topic Re: Cannot add route entry, conflict with existing routes in Network Security

Cannot add route entry, conflict with existing routes

WillCai — Fri, 21 Feb 2020 14:55:50 GMT

Why the route will show up he error message "Cannot add route entry, conflict with existing routes". Even the outside and backup route can switch automatically. However, the backup line still no internet. I try to connect the backup line without the ASA route, and the Internet work just fine.

Re: Cannot add route entry, conflict with existing routes

GioGonza — Fri, 01 Dec 2017 22:24:15 GMT

Hello @WillCai,

You are having problems with the track route since it is not adding the outside route just the backup, you have to check what is happening with the track itself and verify if you can reach 8.8.8.8.

The configuration is OK and probably you need to issue this commands in order to know what is going on with the routes:

show sla monitor operational-state

show track

Also you can enable the logs for this connection and verify if the ASA is doing that change:

logging list SLA-LIST message 622001

logging trap SLA-LIST

logging history SLA-LIST

snmp-server enable traps syslog

We need this information in order to verify the connection.

HTH

Gio

Re: Cannot add route entry, conflict with existing routes

WillCai — Tue, 05 Dec 2017 21:17:38 GMT

Hi GioGonza,

Thanks for you response, I do check my ASA can reach 8.8.8.8, and the show command you can check in the attachment. However, one more question is my backup route can not browsing any website. I do set up the firewall as the same as the outside, but it just not working.

Sincerely,

Will

Re: Cannot add route entry, conflict with existing routes

GioGonza — Tue, 05 Dec 2017 22:28:19 GMT

Hello @WillCai,

Based on the output you pasted before the SLA should be working fine and it should have the route to the outside instead of the backup. But there was a change 5 hours before you collected the information so probably you experienced a problem with the routing.

If you do show route, the default route should be on the outside interface instead of the backup as it was before. The way I see it everything is normal and the connection is stable as per thee outputs you shared.

Now according to the other question, the ASA is receiving the IPs for the outside and backup interface from another device in front of the ASA (and those devices are doing the NAT for Internet access), if you don´t have access through the backup interface you need to verify with the device in front of the ASA and verify if the NAT is taking place and also verify if the traffic is not being dropped.

Other than that, I don´t recall any other reason for this behavior.

HTH

Gio

Re: Cannot add route entry, conflict with existing routes

WillCai — Wed, 06 Dec 2017 22:03:43 GMT

Hi Gio,

Now the Dual ISP switch come back to normal. However, the backup line still can not go to the internet. I do use my computer to connect to backup line, and it is work. The means the device before the ASA in backup line is OK. The attachment are my check commands.

Sincerely,

Will

Re: Cannot add route entry, conflict with existing routes

WillCai — Thu, 07 Dec 2017 14:31:56 GMT

Hi Gio,

I just hit the wrong key to solved. I still have no idea Why the route will show up he error message "Cannot add route entry, conflict with existing routes". Even the outside and backup route can switch automatically. However, the backup line still no internet pass by. I try to connect the backup line without the ASA route, and it is no any problem with the backup line.

Sincerely,

Will Cai

Re: Cannot add route entry, conflict with existing routes

Marvin Rhoads — Sat, 09 Dec 2017 11:23:04 GMT

(Moved thread to firewall forum for more accurate classification.)

Since both your outside and backup interfaces are DHCP, I believe you need to modify backup to override the default administrative distance of 1.

There is a thread here:

https://supportforums.cisco.com/t5/firewalling/sla-monitor-on-dual-dynamic-isp-asa5505/td-p/2385667

...with a very similar situation.

The setting is explained in more detail here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/d1.html#pgfId-2254460

As noted in that command reference link,

If DHCP is configured on multiple interfaces, you must use the dhcp client route distance command on each of the interfaces to indicate the priority of the installed routes.

Re: Cannot add route entry, conflict with existing routes

GioGonza — Mon, 11 Dec 2017 14:40:32 GMT

Hello @WillCai,

I´ll do this on my lab and I will let you know about the results.

Gio

Re: Cannot add route entry, conflict with existing routes

WillCai — Mon, 11 Dec 2017 22:12:17 GMT

Dear Marvin,

Thanks for you information. I just follow it and fix the problem. However, I just have one more question about the DNS. Now my backup internet it can go though the ASA route, but without the DNS server can be reached. I just setup the the DNS address again, because the backup line default DNS address is 8.8.8.8, and 8.8.4.4.

Sincerely,

Will Cai

Re: Cannot add route entry, conflict with existing routes

Marvin Rhoads — Tue, 12 Dec 2017 02:30:45 GMT

You're welcome. Please rate the earlier reply if it answered the original question.

Re your follow up, you have "dhcpd dns 75.75.75.75 75.75.76.76 interface inside" for your dhcp server. Try adding the Google DNS servers there and release / renew a client's ipconfig to test it.