Cisco ASA VTI interface source

The ASA has two interfaces, outside and inside. I have a VTI IPsec tunnel sourced on the outside (public IP) interface and this works OK. I need another VTI tunnel sourced on the inside (private IP) interface. For both VTIs, the peers are behind the outside interface. This second VTI, with the ASA inside interface as its source, is not working; IPsec is not coming up. There is a NAT device in front of the ASA that is NATing the ASA inside IP to another public IP. I guess this is a legit setup and it should work? According to the logs, the peer's IKE packets are seen on the outside interface, but it looks like they are not getting to the crypto engine or something. Likewise, I can see ASA-4-750003 messages stating that the ASA is trying to do IKE with the peer (local:asa_inside:500 remote:peer2:500), but this traffic is not seen on the outside interface.


thanks

4 Replies

Pavan Gundu (Cisco Employee)

What is the peer IP configured on the remote side?
Did you take simultaneous IKE debugs?

The remote peer has the public IP of the NATed ASA inside interface configured. Traffic is seen on the ASA outside interface as remote_peer -> asa_inside_ip, so this part is working OK. I do not have debugs for now, since it looks like I am stuck at the basic network level.

I did an asp-drop capture and it shows:

peer_ip.500 > asa_inside.500: udp 536 Drop-reason: (no-route) No route to host, Drop-location: frame 0x0000559d9b13a215 flow (NA)/NA

This is strange, since asa_inside is directly connected.

As far as I know, you cannot use a private IP as the tunnel source.

You need the public one (the outside interface).
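The configuration shape the last reply points at, as an added example that is not from this thread or from Cisco: two route-based (VTI) IPsec tunnels on one ASA, both using `tunnel source interface outside` so that IKE for each peer arrives on the same interface whose IP it is addressed to, instead of arriving on outside for an inside-interface IP as in the drop line above. Every address, interface, proposal, profile and tunnel-group name is a placeholder, and the IKEv2 parameters are an assumed baseline, not anything the original poster stated.

```cisco
! Constructed example: two VTI tunnels, both sourced on the outside interface.
! Addresses are documentation ranges; <peer1-psk>/<peer2-psk> are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Assumed IKEv2 policy and IPsec proposal (ASA-4-750003 is an IKEv2 message).
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal VTI-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal VTI-PROP
!
! One L2L tunnel-group per peer, keyed on the peer's public address.
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <peer1-psk>
 ikev2 local-authentication pre-shared-key <peer1-psk>
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <peer2-psk>
 ikev2 local-authentication pre-shared-key <peer2-psk>
!
! First VTI: the working tunnel from the question, sourced on outside.
interface Tunnel1
 nameif vti-peer1
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Second VTI: also sourced on outside (not inside), which is what the
! last reply recommends; the peer then targets 203.0.113.2 directly.
interface Tunnel2
 nameif vti-peer2
 ip address 169.254.20.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Routes point at the VTI link address so traffic is steered into the tunnel.
route vti-peer2 192.168.50.0 255.255.255.0 169.254.20.2
```

To confirm the symptom from the thread before and after such a change, the drop capture the poster used is `capture drops type asp-drop all`, read back with `show capture drops`; once IKE succeeds, `show crypto ikev2 sa` should list both peers, and the `no-route` drop for UDP/500 toward the inside address should no longer appear because IKE is now addressed to the outside interface it arrives on.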