
Cisco ASA static route Administrative Distance

Samir Aliyev
Level 1

Hello Dear Engineers,

In Cisco ASA version 8.2(5) I configured a floating static route with a different administrative distance (for example, 10), but IOS cannot accept this parameter. To verify, the show route command output shows the administrative distance as 1.

Configuration example:

ip route 10.0.0.0 255.255.255.0 192.168.1.1 1 track 1

ip route 10.0.0.0 255.255.255.0 192.168.2.1 10 

 

S   10.0.0.0 255.255.255.0 [1/0] via 192.168.2.1, outside2

 

Is this a bug in IOS, or maybe I misconfigured something?

 

 

Thanks in advance.

 

 

Accepted Solutions

Hi Samir,

Even PIX version 8.0 shows the correct AD value defined... it might be a bug or a misconfiguration on your end.

pixfirewall(config-if)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 1.1.1.2 to network 0.0.0.0

C    1.1.1.0 255.255.255.0 is directly connected, out1
C    2.2.2.0 255.255.255.0 is directly connected, out2
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, out1
pixfirewall(config-if)# shut
pixfirewall(config-if)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.2.2 to network 0.0.0.0

C    2.2.2.0 255.255.255.0 is directly connected, out2
S*   0.0.0.0 0.0.0.0 [100/0] via 2.2.2.2, out2
pixfirewall(config-if)#

 

Regards

Karthik

 


11 Replies

Richard Burts
Hall of Fame

I doubt that it is a bug. I see at least two ways in which you have misconfigured something.

- configuring a static route on the ASA requires that you specify the outbound interface in the ip route command, which you have not done.

- I have checked the config guide of 8.2 and I do not find any option for track which is part of the config that you show.

 

Given that the config statements that you show are invalid on ASA I am not clear how the entry got into the routing table of the ASA and whether it was entered with distance of 10 or not. I did find this example in the documentation which seems to indicate that a static correctly configured with a higher distance will have that distance show up in the output of show route

S 10.1.1.0 255.255.255.0 [3/0] via 10.86.194.1, outside

 

HTH

 

Rick


Hi Rick,

route-tracking is also available in 8.2 (if I remember right, it was added to ASA v7.2):

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_static.html#wp1119813

Karsten

 

Thank you for adding something that I did not know about the ASA - and +5 for the contribution. When I looked in the config guide I did not see the track option in the explanation of configuring static routes. I see that I should have looked further and found the later section that discussed how to add the track feature to a static route.

 

HTH

 

Rick


Sorry.

Here I typed the static routing commands manually and forgot about the interfaces:

 

route outside1 10.0.0.0 255.255.255.0 192.168.1.1  1  track 1

route outside2 10.0.0.0 255.255.255.0 192.168.2.1  10

That's exactly how it should work. Please show the resulting routing table.

S   10.0.0.0 255.255.255.0 [1/0] via 192.168.2.1, outside2

1. After the primary link goes down, the route through the backup link comes up. That is okay.

BUT

It seems the ASA could not accept the administrative distance parameter for the backup route, whose AD is 10.

It must be shown as [10/0].

 

Hi Samir,

 

It happens as you expect when you configure the backup route for the same interface... with AD... If you do that for a backup interface, say outside2 as per your scenario, it will take it as 1... since you do not have any other default route for the outside2 interface... It considers it as per the standard... Hope it clarifies your doubt... All based on assumption... but it does not happen in version 8.4... even it shows the backup route... it shows with the defined AD.

 

 

Regards

Karthik


Dears, 

I've found the root cause.

The root cause was Reverse Route Injection for the site-to-site VPN.

Static routes for the interesting remote LAN subnets (10.0.0.0/24) were added automatically to the routing table by the crypto map RRI feature.

So I deleted the 'crypto map outside_map 1 set reverse-route' command.

And the problem has been solved.

 

Thank you all.  

Sorry for the inconvenience.

 

Please show the complete output of show run route and show route.

On ASA it works similar as on the router. Here is an example:

I configured the route with an AD of 200:

route WAN 192.168.100.0 255.255.255.0 192.168.1.254 200

And a show route reflects that config:

S    192.168.100.0 255.255.255.0 [200/0] via 192.168.1.254, WAN

But this route is only visible with "show route" if it gets installed in the routing table. That means, if there is a better route to that network, this route is not there.
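An added example, not part of the original thread and not Cisco code: a short Python check that compares `show run route` with the static entries in `show route` and flags any installed static route that has no matching `route` statement or whose AD differs from the configured one, which is how the RRI-injected route in this thread showed up. The sample input is constructed from lines quoted in the thread, and all function names are hypothetical.

```python
import re

# ASA config line: route <if> <net> <mask> <gw> [distance] [track <id>]
CFG_RE = re.compile(
    r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?(?:\s+track\s+\d+)?$")
# Static entry in "show route": S[*] <net> <mask> [AD/metric] via <gw>, <if>
TBL_RE = re.compile(
    r"^S\*?\s+(\S+)\s+(\S+)\s+\[(\d+)/\d+\]\s+via\s+([\d.]+),\s*(\S+)$")

def parse_config(text):
    """Map (net, mask, gateway, interface) -> configured AD."""
    routes = {}
    for line in text.splitlines():
        m = CFG_RE.match(line.strip())
        if m:
            ifc, net, mask, gw, dist = m.groups()
            # The ASA uses AD 1 when no distance is given on the route command.
            routes[(net, mask, gw, ifc)] = int(dist) if dist else 1
    return routes

def parse_table(text):
    """Return [((net, mask, gateway, interface), installed AD), ...]."""
    entries = []
    for line in text.splitlines():
        m = TBL_RE.match(line.strip())
        if m:
            net, mask, ad, gw, ifc = m.groups()
            entries.append(((net, mask, gw, ifc), int(ad)))
    return entries

def audit(config_text, table_text):
    """Flag installed statics that the route statements do not explain."""
    cfg, findings = parse_config(config_text), []
    for key, ad in parse_table(table_text):
        if key not in cfg:
            findings.append((key, ad, None, "no matching route statement"))
        elif cfg[key] != ad:
            findings.append((key, ad, cfg[key], "installed AD differs from config"))
    return findings

# Constructed sample, assembled from lines quoted in the thread.
SAMPLE_CONFIG = """route outside1 10.0.0.0 255.255.255.0 192.168.1.1  1  track 1
route outside2 10.0.0.0 255.255.255.0 192.168.2.1  10
route WAN 192.168.100.0 255.255.255.0 192.168.1.254 200"""
SAMPLE_TABLE = """S   10.0.0.0 255.255.255.0 [1/0] via 192.168.2.1, outside2
S    192.168.100.0 255.255.255.0 [200/0] via 192.168.1.254, WAN"""

if __name__ == "__main__":
    for key, installed, configured, reason in audit(SAMPLE_CONFIG, SAMPLE_TABLE):
        print(key, "installed AD", installed, "configured AD", configured, "-", reason)
```

A flagged entry means the route came from something other than the `route` statement, so the next place to look is any feature that installs static routes on its own, such as the crypto map `set reverse-route` setting found here.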
