ASA creates RRI routes even from deny crypto map ACLs

ROBERTO GIANA
Level 4

Hi

Has anybody seen the same? The ASA creates RRI routes even for deny statements of the crypto map ACL. :-) So if you have an s2s VPN tunnel and you want some traffic not to be sent over the tunnel, you make deny statements within the crypto map ACL. But those deny statements also create static routes in the routing table.

So my ASA is attracting traffic with RRI which I explicitly do not want to have at the ASA.

Is that a documented feature?

How can it be disabled without disabling RRI?

1 Reply

Jouni Forss
VIP Alumni

Hi,

Wouldn't you leave all the traffic that you don't want tunneled out of the list to begin with?

And just specify the list to match only the traffic that needs to use the tunnel?

I can't remember EVER using deny statements on an L2L VPN access-list.

Can you elaborate on your situation a bit more, with the access-list and networks/hosts involved in the setup?

- Jouni
