Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
858
Views
0
Helpful
4
Replies

ASAs and more-specific static routes

Go to solution
mmelbourne
Level 5
Level 5

‎07-12-2019 06:12 AM

I had a situation with an ASA 5525-X running 9.6(4)25.

 

There was a static route in place for (say) 10.1.1.0/24 out of one interface, e.g.

route intf-1 10.1.1.0 255.255.255.0 <next-hop>

 

A more-specific route was then required out of another interface e.g.

route intf-2 10.1.1.48 255.255.255.240 <next-hop>

 

However, when adding the more-specific route, the traffic was not routed via this interface; the less-specific was still honoured for destinations in 10.1.1.48/28.

 

When the less-specific (10.1.1.0/24) was removed, the traffic flowed correctly.

 

Could it be the case that routes to destinations are 'cached' in some way, which might explain why the the more-specific was not used when both routes were present?

 

Cheers,
Matt

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎07-12-2019 06:30 AM

Were connection tables already built for the traffic that you were testing? If the ASA matches an existing connection table entry, it will use the destination interface based on that. You may have to clear the connection and xlate table for the corresponding traffic. If it just 1 host you are testing with, use the "clear local-host x.x.x.x" command to do this. 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-12-2019 06:20 AM

Is the next hop is same for both ? why not consider PBR in this case.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
mmelbourne
Level 5
Level 5
In response to balaji.bandi

‎07-12-2019 06:23 AM

Different next-hops (different interfaces), and no PBR required, just want anything that's not in the 10.1.1.48/28 network to be routed out intf-1. This should be basic more-specific route wins.

0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎07-12-2019 06:30 AM

Were connection tables already built for the traffic that you were testing? If the ASA matches an existing connection table entry, it will use the destination interface based on that. You may have to clear the connection and xlate table for the corresponding traffic. If it just 1 host you are testing with, use the "clear local-host x.x.x.x" command to do this. 

0 Helpful

Go to solution
mmelbourne
Level 5
Level 5
In response to Rahul Govindan

‎07-12-2019 06:38 AM

Thanks, I think was probably it, the connection tables were likely built (ICMP monitoring and UDP snmp/syslog traffic at the time of routing change).

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card