ASA 5520 - Can not change default route.

coperi800
Level 1

Hi

My ASA is sitting behind a router; the next hop from the ASA to the router is 10.0.0.5. I have tried to change the default route to "route DMZ 0 0 10.0.0.5", to no avail. Right now the default route is (S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.8.20, Outside), but even if I do a "no route Outside 0 0 172.16.8.20" the default route does not disappear when I do a "sh route" command. Any help would be greatly appreciated.



Marvin Rhoads
Hall of Fame

Your post is unclear. Is your default route out the DMZ or out the Outside interface?

Can you share your configuration or at least "show ip address" and "show route" from your ASA?

I apologize for not being clear; hopefully this helps. Basically the default route should be: route DMZ 0.0.0.0 0.0.0.0 10.10.10.5. I had to add a metric of 2 because otherwise it would conflict with the gateway of last resort. The interesting part is that if I try to remove the current gateway of last resort, the error I get is "%No matching route to delete", and if I try to add the new route I get "ERROR: Cannot add route entry, conflict with existing routes".

**"show ip address" output---

Interface                Name           IP address      Subnet mask     Method
GigabitEthernet0/0       Outside        172.22.8.166    255.255.252.0   CONFIG
GigabitEthernet0/3       DMZ            10.10.10.16     255.255.255.0   CONFIG
Management0/0            management     192.168.100.1   255.255.255.0   CONFIG
GigabitEthernet1/0       Inside         172.16.0.2      255.255.252.0   CONFIG
GigabitEthernet1/1       VPN            X.X.X.X         255.255.255.240 CONFIG

Current IP Addresses:
Interface                Name           IP address      Subnet mask     Method
GigabitEthernet0/0       Outside        172.22.8.166    255.255.252.0   CONFIG
GigabitEthernet0/3       DMZ            10.10.10.16     255.255.255.0   CONFIG
Management0/0            management     192.168.100.1   255.255.255.0   CONFIG
GigabitEthernet1/0       Inside         172.16.0.2      255.255.252.0   CONFIG
GigabitEthernet1/1       VPN            X.X.X.X         255.255.255.240 CONFIG

**"show running-config" output---

!The DMZ route should be the gateway of last resort
route DMZ 0.0.0.0 0.0.0.0 10.10.10.5 2
route Outside 10.0.1.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.2.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.4.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.5.0 255.255.255.240 172.22.8.20 1
route Outside 10.0.6.0 255.255.255.252 172.22.8.20 1
route Outside 10.0.25.0 255.255.255.0 172.22.8.20 1
route Outside 10.0.52.0 255.255.255.0 172.22.8.20 1
route Inside 172.16.0.0 255.255.252.0 172.16.0.3 1
route Outside 172.16.6.0 255.255.255.0 172.16.6.1 1
route Outside 172.22.0.0 255.255.0.0 172.22.8.20 10
route Outside 192.168.0.0 255.255.255.0 172.22.8.20 255
route DMZ 192.168.200.0 255.255.255.0 156.108.124.66 1

**"show route" output ---

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.22.8.20 to network 0.0.0.0

S    172.16.6.0 255.255.255.0 [1/0] via 172.16.6.1, Outside
                              [1/0] via 172.22.8.20, Outside
C    172.16.0.0 255.255.252.0 is directly connected, Inside
C    172.22.8.0 255.255.252.0 is directly connected, Outside
S    172.22.0.0 255.255.0.0 [10/0] via 172.22.8.20, Outside
D    192.168.4.8 255.255.255.252 [90/2178816] via 172.16.0.3, 66:37:21, Inside
D    192.168.4.9 255.255.255.255 [90/2178816] via 172.16.0.3, 66:37:21, Inside
S    10.0.2.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
D    10.0.0.0 255.255.255.0 [90/3072] via 172.16.0.3, 66:37:21, Inside
C    10.10.10.0 255.255.255.0 is directly connected, DMZ
S    10.0.1.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S    10.0.6.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S    10.0.4.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
S    10.0.5.0 255.255.255.240 [1/0] via 172.22.8.20, Outside
S    10.0.25.0 255.255.255.0 [1/0] via 172.22.8.20, Outside
S    10.0.52.0 255.255.255.0 [1/0] via 172.22.8.20, Outside
S    192.168.0.0 255.255.255.0
           [255/0] via 172.22.8.20, Outside
D    192.168.100.0 255.255.255.0 [90/3072] via 172.16.0.3, 66:37:21, Inside
! I have tried to remove the route below with the command "no route Outside 0 0 172.22.8.20" but always get the error %No matching route to delete
S*   0.0.0.0 0.0.0.0 [1/0] via 172.22.8.20, Outside

Are you or is anyone else connecting to the ASA via VPN?

I ask because there is the chance you may be getting a default route injected via reverse route injection (RRI) or other configuration in the VPN. Such a route would show up in the routing table but not in the running configuration.

Hi Marvin,

First I want to say thanks for your help... Yes there are 2 L2L vpns connected to this particular device. I did not know what RRI was until you mentioned it. Also OSPF was enabled on this device but disabled it when I was trying to troubleshoot. I have access to one of the two devices involved with the VPN tunnels. Is there a way to verify that RRI is causing the route injection?

cadet alain
VIP Alumni

Hi,

Can you try clear configure route 0 0

Regards

Alain

Don't forget to rate helpful posts.


Hi,

Can you share your configuration? Then I'll sort out what the problem is.

Regards

Parosh

Thanks for your reply, Alain. "configure" is not an option on my ASA.

clear configure route 0 0

You need to be in global configuration mode before issuing the "clear configure route 0 0 " command.


Again, sharing your configuration (or at least the relevant sections) helps us better understand the problem. If you choose not to do so, our ability and willingness to assist is constrained.

Does your "Outside" interface have its IP address obtained from DHCP with the "setroute" option?

Excellent thought, jjohnston.

That sounds even more likely than the path I was going down with RRI. I hadn't considered that, since I so seldom ever see a production ASA with DHCP addressing on its main interface (in fact I've only seen them described here, usually in people's home labs).

coperi800
Level 1

Thank you everyone for your help with my problem. After Marvin mentioned RRI I started looking at configurations and found this: "crypto map outside_map 1 set reverse-route" on the ASA at the branch location. Before Marvin mentioned it I never knew what RRI was, but I added a few static routes and things are working now. So I think it was RRI after all.
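The diagnostic the thread converges on (Marvin's RRI suggestion, jjohnston's DHCP "setroute" question, and the "set reverse-route" line the original poster eventually found) is really one check: which static entries in "show route" have no matching "route" statement in the running configuration, and which config lines are capable of installing routes without one. The script below is an added example, not code from this thread or from Cisco. It parses pasted "show route" and "show running-config" text offline; the sample input is constructed from the route lines quoted above, with the interface block and its placement assumed for illustration. It handles the ECMP continuation lines in "show route" (a second "[1/0] via ..." line under the same prefix) and, because it keys on prefix, next hop and interface, it also surfaces the second next hop for 172.16.6.0 that no "route" statement declares.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample input assembled from the lines quoted in this thread.
# The interface block and its position are assumptions; the route, show route
# and crypto map lines are the ones the original poster shared.
RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 ip address 172.22.8.166 255.255.252.0
!
crypto map outside_map 1 set reverse-route
route DMZ 0.0.0.0 0.0.0.0 10.10.10.5 2
route Outside 10.0.1.0 255.255.255.252 172.22.8.20 1
route Outside 172.16.6.0 255.255.255.0 172.16.6.1 1
route Outside 172.22.0.0 255.255.0.0 172.22.8.20 10
"""

SHOW_ROUTE = """\
Gateway of last resort is 172.22.8.20 to network 0.0.0.0
S    172.16.6.0 255.255.255.0 [1/0] via 172.16.6.1, Outside
                              [1/0] via 172.22.8.20, Outside
C    172.22.8.0 255.255.252.0 is directly connected, Outside
S    172.22.0.0 255.255.0.0 [10/0] via 172.22.8.20, Outside
S    10.0.1.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
C    10.10.10.0 255.255.255.0 is directly connected, DMZ
S*   0.0.0.0 0.0.0.0 [1/0] via 172.22.8.20, Outside
"""

Route = Tuple[str, str, str, str]  # (network, mask, next hop, interface nameif)

# 'route <nameif> <network> <mask> <next-hop> [metric]' as written in the config
ROUTE_CFG = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\d+)?\s*$")
# 'S' or 'S*' entries in 'show route'; next hops may follow on continuation lines
RIB_HEAD = re.compile(r"^S\*?\s+(\S+)\s+(\S+)(.*)$")
RIB_HOP = re.compile(r"\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)")


def configured_static_routes(config: str) -> Set[Route]:
    """Static routes the running configuration explicitly declares."""
    routes: Set[Route] = set()
    for line in config.splitlines():
        m = ROUTE_CFG.match(line.strip())
        if m:
            iface, net, mask, nh = m.groups()
            routes.add((net, mask, nh, iface))
    return routes


def rib_static_routes(show_route: str) -> Set[Route]:
    """Static routes actually installed in the routing table, one entry per next hop."""
    routes: Set[Route] = set()
    prefix: Optional[Tuple[str, str]] = None
    for line in show_route.splitlines():
        head = RIB_HEAD.match(line)
        if head:
            prefix, rest = (head.group(1), head.group(2)), head.group(3)
        elif prefix and line.startswith(" ") and RIB_HOP.search(line):
            rest = line  # ECMP continuation line belongs to the previous prefix
        else:
            prefix = None  # any other line (C, D, header text) ends the entry
            continue
        for hop in RIB_HOP.finditer(rest):
            routes.add((prefix[0], prefix[1], hop.group(1), hop.group(2)))
    return routes


def unexplained_static_routes(config: str, show_route: str) -> Set[Route]:
    """RIB static entries that no 'route' statement in the config accounts for.

    These are the candidates for routes installed by something other than a
    'route' command, such as reverse route injection or a DHCP setroute.
    """
    return rib_static_routes(show_route) - configured_static_routes(config)


def possible_injection_sources(config: str) -> List[Tuple[str, str]]:
    """Config lines that can install static routes without a 'route' statement."""
    hints: List[Tuple[str, str]] = []
    for line in config.splitlines():
        s = line.strip()
        if re.match(r"^crypto map \S+ \d+ set reverse-route\b", s):
            hints.append(("RRI", s))
        elif re.match(r"^ip address dhcp setroute\b", s):
            hints.append(("DHCP setroute", s))
    return hints


if __name__ == "__main__":
    for net, mask, nh, iface in sorted(unexplained_static_routes(RUNNING_CONFIG, SHOW_ROUTE)):
        print(f"not in config: {net} {mask} via {nh}, {iface}")
    for kind, line in possible_injection_sources(RUNNING_CONFIG):
        print(f"possible source ({kind}): {line}")
```

On the thread's own data this reports the 0.0.0.0/0 entry via 172.22.8.20 as unexplained, which matches the "%No matching route to delete" symptom: "no route" can only remove what a "route" statement put there. It also flags the "set reverse-route" crypto map line as a possible source. The script does not tell you which source actually installed a route; for that you still check the VPN peers' crypto maps and the interface addressing on the box itself.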

Cool. Another one solved. Plus we all learn (or re-learn) something.

Thanks for the rating.
