crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROFILE1
set security-association lifetime kilobytes 102400
set security-association lifetime seconds 900
set transform-set SET1
!

interface Tunnel100
ip address 192.168.1.9 255.255.255.252
tunnel source 192.165.0.1
tunnel mode ipsec ipv4
tunnel destination 192.165.0.2
tunnel protection ipsec profile PROFILE1

Physical interfaces ping from both sides

ASA# ping 192.165.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.165.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA#

ASR#ping 192.165.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.165.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASR#

6 Replies

Richard Burts
Hall of Fame

It is good that you have demonstrated that there is IP connectivity between the peers. In the partial config that you posted you do not include any tunnel group for the VTI. Is it in the config and you did not post it, or is it missing?

What determines the up or down state of the VTI tunnel is the outcome of the crypto negotiation. Can you run debug for the crypto negotiation and post the output? (I would especially want output of the negotiation for IPsec, and would want output of the negotiation for ISAKMP if there is no IPsec output.)

HTH

Rick
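For readers who land here with the same symptom, this is the tunnel group Rick is asking about, together with the IKEv1 pieces that neither posted config shows. It is an added example, not the original poster's config and not something from Rick's reply. The peer addresses (192.165.0.1 / 192.165.0.2) and the AES/SHA choice come from the thread; the policy numbers, DH group 2, the lifetimes and the pre-shared key value are assumptions, and the `!` lines are annotations. Without a tunnel group the ASA has no pre-shared key for the peer, so Phase 1 never completes, no IPsec SA is built, and the Tunnel100 interface on both sides stays line protocol down exactly as in the show output above.

```text
! ---- ASA side (added example; key value is a placeholder) ----
! IKEv1 has to be enabled on the interface the VTI sources from
crypto ikev1 enable outside
! Phase 1 policy; AES/SHA mirror the posted transform set, group 2 is an assumption
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! The tunnel group the posted ASA config lacks, keyed on the peer address from the thread
tunnel-group 192.165.0.1 type ipsec-l2l
tunnel-group 192.165.0.1 ipsec-attributes
 ikev1 pre-shared-key <SAME-KEY-BOTH-SIDES>

! ---- IOS XE (ASR) side: matching ISAKMP policy and key for the ASA peer ----
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key <SAME-KEY-BOTH-SIDES> address 192.165.0.2
```

Once both sides carry this, `show crypto ikev1 sa` and `show crypto ipsec sa` on the ASA (`show crypto isakmp sa` and `show crypto ipsec sa` on the ASR) should list the SAs and both Tunnel100 interfaces should move to up/up. If they do not, `debug crypto ikev1 127` and `debug crypto ipsec 127` on the ASA (`debug crypto isakmp` and `debug crypto ipsec` on the router) give the negotiation output Rick asks for, and a mismatched key or policy shows up there before anything else.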

Hi Richard,

Thanks, yes, I was missing the tunnel group for the VTI. It is up now and exchanging routes properly through BGP.

But I am unable to build an adjacency with OSPF over the VTI. Is there any chance of OSPF support in ASA versions above 9.7?

Thanks for letting us know that the problem was the missing tunnel group and that now the tunnel is working. I do not have any information about support for OSPF over the VTI. I would hope that Cisco will provide this support but have no information about it.

HTH

Rick

One thing to note - at least this happened to me and I was running 9.8(4)40 code on a 5545x.  My VTI would not work or even show up until I rebooted the ASA.  Nothing worked and I went to do a packet capture but the tunnel interface was not one of the ones available.  I rebooted the ASA and it was there and data would then pass.  So if you configure a VTI and you are wondering why it does not work, you may have to reboot your ASA first.

Thanks for sharing your experience. That has not been my experience doing VTI on ASA. But I have certainly seen instances where something was not working, config seemed correct but was not working. Did a reboot and it started working. So your suggestion is certainly appropriate - when working on a problem it may be helpful to do a reboot.

HTH

Rick

Is this issue still not solved?