05-17-2017 07:21 PM - edited 03-12-2019 02:23 AM
Our ASA, version 9.6.1, has multiple static routes showing in the routing table that are not in the configuration as a "route" statement.
For example:
#sh route | i 192.168.1.0
S 192.168.1.0 255.255.255.0 [1/0] via 1.1.1.1, Outside
#sh run | i 192.168.1.0
access-list route_map_acl standard permit host 192.168.1.0
#
Is a route-map doing this somehow? Any ideas what would cause this?
05-18-2017 11:04 AM
It is possible that reverse route injection is pushing this route in.
Are these VPN tunnels?
route_map_acl: where is this being used? Can you share the complete configuration related to this?
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
05-18-2017 09:57 AM
Hi,
1. Is this a standalone or device in failover?
2. If failover, is this active or
3. Do you have any IP SLA tracking for
4. output of "show resource usage"
5. output of "show run all | in 192.168.1.0"
6. output of "show run all crypto map | in reverse-route"
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
05-18-2017 10:51 AM
Active/Standby failover. This device is secondary-active while the other is in primary-standby. The primary is also running 9.1.6. It's set up this way just while we test; we want to get this issue resolved before we move both permanently to 9.6.1.
No IP SLAs are configured.
4. and 5. I'm unable to complete at the moment. On 6, below is the normal show run for this crypto map. We do have reverse-route setup on all of our crypto maps.
crypto map Outside_map 21 match address Outside_cryptomap_20
crypto map Outside_map 21 set pfs
crypto map Outside_map 21 set peer 2.3.4.5
crypto map Outside_map 21 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 21 set nat-t-disable
crypto map Outside_map 21 set reverse-route
05-18-2017 11:25 AM
Yes, this tunnel is up and the static route matches the ACL in the crypto map, so that must be where this route is coming from.
We have other tunnels though that come up when the remote peer initiates the connection, but the static routes do not get created and show crypto ipsec sa shows decrypts but no encrypts. The tunnels are configured the same as far as I can tell; I confirmed these one-way tunnels also have the reverse-route configured.
05-18-2017 06:00 PM
Glad I could be of help!
That would be quite unusual if you have reverse-route set for the other VPN tunnels and the routes are not getting populated properly. It is consistent with the fact that the encrypt counters are not incrementing.
Great find on https://supportforums.cisco.com/discussion/11617891/asa-5515-x-reverse-route-injection-lan-lan-problem-eigrp-redistribution.
You might want to check for any known defects on RRI for your ASA version.
Regards,
Dinesh Moudgil
05-18-2017 11:27 AM
The route_map_acl is only being used in a route map that redistributes static routes to ospf.
05-18-2017 03:01 PM
The link below is what I think we're running into. Thanks for your help Dinesh!
https://supportforums.cisco.com/discussion/11617891/asa-5515-x-reverse-route-injection-lan-lan-problem-eigrp-redistribution
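The thread's conclusion is that the unexplained "S" route came from reverse route injection: a crypto map entry with "set reverse-route" installs a static route for the remote network in its crypto ACL, and no "route" statement ever appears in the running config. The script below is an added example (not from the thread or from Cisco) that automates the check the poster did by hand: it parses constructed "show route" and "show run" output in the ASA 9.x line formats shown above, and labels each static route as explicitly configured, RRI-derived (naming the crypto map entry), or of unknown origin. The sample output, the second crypto map entry (sequence 31, without reverse-route), and the ACL names other than those in the thread are constructed for the example.

```python
"""Correlate ASA static routes with their configuration source.

Added example, not from the forum thread. Parses constructed 'show route' and
'show run' text and reports, for each 'S' route, whether it comes from an
explicit 'route' statement or is a reverse route injection (RRI) candidate:
the destination matches an ACL referenced by a crypto map entry that also has
'set reverse-route'.
"""
import ipaddress
import re

# Constructed sample output (not captured from a real device).
SHOW_ROUTE = """\
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, Outside
C    1.1.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [1/0] via 1.1.1.1, Outside
S    10.50.0.0 255.255.0.0 [1/0] via 10.0.0.2, Inside
"""

SHOW_RUN = """\
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route Inside 10.50.0.0 255.255.0.0 10.0.0.2 1
access-list Outside_cryptomap_20 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Outside_cryptomap_30 extended permit ip 10.0.0.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list route_map_acl standard permit host 192.168.1.0
crypto map Outside_map 21 match address Outside_cryptomap_20
crypto map Outside_map 21 set peer 2.3.4.5
crypto map Outside_map 21 set reverse-route
crypto map Outside_map 31 match address Outside_cryptomap_30
crypto map Outside_map 31 set peer 2.3.4.6
"""

# 'S' or 'S*' (candidate default) static entries in 'show route'.
STATIC_RE = re.compile(r"^S\*?\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s*(\S+)")
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# Extended ACE with explicit source and destination network/mask pairs.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
CMAP_MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)")
CMAP_RRI_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+set reverse-route")


def _net(addr, mask):
    # ipaddress accepts 'address/dotted-mask' directly.
    return ipaddress.ip_network(f"{addr}/{mask}")


def static_routes(show_route):
    """Return {network: next_hop} for the static entries in 'show route'."""
    out = {}
    for line in show_route.splitlines():
        m = STATIC_RE.match(line)
        if m:
            out[_net(m.group(1), m.group(2))] = m.group(3)
    return out


def configured_routes(show_run):
    """Return the networks from explicit 'route <intf> <net> <mask> <gw>' lines."""
    out = set()
    for line in show_run.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            out.add(_net(m.group(2), m.group(3)))
    return out


def rri_destinations(show_run):
    """Return {remote_network: (map_name, seq)} for crypto map entries with reverse-route.

    The remote network is the destination of each ACE in the entry's crypto ACL,
    which is what RRI installs a route for.
    """
    acl_dest = {}   # ACL name -> destination networks of its ACEs
    match_acl = {}  # (map name, seq) -> ACL name
    rri = set()     # (map name, seq) entries that have 'set reverse-route'
    for line in show_run.splitlines():
        if m := ACL_RE.match(line):
            acl_dest.setdefault(m.group(1), []).append(_net(m.group(4), m.group(5)))
        elif m := CMAP_MATCH_RE.match(line):
            match_acl[(m.group(1), m.group(2))] = m.group(3)
        elif m := CMAP_RRI_RE.match(line):
            rri.add((m.group(1), m.group(2)))
    out = {}
    for entry in rri:
        for net in acl_dest.get(match_acl.get(entry), []):
            out[net] = entry
    return out


def classify_static_routes(show_route, show_run):
    """Label each static route: 'configured', 'rri:<map> <seq>', or 'unknown'."""
    configured = configured_routes(show_run)
    rri = rri_destinations(show_run)
    result = {}
    for net in static_routes(show_route):
        if net in configured:
            result[str(net)] = "configured"
        elif net in rri:
            name, seq = rri[net]
            result[str(net)] = f"rri:{name} {seq}"
        else:
            result[str(net)] = "unknown"
    return result


if __name__ == "__main__":
    for net, origin in classify_static_routes(SHOW_ROUTE, SHOW_RUN).items():
        print(f"{net:<20} {origin}")
```

On the constructed data, 192.168.1.0/24 is reported as coming from crypto map entry Outside_map 21, the one with "set reverse-route"; a route that shows up as "unknown" is the case worth a closer look, since neither a route statement nor an RRI-enabled crypto map explains it. Note that the script only says which entries could inject a route; whether a given route is actually present still depends on tunnel state, as the poster observed for the one-way tunnels.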