VTI interface down because interface number created is greater than ipsec32768
In some conditions, when creating a VTI interface for routed IP, the interface number allocated is very high.
This seems to be happening with firewalls that already have a large number of traditional ipsec p1/p2 tunnels. The first VTI p2 I made started with ipsec52000 and the interface is permanently offline / down. Any additional VTI interfaces I create get an even higher interface number such as ipsec53000.
Obviously this breaks the VTI and you cannot get routed IP to work.
#9 Updated by Chris Linstruth 29 minutes ago
I created enough tunnels to get over what used to be 32768. Along the way I created two VTI tunnels. They were given interfaces ipsec3000 and ipsec6000. After there were enough tunnels to push the interface number past 32768, the VTI was given ipsec1.
If that is how it should work, it looks good. If the VTIs are supposed to start at con1 regardless of how many tunnels are already created, it doesn't seem to do that.