VTI on ASA in Multi-Context

johng231
Level 3

Hello,

 

I know from reading the latest admin guide (9.13), configuring VTI on multi-context mode is not supported. Does anyone know if it's on a road map to have it be included? It's a nice feature to have to support BGP over IPSEC tunnels using VTI but our main data centers all have 5585x configured as a multi-context. We'll need to purchase a dedicated ASA then to support this requirement. 

 

Thanks in advance!

John 

11 Replies

5585-X is EOL. I have not heard anything from TAC about whether VTI is coming in multi-context. What you could do going forward is buy FTD 4000 or 9000, which come as multi-instance; this could solve your problem. However, having said that, FTD 6.3 does not support VTI at all, and there is a road map to introduce this feature in a future release.

Please do not forget to rate.

Pulkit Saxena
Cisco Employee

Hi John,

 

The feature is not yet available; you can subscribe to this enhancement and keep getting updates, if any.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve69229

 

Regards,

Pulkit

Daniel Shriver
Level 1

Did anyone get back to you on this issue?

 

No, I think it's not possible in multi-context.

Please do not forget to rate.

Someone did respond to my post here with the following URL linking to a bugid enforcement. My understanding is there is no timeline on when this will be implemented. 

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve69229

ROHIT SHARMA
Level 1

I saw that Cisco ASA config guides say that VTI is supported in Single mode only, but I just tried a multi ASA with OS 9.12 and I was able to create a tunnel interface...

It is nice to know that you can configure it. And if you can configure it, probably it might work. But there is an important distinction between "it is supported" and "I can configure it". If you configure it and deploy in a production network, and then if some unexpected behavior emerges that is a problem you cannot go to Cisco TAC to get help in resolving it.

HTH

Rick

Have you created the interface tunnel? Did it work?

Late reply, so just for the record:

While it is possible to configure a VTI in a security context, the following command is not supported:

 

crypto ipsec profile 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/crypto-a-to-crypto-ir-commands.html#wp3081784102

 

The IPsec profile is to be attached to the VTI.

Some commands for route-based vpn 'leaked' from single to multiple mode but the core VPN enablement is still missing here.

ASAv in turn has the full command set and is a cheaper alternative to the Firepower 4k/9k series mentioned above.

Cheers

/Rafal

johnlloyd_13
Level 9

Hi,

Does anyone know/heard if VTI is now being supported in ASA multiple context mode?

Is there an improvement/feature added in ASA version 9.16+ for FPR 2100?

Hi @johnlloyd_13 VTI is still supported in single context mode only as of the latest version 9.19.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/vpn/asa-919-vpn-config/vpn-vti.html