02-14-2014 04:25 PM - edited 03-11-2019 08:45 PM
Hi
My ASA is sitting behind a router. The next hop from the ASA to the router is 10.0.0.5. I have tried to change the default route to "route DMZ 0 0 10.0.0.5" to no avail. Right now the default route is (S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.8.20, Outside), but even if I do a "no route Outside 0 0 172.16.8.20" the default route does not disappear when I do a "sh route" command. Any help would be greatly appreciated.
Solved! Go to Solution.
02-17-2014 10:41 AM
Are you or is anyone else connecting to the ASA via VPN?
I ask because there is the chance you may be getting a default route injected via reverse route injection (RRI) or other configuration in the VPN. Such a route would show up in the routing table but not in the running configuration.
02-14-2014 11:53 PM
Your post is unclear. Is your default route out the DMZ or out the Outside interface?
Can you share your configuration or at least "show ip address" and "show route" from your ASA?
02-17-2014 10:26 AM
I apologize for not being clear; hopefully this helps. Basically the default route should be: route DMZ 0.0.0.0 0.0.0.0 10.10.10.5. I had to add a metric of 2 because otherwise it would conflict with the gateway of last resort. The interesting part is that if I try to remove the current gateway of last resort, the error I get is "%No matching route to delete", and if I try to add the new route I get "ERROR: Cannot add route entry, conflict with existing routes".
**"show ip address" output---
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 Outside 172.22.8.166 255.255.252.0 CONFIG
GigabitEthernet0/3 DMZ 10.10.10.16 255.255.255.0 CONFIG
Management0/0 management 192.168.100.1 255.255.255.0 CONFIG
GigabitEthernet1/0 Inside 172.16.0.2 255.255.252.0 CONFIG
GigabitEthernet1/1 VPN X.X.X.X 255.255.255.240 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 Outside 172.22.8.166 255.255.252.0 CONFIG
GigabitEthernet0/3 DMZ 10.10.10.16 255.255.255.0 CONFIG
Management0/0 management 192.168.100.1 255.255.255.0 CONFIG
GigabitEthernet1/0 Inside 172.16.0.2 255.255.252.0 CONFIG
GigabitEthernet1/1 VPN X.X.X.X 255.255.255.240 CONFIG
**"show running-config" output---
!The DMZ route should be the gateway of last resort
route DMZ 0.0.0.0 0.0.0.0 10.10.10.5 2
route Outside 10.0.1.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.2.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.4.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.5.0 255.255.255.240 172.22.8.20 1
route Outside 10.0.6.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.25.0 255.255.255.0 172.22.8.20 1
route Outside 10.0.52.0 255.255.255.0 172.22.8.20 1
route Inside 172.16.0.0 255.255.252.0 172.16.0.3 1
route Outside 172.16.6.0 255.255.255.0 172.16.6.1 1
route Outside 172.22.0.0 255.255.0.0 172.22.8.20 10
route Outside 192.168.0.0 255.255.255.0 172.22.8.20 255
route DMZ 192.168.200.0 255.255.255.0 156.108.124.66 1
**"show route" output ---
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.22.8.20 to network 0.0.0.0
S 172.16.6.0 255.255.255.0 [1/0] via 172.16.6.1, Outside
[1/0] via 172.22.8.20, Outside
C 172.16.0.0 255.255.252.0 is directly connected, Inside
C 172.22.8.0 255.255.252.0 is directly connected, Outside
S 172.22.0.0 255.255.0.0 [10/0] via 172.22.8.20, Outside
D 192.168.4.8 255.255.255.252 [90/2178816] via 172.16.0.3, 66:37:21, Inside
D 192.168.4.9 255.255.255.255 [90/2178816] via 172.16.0.3, 66:37:21, Inside
S 10.0.2.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
D 10.0.0.0 255.255.255.0 [90/3072] via 172.16.0.3, 66:37:21, Inside
C 10.10.10.0 255.255.255.0 is directly connected, DMZ
S 10.0.1.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S 10.0.6.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S 10.0.4.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S 10.0.5.0 255.255.255.240 [1/0] via 172.22.8.20, Outside
S 10.0.25.0 255.255.255.0 [1/0] via 172.22.8.20, Outside
S 10.0.52.0 255.255.255.0 [1/0] via 172.22.8.20, Outside
S 192.168.0.0 255.255.255.0
[255/0] via 172.22.8.20, Outside
D 192.168.100.0 255.255.255.0 [90/3072] via 172.16.0.3, 66:37:21, Inside
! I have tried to remove the route below with the command "no route Outside 0 0 172.22.8.20" but always get the error %No matching route to delete
S* 0.0.0.0 0.0.0.0 [1/0] via 172.22.8.20, Outside
02-17-2014 12:35 PM
Hi Marvin,
First I want to say thanks for your help... Yes, there are 2 L2L VPNs connected to this particular device. I did not know what RRI was until you mentioned it. Also, OSPF was enabled on this device but I disabled it when I was trying to troubleshoot. I have access to one of the two devices involved with the VPN tunnels. Is there a way to verify that RRI is causing the route injection?
02-16-2014 02:43 AM
Hi,
Can you try clear configure route 0 0
Regards
Alain
Don't forget to rate helpful posts.
02-16-2014 05:17 AM
Hi,
Can you share your configuration? Then I'll sort out what the problem is.
Regards
Parosh
02-17-2014 08:21 AM
Thanks for your reply, Alain. "configure" is not an option on my ASA.
clear configure route 0 0
02-17-2014 08:31 AM
You need to be in global configuration mode before issuing the "clear configure route 0 0 " command.
Again, sharing your configuration (or at least the relevant sections) helps us better understand the problem. If you choose not to do so, our ability and willingness to assist is constrained.
02-17-2014 03:09 PM
Does your "Outside" interface have its IP address obtained from DHCP with the "setroute" option?
02-17-2014 03:13 PM
Excellent thought, jjohnston.
That sounds even more likely than the path I was going down with RRI. I hadn't considered that since I so seldom ever see a production ASA with DHCP addressing on its main interface (in fact I've only seen them described here - usually in people's home labs)
02-18-2014 09:57 AM
Thank you everyone for your help with my problem. After Marvin mentioned RRI I started looking at configurations and found this: "crypto map outside_map 1 set reverse-route" on the ASA at the branch location. Before Marvin mentioned it I never knew what RRI was, but I added a few static routes and things are working now. So I think it was RRI after all.
02-18-2014 10:00 AM
Cool. Another one solved. Plus we all learn (or re-learn) something.
Thanks for the rating.
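The check Marvin described (a route that is present in "show route" but absent from the "route" lines of the running-config) and the two injection sources raised in this thread (RRI via "set reverse-route", and a DHCP-learned default route via "ip address dhcp setroute") can be done offline against pasted CLI output. The script below is an added example for this thread, not something posted by any participant or shipped with the ASA. The sample "show route" and "route" lines are trimmed copies of what the original poster pasted above; the config fragment with "ip address dhcp setroute" is constructed to show what that check catches and is not from the poster's device. It assumes the classic ASA "show route" layout, where extra next hops for the same prefix appear on indented continuation lines.

```python
"""Flag ASA static routes that are in the RIB but not in the running-config.

Added example: the parsing and the sample data layout are assumptions about the
classic ASA 'show route' text format; adjust the regexes if your version differs.
"""
import ipaddress
import re
from typing import List, Tuple

RouteKey = Tuple[str, str, str]  # (prefix, next hop, interface)

# Trimmed from the 'route' lines the original poster showed from 'show running-config'.
RUNNING_CONFIG_ROUTES = """\
route DMZ 0.0.0.0 0.0.0.0 10.10.10.5 2
route Outside 10.0.1.0 255.255.255.252 172.22.8.20 1
route Outside 172.16.6.0 255.255.255.0 172.16.6.1 1
route Outside 172.22.0.0 255.255.0.0 172.22.8.20 10
route Outside 192.168.0.0 255.255.255.0 172.22.8.20 255
"""

# Trimmed from the poster's 'show route'; note the indented continuation lines.
SHOW_ROUTE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       * - candidate default, U - per-user static route, o - ODR
Gateway of last resort is 172.22.8.20 to network 0.0.0.0
S    172.16.6.0 255.255.255.0 [1/0] via 172.16.6.1, Outside
                              [1/0] via 172.22.8.20, Outside
C    172.22.8.0 255.255.252.0 is directly connected, Outside
S    172.22.0.0 255.255.0.0 [10/0] via 172.22.8.20, Outside
S    10.0.1.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S    192.168.0.0 255.255.255.0
           [255/0] via 172.22.8.20, Outside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.22.8.20, Outside
"""

# Constructed config fragment: the crypto map line is the one the poster found on
# the branch ASA; the DHCP 'setroute' interface is made up to exercise that check.
SAMPLE_CONFIG_FRAGMENT = """\
crypto map outside_map 1 set reverse-route
interface GigabitEthernet0/0
 nameif Outside
 ip address dhcp setroute
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_CONFIG_ROUTE = re.compile(
    rf"^route\s+(?P<iface>\S+)\s+(?P<net>{_IPV4})\s+(?P<mask>{_IPV4})\s+(?P<nh>{_IPV4})(?:\s+\d+)?"
)
# 'S' or 'S*' (candidate default) lines; the legend line 'S - static' does not match.
_RIB_STATIC = re.compile(rf"^S\*?\s+(?P<net>{_IPV4})\s+(?P<mask>{_IPV4})(?P<rest>.*)$")
_VIA = re.compile(rf"\[\d+/\d+\]\s+via\s+(?P<nh>{_IPV4}),\s+(?P<iface>\S+)")

# Config statements that can place routes in the RIB without a 'route' line.
_INJECTORS = (
    ("reverse route injection", re.compile(r"^\s*crypto (?:dynamic-)?map .*\bset reverse-route\b")),
    ("DHCP default route", re.compile(r"^\s*ip address dhcp setroute\b")),
    ("dynamic routing", re.compile(r"^\s*router (?:ospf|eigrp|rip)\b")),
)


def _prefix(net: str, mask: str) -> str:
    """Normalise 'net mask' to CIDR so metric/format differences do not matter."""
    return str(ipaddress.ip_network(f"{net}/{mask}", strict=False))


def config_static_routes(config_text: str) -> List[RouteKey]:
    """Static routes declared with 'route <iface> <net> <mask> <nh> [metric]'."""
    routes = []
    for line in config_text.splitlines():
        m = _CONFIG_ROUTE.match(line.strip())
        if m:
            routes.append((_prefix(m["net"], m["mask"]), m["nh"], m["iface"]))
    return routes


def _join_continuations(text: str) -> List[str]:
    """Fold indented lines (extra next hops) onto the preceding route line."""
    joined: List[str] = []
    for line in text.splitlines():
        if joined and line[:1].isspace():
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.rstrip())
    return joined


def rib_static_routes(show_route_text: str) -> List[RouteKey]:
    """Every (prefix, next hop, interface) the RIB lists as static, ECMP paths included."""
    routes = []
    for line in _join_continuations(show_route_text):
        m = _RIB_STATIC.match(line)
        if not m:
            continue
        prefix = _prefix(m["net"], m["mask"])
        for v in _VIA.finditer(m["rest"]):
            routes.append((prefix, v["nh"], v["iface"]))
    return routes


def rib_only_static_routes(config_text: str, show_route_text: str) -> List[RouteKey]:
    """Static routes in the RIB that no 'route' line explains (RRI, setroute, ...)."""
    configured = set(config_static_routes(config_text))
    return [r for r in rib_static_routes(show_route_text) if r not in configured]


def route_injection_sources(config_text: str) -> List[Tuple[str, str]]:
    """Config lines that can inject routes, labelled by mechanism."""
    return [(label, line.strip()) for line in config_text.splitlines()
            for label, pat in _INJECTORS if pat.match(line)]


if __name__ == "__main__":
    for r in rib_only_static_routes(RUNNING_CONFIG_ROUTES, SHOW_ROUTE):
        print("RIB-only static route:", r)
    for label, line in route_injection_sources(SAMPLE_CONFIG_FRAGMENT):
        print(f"possible injector ({label}):", line)
```

Run against the output the poster pasted, the comparison flags the S* default via 172.22.8.20 that the poster could not delete, and also the second path for 172.16.6.0/24 via 172.22.8.20, which likewise appears in "show route" but has no matching "route" line in the running-config. The second function is the quick grep for "set reverse-route" and "dhcp setroute" that would have pointed at the branch crypto map without waiting for the route comparison.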