Gateway of last resort is not set

I have a tricky problem, hopefully someone can shed some light on it.

We routed our internal network traffic from one of our main layer 3 switches, to a new firewall, instead of the one it was using for a long time. All I did on the L3 switch was remove the old static route to the old firewall and add the new static route pointing to the new firewall as the default route. For example: (IP Addresses are examples)

no ip route

ip route

Everything is working fine and everyone can get to the internet, no problems at all.

Here's the tricky part:

Later on, on the old firewall (ASA), I shut down the outside interface; there is nothing going through this firewall anymore since everything is being routed to the new firewall. As soon as I shut the interface down, I was getting reports of users in different locations not being able to reach the internet. I noticed that on one of our layer 3 switches, when I did a "sh ip route", I saw the following:

"Gateway of last resort is not set"

"Then a list of all our internal network listed below here using O and O E2.."

So, internal routing was fine, but anything outside of that (internet) had no gateway.

As soon as I did a "no shut" on the ASA's outside interface and looked on one of the layer 3 switches the default gateway came back:

Gateway of last resort is to network

O*E2 [110/1] via, 00:00:21, Vlan5

"Then a list of all our internal network listed below here using O and O E2.."


On the ASA's outside interface is:

interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address
 ospf cost 10
 ospf network point-to-point non-broadcast

Also, on the ASA:

#sh run router

router ospf 1
 network area 0
 area 0
 default-information originate
router rip
 passive-interface dmz
 passive-interface outside


How is turning off the ASA's outside interface removing the default gateway from the layer 3 switches?




Accepted Solutions

Hello tolinrome,

the old ASA OSPF configuration has the following command:


router ospf 1

>>default-information originate


In your previous setup the old ASA was in charge of generating an OSPF default route that is injected into the OSPF domain and installed in all downstream (more internal) switches.

When you shut the outside interface on the old ASA, the local default route is removed and the old ASA will remove the LSA type 5.

So you have two options:

Either you make the new firewall take part in OSPF and generate the default route like the old ASA did up to now,

or you apply the default-information originate command in router ospf mode on the L3 switch directly connected to the new firewall.


Hope to help
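
A pre-change check for the failure described in the accepted answer, as an added example that is not part of the original thread: it reads "show ip route" output to see where a switch's default route comes from, and "show ip ospf database external" output to see whether the only router advertising the default is the device about to be shut. The sample output, the addresses and all function names are constructed for illustration; retiring_router_id is assumed to be the OSPF router ID of the old firewall.

```python
import re

# Default-route line of "show ip route", e.g. "O*E2  0.0.0.0/0 [110/1] via ..."
DEFAULT_RE = re.compile(
    r"^[ \t]*(?P<code>[A-Z])\*(?P<sub>[A-Z][A-Z0-9])?\s+0\.0\.0\.0/0\s+"
    r"\[\d+/\d+\]\s+via\s+[\d.]+", re.MULTILINE)
# External LSA for 0.0.0.0 in "show ip ospf database external", with advertiser
LSA_RE = re.compile(
    r"Link State ID:\s*0\.0\.0\.0\b.*?Advertising Router:\s*(?P<adv>[\d.]+)",
    re.DOTALL)

def default_origin(show_ip_route):
    """Return 'static', 'ospf-external', 'other', or None if no default route."""
    m = DEFAULT_RE.search(show_ip_route)
    if m is None or "Gateway of last resort is not set" in show_ip_route:
        return None
    if m["code"] == "S":
        return "static"
    if m["code"] == "O" and m["sub"] in ("E1", "E2"):
        return "ospf-external"
    return "other"

def default_originators(show_ospf_external):
    """Router IDs currently advertising an external LSA for 0.0.0.0."""
    return sorted({m["adv"] for m in LSA_RE.finditer(show_ospf_external)})

def verdict(show_ip_route, show_ospf_external, retiring_router_id):
    """Does this switch keep a default route once the retiring device is shut?"""
    origin = default_origin(show_ip_route)
    if origin is None:
        return "no-default"
    if origin != "ospf-external":
        return "independent"   # e.g. a local static route
    others = set(default_originators(show_ospf_external)) - {retiring_router_id}
    return "redundant" if others else "at-risk"

# Constructed sample output (documentation addresses, not from the thread).
ROUTES_DOWNSTREAM = """Gateway of last resort is 192.0.2.254 to network 0.0.0.0
O*E2  0.0.0.0/0 [110/1] via 192.0.2.254, 00:00:21, Vlan5
O     198.51.100.0/24 [110/2] via 192.0.2.254, 00:10:02, Vlan5
"""
ROUTES_EDGE = """Gateway of last resort is 203.0.113.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 203.0.113.1
"""
OSPF_EXTERNAL = """  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 192.0.2.1
"""
if __name__ == "__main__":
    for routes in (ROUTES_DOWNSTREAM, ROUTES_EDGE):
        print(verdict(routes, OSPF_EXTERNAL, "192.0.2.1"))
```

A switch reported as at-risk is one that would show "Gateway of last resort is not set" after the shutdown, which is the symptom in the question.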






Did you issue "sh ip route" after changing the static route?

Did it show the new gateway of last resort?