12-27-2012 12:30 PM - edited 03-07-2019 10:48 AM
Hi,
I have an MPLS-connected router, using BGP to learn about other MPLS sites. This BGP information is redistributed into an OSPF instance between that router and an ASA. The problem I'm having is that a network route in the ASA is NOT correct.
192.168.4.0/24 is a subnet across the MPLS, and the ASA should see this as an E2 route via OSPF, but in fact it shows up as a static route with a next hop of the outside interface, the cable modem ISP.
I have tried to clear the OSPF process, to no avail. When I try to create a faux static route for the 192.168.4.0/24 network, I can't because a route is already "in place" (but not in the running-config).
I have scheduled a reboot of the ASA for tomorrow, but in the meantime, my curiosity has brought me here.
P.S. Other MPLS-connected sites are operational, meaning those subnets show up as E2 learned routes in the ASA routing table. The next hop for destination 192.168.4.0/24 should be my MPLS router, 192.168.2.1, just like the other working MPLS sites. After running a traceroute on the ASA, the next hop is my cable modem default gateway.
TO MAKE A LONG STORY SHORT: I can't remove a "static" route from the ASA that doesn't exist in the config to begin with?!?!?!
Will post results tomorrow, after the reboot.
12-27-2012 08:30 PM
It could be coming from a DHCP pool used for VPN clients.
12-28-2012 01:34 PM
Rebooting did not change the routing table. I don't know why it shows up as static. I was thinking it's because there is a VPN tunnel configured for that subnet, as a backup. But the next hop is still the ISP, and not the MPLS router. I looked into the OSPF database, and I do see 192.168.4.0/24 as an external network in OSPF, but the static entry still shows up in the routing table of the ASA. This is now an issue as VPN'd users are not able to communicate with that subnet because the next hop is the ISP, when it should be the MPLS router.
12-28-2012 01:51 PM
Hmm, yes VPN-related as I suspected.
I think the problem is that even if you don't enable Reverse Route Injection (RRI), the backup route to that remote subnet is present in the ASA routing table (albeit not distributed out). Anyone coming in via the ASA itself will see that static route as lowest cost and never even attempt to route out via the proper internal gateway.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml
...mentions this fact.
I'm not positive, but I believe if you set the dynamic crypto map to use RRI it will only inject the route when the backup VPN tunnel is up. Reference:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html#wp1042880
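A constructed ASA configuration excerpt, added here as an illustration of the two RRI placements the reply above contrasts; it is not taken from the thread or from the linked Cisco documentation. The crypto map names (`outside_map`, `outside_dyn_map`), the ACL name `VPN_TO_SITE4`, the transform set name and the peer address 203.0.113.10 are placeholders; the 192.168.4.0/24 prefix is the one from the thread.

```cisco
! Constructed example; map names, ACL, transform set and peer address are placeholders.

! Static crypto map entry with reverse-route: the ASA installs the
! route to the protected subnet (192.168.4.0/24, matched by the ACL)
! as a static route when the entry is configured, regardless of
! whether the tunnel is currently up.
crypto map outside_map 10 match address VPN_TO_SITE4
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 10 set reverse-route

! Dynamic crypto map entry with reverse-route: the route is injected
! only while a security association with the remote peer exists, so
! the OSPF E2 route via the MPLS router is used whenever the backup
! tunnel is down.
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-AES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! Checks: which route is active for the subnet, and whether a
! security association with the backup peer is currently established.
show route 192.168.4.0 255.255.255.0
show crypto ipsec sa peer 203.0.113.10
```

Comparing the output of the two `show` commands before and after bringing the backup tunnel down is the quickest way to confirm whether the route in the table is tied to the VPN configuration rather than to OSPF.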