https://community.cisco.com/t5/network-security/interesting-asa-problem-duplicate-ip-ipsec-vpn-remote-access/m-p/889543#M961942 <P>I am running 8.0(2), look at the following output from ASA:</P><P></P><P>ASA5500#sh interface gi0/0</P><P>Interface GigabitEthernet0/0 "Outside", is up, line protocol is up</P><P> Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec</P><P> Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)</P><P> MAC address 0018.b91b.55b6, MTU 1500</P><P> IP address 205.3.164.1, subnet mask 255.255.255.224</P><P> 3421353595 packets input, 1734453023897 bytes, 10860859 no buffer</P><P> Received 276528 broadcasts, 0 runts, 0 giants</P><P> 0 input errors, 0 CRC, 0 frame, 6484383 overrun, 0 ignored, 0 abort</P><P> 0 L2 decode drops</P><P> 1394329286 packets output, 279509809309 bytes, 0 underruns</P><P> 0 output errors, 0 collisions, 3 interface resets</P><P> 0 late collisions, 0 deferred</P><P> 0 input reset drops, 0 output reset drops</P><P> input queue (curr/max packets): hardware (1/33) software (0/0)</P><P> output queue (curr/max packets): hardware (0/95) software (0/0)</P><P> Traffic Statistics for "Outside":</P><P> 3421137849 packets input, 1646043223864 bytes</P><P> 1394329411 packets output, 250264599199 bytes</P><P> 86153516 packets dropped</P><P> 1 minute input rate 3032 pkts/sec, 4145066 bytes/sec</P><P> 1 minute output rate 1579 pkts/sec, 85978 bytes/sec</P><P> 1 minute drop rate, 12 pkts/sec</P><P> 5 minute input rate 627 pkts/sec, 725869 bytes/sec</P><P> 5 minute output rate 389 pkts/sec, 41285 bytes/sec</P><P> 5 minute drop rate, 11 pkts/sec</P><P></P><P>ASA5500# sh route</P><P>&lt;irrelevant routes snipped&gt;</P><P>O E2 205.3.164.1 255.255.255.255 [110/20] via 10.31.64.129, 0:40:47, Inside</P><P>&lt;snipped&gt;</P><P></P><P>So I have 205.3.164.1/27 as Outside interface IP address, and 205.3.164.1/32 is also learned from Internal network. Obviously this is a configuration mistake, no question about that.</P><P></P><P>Now here is my question: I happened to have this IP address for IPsec VPN remote access, when connection request comes in to this IP address, shouldn't ASA process it? in reality, it does not, but I want to understand what ASA is doing. If this is a router, CEF adjacency for this IP address would be receive, and this router would be able to process incoming request correctly. How would ASA behave differently?</P> Mon, 11 Mar 2019 11:21:32 GMT oldcreek12 2019-03-11T11:21:32Z https://community.cisco.com/t5/network-security/interesting-asa-problem-duplicate-ip-ipsec-vpn-remote-access/m-p/889543#M961942 <P>I am running 8.0(2), look at the following output from ASA:</P><P></P><P>ASA5500#sh interface gi0/0</P><P>Interface GigabitEthernet0/0 "Outside", is up, line protocol is up</P><P> Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec</P><P> Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)</P><P> MAC address 0018.b91b.55b6, MTU 1500</P><P> IP address 205.3.164.1, subnet mask 255.255.255.224</P><P> 3421353595 packets input, 1734453023897 bytes, 10860859 no buffer</P><P> Received 276528 broadcasts, 0 runts, 0 giants</P><P> 0 input errors, 0 CRC, 0 frame, 6484383 overrun, 0 ignored, 0 abort</P><P> 0 L2 decode drops</P><P> 1394329286 packets output, 279509809309 bytes, 0 underruns</P><P> 0 output errors, 0 collisions, 3 interface resets</P><P> 0 late collisions, 0 deferred</P><P> 0 input reset drops, 0 output reset drops</P><P> input queue (curr/max packets): hardware (1/33) software (0/0)</P><P> output queue (curr/max packets): hardware (0/95) software (0/0)</P><P> Traffic Statistics for "Outside":</P><P> 3421137849 packets input, 1646043223864 bytes</P><P> 1394329411 packets output, 250264599199 bytes</P><P> 86153516 packets dropped</P><P> 1 minute input rate 3032 pkts/sec, 4145066 bytes/sec</P><P> 1 minute output rate 1579 pkts/sec, 85978 bytes/sec</P><P> 1 minute drop rate, 12 pkts/sec</P><P> 5 minute input rate 627 pkts/sec, 725869 bytes/sec</P><P> 5 minute output rate 389 pkts/sec, 41285 bytes/sec</P><P> 5 minute drop rate, 11 pkts/sec</P><P></P><P>ASA5500# sh route</P><P>&lt;irrelevant routes snipped&gt;</P><P>O E2 205.3.164.1 255.255.255.255 [110/20] via 10.31.64.129, 0:40:47, Inside</P><P>&lt;snipped&gt;</P><P></P><P>So I have 205.3.164.1/27 as Outside interface IP address, and 205.3.164.1/32 is also learned from Internal network. Obviously this is a configuration mistake, no question about that.</P><P></P><P>Now here is my question: I happened to have this IP address for IPsec VPN remote access, when connection request comes in to this IP address, shouldn't ASA process it? in reality, it does not, but I want to understand what ASA is doing. If this is a router, CEF adjacency for this IP address would be receive, and this router would be able to process incoming request correctly. How would ASA behave differently?</P> Mon, 11 Mar 2019 11:21:32 GMT https://community.cisco.com/t5/network-security/interesting-asa-problem-duplicate-ip-ipsec-vpn-remote-access/m-p/889543#M961942 oldcreek12 2019-03-11T11:21:32Z https://community.cisco.com/t5/network-security/interesting-asa-problem-duplicate-ip-ipsec-vpn-remote-access/m-p/889544#M961945 <HTML><HEAD></HEAD><BODY><P>The ASA is learning the route for 205.3.264.1 from two different sources, this is different from having a vpn connection request. So the ASA is not taking this as a vpn request but just like a route which is learned from a neighbour.</P></BODY></HTML> Thu, 11 Oct 2007 20:41:05 GMT https://community.cisco.com/t5/network-security/interesting-asa-problem-duplicate-ip-ipsec-vpn-remote-access/m-p/889544#M961945 amritpatek 2007-10-11T20:41:05Z