Folks,

I have a problem with an ASA (5520), running asa944-16-smp-k8, not accepting a default route via OSPF. Below is a description of my setup:

Have two internet service providers which connect to the two routers on GI0/0s. Let's call them outside interfaces. Each interface configured as a /30 to the upstream service provider router. My routers receive a default route via BGP, and manipulate the AS path via prepend command so that all return traffic goes through a specific provider. Pretty much standard setup.

Behind the routers, I have three devices: two ASA 5525 (in active/standby config), acting as my mail firewall, and an ASA 5520, functioning as a standalone VPN device. All routers (GI0/1s - "internal" interfaces), and ASA's outside interfaces are tied together via OSPF in area 0. Both routers redistribute the default route from BGP  via redistibute OSPF command. I preference my preferred route using higher metrics on the injected route. As a result, I have two 0.0.0.0 routes on my firewalls, with only one being active. This is the intended behavior, and it works well if I need to failover onto another provider. But, my VPN router does not have any default routes. It participates in OSPF, can see all neighbors and is receiving the LSAs. The only config difference between the VPN ASA and the firewall ASA is that the firewall, being my gateway for all outbound traffic, has default-information originate configured. Since my VPN ASA handles only VPN traffic, I never needed it to be a default gateway...

So my question is whether I need to configure default-information originate configured on the VPN ASA in order for it to receive the distributed  default routes. And if it is so, how should I set up the metric on it so that its outside interface never becomes the default gateway.

Thank you,   Paul