ASA1100: Why are there two routes to 0.0.0.0? Which is used?

Hello.

(obfuscated)
ASA1100#sh route static
Gateway of last resort is 63.229.172.2 to network 0.0.0.0

S 172.16.0.0 255.255.0.0 [1/0] via 172.16.99.1, inside
S 0.0.0.0 0.0.0.0 [255/0] via 172.16.99.1, inside tunneled
---
# sh route 0.0.0.0 0.0.0.0

Routing entry for 0.0.0.0 0.0.0.0, supernet
Known via "eigrp 1", distance 170, metric 51712, candidate default path
 type external
Redistributing via eigrp 1
Last update from 63.229.172.2 on outside1, 782:33:53 ago
Routing Descriptor Blocks:
* 63.229.172.2, from 63.229.172.2, 782:33:53 ago, via outside
Loading 1/255, Hops 1
S 0.0.0.0 0.0.0.0 [255/0] via 172.16.99.1, inside tunneled

QUESTIONS:

Why are there two routes to 0.0.0.0? 

Which route is used for non-tunneled traffic?

Which route is used for L2L tunneled traffic?

Thank you.

1 Accepted Solution

Accepted Solutions

@Giuseppe Larosa >>> The floating static route with AD 255 is strange <<<
look at this post: Solved: Routes with a 255 administrative distance are considered unreachable? - Cisco Community
ASA behaves differently and considers an administrative distance (AD) of 255 as the worst AD, but still considers it as valid.

@jmaxwellUSAF look at the same post as above
This different ASA behavior only applies to the ASA tunneled default route feature. The behavior is exactly the same as IOS if the administrative distance is set to 255 on any other route.

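As an added illustration of the point in the accepted answer above (example code written for this thread, not from Cisco or from any poster): a small Python model of how the ASA chooses between the EIGRP-learned default route (AD 170) and the static tunneled default route (AD 255). It parses the thread's obfuscated "sh route" lines, re-typed here as constructed sample input with the EIGRP default written in one-line "show route" form, and resolves a destination twice, once for clear-text traffic and once for traffic decrypted from a VPN tunnel. The selection rule in lookup() (longest prefix first; the tunneled default considered only for decrypted traffic, where it is preferred over the ordinary default) is my reading of Cisco's documentation of the "tunneled" keyword and is an assumption, not output of any ASA command; the interface names and next hops are the ones from the question.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    distance: int        # administrative distance
    metric: int
    next_hop: str
    interface: str
    source: str          # "S" = static, "D EX" = EIGRP external
    tunneled: bool       # ASA "tunneled" default route (AD 255)


# Constructed sample input, re-typed from the thread's obfuscated output.
# The EIGRP default is written in one-line "show route" form.
SHOW_ROUTE = """\
Gateway of last resort is 63.229.172.2 to network 0.0.0.0

S 172.16.0.0 255.255.0.0 [1/0] via 172.16.99.1, inside
S 0.0.0.0 0.0.0.0 [255/0] via 172.16.99.1, inside tunneled
D EX 0.0.0.0 0.0.0.0 [170/51712] via 63.229.172.2, outside
"""

LINE_RE = re.compile(
    r"^(?P<src>[A-Z]+(?: EX)?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+),"
    r"\s+(?P<intf>\S+)(?P<tun>\s+tunneled)?\s*$"
)


def parse_show_route(text: str) -> List[Route]:
    """Parse one-line 'show route' entries; lines that do not match are ignored."""
    routes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        prefix = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}")
        routes.append(Route(prefix, int(m["ad"]), int(m["metric"]),
                            m["nh"], m["intf"], m["src"], bool(m["tun"])))
    return routes


def lookup(routes: List[Route], dst: str, from_vpn_tunnel: bool = False) -> Optional[Route]:
    """Model of ASA route selection (assumption based on the 'tunneled' keyword docs):
    clear-text traffic never uses the tunneled default; decrypted VPN traffic uses a
    more specific ordinary route if one exists, otherwise the tunneled default."""
    ip = ipaddress.IPv4Address(dst)
    matching = [r for r in routes if ip in r.prefix]
    normal = [r for r in matching if not r.tunneled]
    if from_vpn_tunnel:
        specific = [r for r in normal if r.prefix.prefixlen > 0]
        tunneled_defaults = [r for r in matching if r.tunneled]
        pool = specific or tunneled_defaults or normal
    else:
        pool = normal
    if not pool:
        return None
    # Longest prefix wins; ties broken by lowest AD, then lowest metric.
    return max(pool, key=lambda r: (r.prefix.prefixlen, -r.distance, -r.metric))


def describe(route: Optional[Route]) -> str:
    """Render a chosen route in the same style as the 'show route' line it came from."""
    if route is None:
        return "no route"
    flag = " tunneled" if route.tunneled else ""
    return (f"{route.source} {route.prefix} [{route.distance}/{route.metric}] "
            f"via {route.next_hop}, {route.interface}{flag}")


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for dst in ("8.8.8.8", "172.16.5.5"):
        print(f"{dst} clear-text : {describe(lookup(table, dst))}")
        print(f"{dst} from VPN   : {describe(lookup(table, dst, from_vpn_tunnel=True))}")
```

Run as-is it reports the EIGRP default (outside, via 63.229.172.2) for clear-text traffic to 8.8.8.8 and the tunneled static (inside, via 172.16.99.1) for the same destination when it arrives decrypted from a L2L tunnel, while 172.16.5.5 takes the /16 static either way. That is the kind of quick sanity check worth doing before changing either default route: it shows where decrypted VPN traffic will egress, which is exactly the path that should not end up on the outside interface in clear text.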

5 Replies

Giuseppe Larosa
Hall of Fame

Hello @jmaxwellUSAF ,

interesting question

>> Routing entry for 0.0.0.0 0.0.0.0, supernet
Known via "eigrp 1", distance 170, metric 51712, candidate default path

the EIGRP D EX 0.0.0.0/0 is the used one.

The floating static route with AD 255 is strange: in a Cisco router AD 255 is not usable; the last usable value is 254. Here we see 255 and it appears in the routing table with the attribute inside tunneled.

What is sent over the IPSec tunnel depends on your configuration of crypto map if you are using Policy Based VPN.

If you are using a static VTI logical interface, it becomes a route based VPN and the tunnel is used for destination routes pointing to the VTI peer address (I suppose so).

From FDM 7.0 admin guide

"Type—How you will identify which traffic should be sent through the VPN tunnel. Select one of the
following:
• Route Based (VTI)—You will use the routing table, primarily static routes, to define the local and
remote networks that should participate in the tunnel. If you select this option, you must select a
Virtual Tunnel Interface (VTI) as the local VPN access interface. You must also use a static IP
address for the remote end of the tunnel. Ensure that you configure the appropriate static routes and
access control rules for the VTI after you create the VPN connection profile.
• Policy Based—You will specify the local and remote networks directly in the site-to-site VPN
connection profile. This is the classic approach to defining which traffic should be protected by the
VPN tunnel."

Hope to help

Giuseppe


Hello @pieterh ,

thanks for your contribution in this thread, I guessed that AD 255 in ASA could be treated in a different manner.

but the mentioned thread was originated by the same OP @jmaxwellUSAF !

Best Regards

Giuseppe

 

Hi @jmaxwellUSAF

I see only one route. You ran two different commands

show ip route static

and

show ip route 0.0.0.0

But the route you see is the same. Same administrative distance, same gateway, same route. 

 

"I see only one route. You ran two different commands

show ip route static

and

show ip route 0.0.0.0"
--

ASA1100#sh route static

Gateway of last resort is 63.229.172.2 to network 0.0.0.0

S 172.16.0.0 255.255.0.0 [1/0] via 172.16.99.1, inside
S 0.0.0.0 0.0.0.0 [255/0] via 172.16.99.1, inside tunneled

--

The green text states that to get to 0.0.0.0, the path is 63.229.172.2

The red text states that to get to 0.0.0.0, the path is 172.16.99.1

 
