08-20-2014 06:26 AM - edited 03-11-2019 09:39 PM
Hello Dear Engineers,
In Cisco ASA version 8.2(5) I configured a floating static route with a different Administrative Distance (for example, 10), but IOS cannot accept this parameter. For verification, the show route command result shows the administrative distance as 1.
Configuration example:
ip route 10.0.0.0 255.255.255.0 192.168.1.1 1 track 1
ip route 10.0.0.0 255.255.255.0 192.168.2.1 10
S 10.0.0.0 255.255.255.0 [1/0] via 192.168.2.1, outside2
Is this a bug in the IOS, or maybe I misconfigured something?
Thanks in advance.
08-21-2014 03:40 AM
Hi Samir,
Even PIX version 8.0 shows the correct AD value defined... it might be a bug or a misconfiguration on your end.
pixfirewall(config-if)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
C 1.1.1.0 255.255.255.0 is directly connected, out1
C 2.2.2.0 255.255.255.0 is directly connected, out2
S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, out1
pixfirewall(config-if)# shut
pixfirewall(config-if)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 2.2.2.2 to network 0.0.0.0
C 2.2.2.0 255.255.255.0 is directly connected, out2
S* 0.0.0.0 0.0.0.0 [100/0] via 2.2.2.2, out2
pixfirewall(config-if)#
Regards
Karthik
08-20-2014 07:16 AM
I doubt that it is a bug. I see at least two ways in which you have misconfigured something.
- configuring a static route on the ASA requires that you specify the outbound interface in the ip route command, which you have not done.
- I have checked the config guide of 8.2 and I do not find any option for track which is part of the config that you show.
Given that the config statements that you show are invalid on ASA I am not clear how the entry got into the routing table of the ASA and whether it was entered with distance of 10 or not. I did find this example in the documentation which seems to indicate that a static correctly configured with a higher distance will have that distance show up in the output of show route
S 10.1.1.0 255.255.255.0 [3/0] via 10.86.194.1, outside
HTH
Rick
08-20-2014 07:28 AM
Hi Rick,
route-tracking is also available in 8.2 (if I remember right, it was added to ASA v7.2):
08-20-2014 07:42 AM
Karsten
Thank you for adding something that I did not know about the ASA - and +5 for the contribution. When I looked in the config guide I did not see the track option in the explanation of configuring static routes. I see that I should have looked further and found the later section that discussed how to add the track feature to a static route.
HTH
Rick
08-20-2014 08:57 PM
Sorry.
Here I typed the static routing commands manually, and I forgot about the interfaces:
route outside1 10.0.0.0 255.255.255.0 192.168.1.1 1 track 1
route outside2 10.0.0.0 255.255.255.0 192.168.2.1 10
08-20-2014 10:56 PM
That's exactly how it should work. Please show the resulting routing table.
08-20-2014 11:37 PM
S 10.0.0.0 255.255.255.0 [1/0] via 192.168.2.1, outside2
1. After the primary link goes down, the route through the backup link comes up. That is okay.
BUT
It seems the ASA could not accept the Administrative Distance parameter for the backup route, whose AD is 10.
It must be shown as [10/0]
08-21-2014 03:29 AM
Hi Samir,
It happens as you expect when you configure the backup route for the same interface... with AD... If you do that for a backup interface, say outside2 as per your scenario, it will take it as 1... since you do not have any other default route for the outside2 interface... It considers it as per the standard... Hope it clarifies your doubt... All based on assumption... but it does not happen in version 8.4... even when it shows the backup route... it shows it with the defined AD.
Regards
Karthik
08-22-2014 12:20 AM
Dears,
I've found the root cause.
The root cause was Reverse-Route-Injection for the site-to-site VPN.
Static routes for the interesting remote LAN subnets (10.0.0.0/24) were added automatically to the routing table by the crypto map RRI feature.
So I deleted the 'crypto map outside_map 1 set reverse-route' command.
And the problem has been solved.
Thank you all.
Sorry for the inconvenience.
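The check that would have pointed at this root cause, as an added example that is not part of the original posts: it compares the static entries in `show route` against the `route` statements in `show run route` and flags any installed static whose distance differs from, or has no match in, the configuration (here the RRI-injected route). The function names and the combined sample input are assumptions constructed from lines quoted in this thread.

```python
import re

# ASA config line: route <if> <net> <mask> <gw> [distance] [track <n>]
ROUTE_CFG = re.compile(
    r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?(?:\s+track\s+\d+)?$")
# "show route" static entry: S[*] <net> <mask> [ad/metric] via <gw>, <if>
ROUTE_RIB = re.compile(
    r"^S\*?\s+(\S+)\s+(\S+)\s+\[(\d+)/\d+\]\s+via\s+(\S+),\s+(\S+)$")

# Constructed sample: route statements quoted in the thread.
SAMPLE_RUN = """\
route outside1 10.0.0.0 255.255.255.0 192.168.1.1 1 track 1
route outside2 10.0.0.0 255.255.255.0 192.168.2.1 10
route WAN 192.168.100.0 255.255.255.0 192.168.1.254 200
"""
# Constructed sample: two entries quoted in the thread plus one invented
# entry (172.16.5.0) that has no route statement at all.
SAMPLE_RIB = """\
S 10.0.0.0 255.255.255.0 [1/0] via 192.168.2.1, outside2
S 192.168.100.0 255.255.255.0 [200/0] via 192.168.1.254, WAN
S 172.16.5.0 255.255.255.0 [1/0] via 192.168.2.1, outside2
"""

def parse_config(show_run_route):
    """Map (net, mask, gateway, interface) -> configured distance."""
    cfg = {}
    for line in show_run_route.splitlines():
        m = ROUTE_CFG.match(line.strip())
        if m:
            ifc, net, mask, gw, dist = m.groups()
            # The distance defaults to 1 when it is omitted.
            cfg[(net, mask, gw, ifc)] = int(dist) if dist else 1
    return cfg

def audit(show_run_route, show_route):
    """Return (rib_line, reason) for statics the config does not explain."""
    cfg = parse_config(show_run_route)
    findings = []
    for line in show_route.splitlines():
        m = ROUTE_RIB.match(line.strip())
        if not m:
            continue  # legend lines, connected routes, other protocols
        net, mask, ad, gw, ifc = m.groups()
        key = (net, mask, gw, ifc)
        if key not in cfg:
            findings.append((line.strip(), "no matching route statement"))
        elif cfg[key] != int(ad):
            findings.append(
                (line.strip(), f"configured distance {cfg[key]}, installed {ad}"))
    return findings
```

A finding means the entry was installed by something other than the matching `route` statement, so the next place to look is features that inject statics, such as `set reverse-route` on a crypto map.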
08-21-2014 12:11 AM
Please show the complete output of show run route and show route.
08-20-2014 07:21 AM
On the ASA it works similarly to the router. Here is an example:
I configured the route with an AD of 200:
route WAN 192.168.100.0 255.255.255.0 192.168.1.254 200
And a show route reflects that config:
S 192.168.100.0 255.255.255.0 [200/0] via 192.168.1.254, WAN
But this route is only visible with "show route" if it gets installed in the routing table. That means, if there is a better route to that network, this route is not there.