ASA VTI ikev2 problem

Dieselboy · April 12, 2019, 04:24:22 AM

Trying to set up a new site VPN using existing config / lessons-learned. I have a another site already using resilient VTI VPN tunnels with ikev2 and bgp. The new site ikev2 vpn would not come up and was giving some error I had not seen before. So I decided to give up and use ikev1 to get going and change it later. The VPN came up immediately but is not functional and the ASA is logging an error which says:

Code Select

Failed to locate egress interface for GRE from VTI-49:139.x.x.x/0 to 115.x.x.x/0

I'm using ipsec. Any ideas why the log says "GRE"? Does the ASA even do GRE? I have a HA pair of 5515X on 9.8.3 code.

deanwebb · April 12, 2019, 05:59:55 AM

I think it has to use that to process the "interesting traffic" that matches the policy-class to send stuff over the VPN. But it should be doing that natively, I'd check to see if the policy-class is right and if the settings on both ends match and if they're explicitly defined because Cisco trying to figure it out from a list sometimes doesn't work as desired.

Dieselboy · April 12, 2019, 07:46:40 PM

I went through all the ikev2 VPN config again with a fine tooth comb. It's all 100% correct. THEN I spotted that there was one line missing from the VTI interface:

Code Select

tunnel mode ipsec ipv4

Oops. All working now : )

deanwebb · April 13, 2019, 12:15:38 PM

Quote from: Dieselboy on April 12, 2019, 07:46:40 PM
I went through all the ikev2 VPN config again with a fine tooth comb. It's all 100% correct. THEN I spotted that there was one line missing from the VTI interface:
Code Select Expand
tunnel mode ipsec ipv4

Oops. All working now : )

Dieselboy · April 14, 2019, 04:15:41 AM

🙈

Explains the ASA logging about the GRE, which is good to know

ASA VTI ikev2 problem

Dieselboy

deanwebb

Dieselboy

deanwebb

Dieselboy