10-25-2023 10:33 AM - last edited on 10-27-2023 02:32 AM by Translator
Hello.
When an AnyConnect endpoint runs a traceroute to 172.25.1.1, it exits the ASA5525 public outside interface (which is the 0.0.0.0 0.0.0.0 LAN default route). (The tunneled default route is 172.16.x.x = inside interface.)
ASA5525# sh route 172.25.1.1
Routing entry for 172.25.0.0 255.255.0.0
  Known via "eigrp 1", distance 170, metric 282112, type external
  Redistributing via eigrp 1
  Last update from 172.16.28.66 on inside,
  Routing Descriptor Blocks:
  * 172.16.28.66, from 172.16.28.66, 0:59:30 ago, via inside
ASA5525# sh route
!! output pruned. !!
Gateway of last resort is 60.1.6.5 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 65.51.196.65, outside
D EX 172.25.0.0 255.255.0.0
[170/282112] via 172.16.28.66, inside
S 0.0.0.0 0.0.0.0 [255/0] via 172.16.1.1, inside tunneled
ASA5525# traceroute 172.25.1.1
1 172.16.28.66 1 msec 1 msec 1 msec
3 172.25.1.1 11 msec 10 msec 10 msec
trace complete.
=====
My workstation WebVPN connection through this ASA5525...
>TRACERT 172.25.1.1
1 13 ms * 13 ms 60.1.6.5
2 26 ms 25 ms 30 ms 172.25.1.1
QUESTION: Why does my WebVPN-connected workstation route to this 172.25.1.1 destination through the ASA outside interface, instead of the listed route through the inside interface?
Thank you.
10-26-2023 08:30 AM - last edited on 10-27-2023 02:33 AM by Translator
Perhaps there is something I am not understanding in your situation. But it seems to me that the explanation is that the workstation is reaching your ASA using an encrypted tunnel and that the
outside interface
is where the tunnel connects.
10-26-2023 08:48 AM - last edited on 10-27-2023 04:40 AM by Translator
So you are saying that ...
workstation>TRACERT 172.25.1.1
1 13 ms * 13 ms 60.1.6.5
2 26 ms 25 ms 30 ms 172.25.1.1
---
...60.1.6.5 is the first hop into the LAN. Well then, as seen in the ASA traceroute...
---
ASA5525# traceroute 172.25.1.1
1 172.16.28.66 1 msec 1 msec 1 msec
3 172.25.1.1 11 msec 10 msec 10 msec
trace complete.
---
...Why doesn't 172.16.28.66 appear in the workstation traceroute?
(This is an important hop in the circuit: it is a DMVPN tunnel. I need to confirm that this AnyConnect traffic is traversing this DMVPN tunnel.)
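A small parser for the two traceroute formats quoted in this thread, added here as an example; it is not part of the original posts and is not Cisco or Microsoft tooling. It takes the Cisco-style output of the ASA's `traceroute` and the Windows `TRACERT` listing (the hop lines are the ones pasted above; the `Tracing route to` header is the standard tracert preamble, reconstructed so the parser sees a realistic listing), extracts hop number and responding address from each, reports skipped hop numbers (the ASA listing jumps from hop 1 to hop 3), lists which responders appear on only one side, and answers the yes/no question of whether a given address (here the inside next hop 172.16.28.66 from `sh route`) answered any probe. Function and constant names are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed inputs: the two listings pasted earlier in this thread. The
# "Tracing route to" header is the standard Windows tracert preamble, added
# so the parser is exercised against a realistic listing.
ASA_TRACE = """\
ASA5525# traceroute 172.25.1.1
1 172.16.28.66 1 msec 1 msec 1 msec
3 172.25.1.1 11 msec 10 msec 10 msec
trace complete.
"""

WORKSTATION_TRACE = """\
Tracing route to 172.25.1.1 over a maximum of 30 hops

1 13 ms * 13 ms 60.1.6.5
2 26 ms 25 ms 30 ms 172.25.1.1

Trace complete.
"""

DMVPN_PEER = "172.16.28.66"  # inside next hop shown by "sh route 172.25.1.1"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOP_LINE = re.compile(r"^\s*(\d{1,3})\s+(.+)$")  # leading hop number, then the rest


def parse_trace(text: str) -> Dict[int, Optional[str]]:
    """Map hop number -> responding address (None when every probe timed out).

    Works for Cisco traceroute (address first, RTTs after) and Windows tracert
    (RTTs first, address last) because it keys on the leading hop number and
    takes the last dotted-quad on the line; "msec"/"ms"/"*" tokens never match.
    """
    hops: Dict[int, Optional[str]] = {}
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # prompt, header, blank and "trace complete" lines
        addrs = IPV4.findall(m.group(2))
        hops[int(m.group(1))] = addrs[-1] if addrs else None
    return hops


def skipped_hop_numbers(hops: Dict[int, Optional[str]]) -> List[int]:
    """Hop numbers missing from the listing, e.g. [2] for the ASA output above."""
    if not hops:
        return []
    return [n for n in range(1, max(hops) + 1) if n not in hops]


def compare_paths(a: Dict[int, Optional[str]],
                  b: Dict[int, Optional[str]]) -> Tuple[List[str], List[str]]:
    """(addresses seen only in a, addresses seen only in b), ignoring position."""
    seen_a = {ip for ip in a.values() if ip}
    seen_b = {ip for ip in b.values() if ip}
    return sorted(seen_a - seen_b), sorted(seen_b - seen_a)


def hop_visible(hops: Dict[int, Optional[str]], address: str) -> bool:
    """True if `address` answered any probe in the listing."""
    return address in hops.values()


if __name__ == "__main__":
    asa = parse_trace(ASA_TRACE)
    ws = parse_trace(WORKSTATION_TRACE)
    print("ASA skipped hops:", skipped_hop_numbers(asa))
    print("only ASA / only workstation:", compare_paths(asa, ws))
    print("DMVPN peer visible from workstation:", hop_visible(ws, DMVPN_PEER))
```

One caveat on reading the result: an address that is absent from a traceroute listing has not been shown to be off the path. A router that does not return ICMP Time Exceeded, or a tunnel that carries the probe encapsulated so the underlay never sees its TTL, both leave a blank. The comparison tells you which device to check (for instance the tunnel interface counters or a capture on the DMVPN peer), not what the packet did.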
10-26-2023 12:31 PM - last edited on 10-27-2023 02:36 AM by Translator
The original question was why tracert from the workstation used the ASA outside as its next hop. I believe that my suggestion addresses that. Now the question becomes why tracert from the workstation sees 172.25.1.1 without seeing 172.16.28.66. I do not know enough about your environment to have an explanation for that.
10-26-2023 07:33 PM
I am glad that my suggestion about the first question was helpful. Thank you for marking it as solved. I am sorry that we did not make progress on the second question but realize that explaining the details of your environment might have exposed some sensitive information that is not appropriate in a public forum like this.