OSPF and Static Routes on ASA

Eric Glodowski
Level 1

Hi,

I have an MPLS connected router, using BGP to learn about other MPLS sites.  This BGP information is redistributed into an OSPF instance between that router and an ASA.  The problem I'm having is that a network route in the ASA is NOT correct.

192.168.4.0/24 is a subnet across the MPLS, and the ASA should see this as an E2 route via OSPF, but in fact, it shows up as a static route with a next hop of the outside interface, cable modem ISP.

I have tried to clear the ospf process, to no avail.  When I try to create a faux static route for the 192.168.4.0/24 network, I can't because a route is already "in place" (but not in the running-config).

I have scheduled a reboot of the ASA for tomorrow, but in the meantime, my curiosity has brought me here.

P.S.  Other MPLS connected sites are operational, meaning those subnets show up as E2 learned routes in the ASA routing table.  The next hop for destination 192.168.4.0/24 should be my MPLS router, 192.168.2.1, just like the other working MPLS sites.  After running a traceroute on the ASA,  the next hop is my cable modem default gateway.

TO MAKE A LONG STORY SHORT:  I can't remove a "static" route from the ASA that doesn't exist in the config to begin with?!?!?!

Will post results tomorrow, after the reboot.

Marvin Rhoads
Hall of Fame

It could be coming from a DHCP pool used for VPN clients.

Rebooting did not change the routing table.  I don't know why it shows up as static.  I was thinking because there is a VPN tunnel configured for that subnet, as a backup.  But the next hop is still the ISP, and not the MPLS router.  I looked into the OSPF database, and I do see 192.168.4.0/24 as an external network in OSPF, but the static entry still shows up in the routing table of the ASA.  This is now an issue as VPN'd users are not able to communicate with that subnet because the next hop is the ISP, when it should be the MPLS router.

Hmm, yes VPN-related as I suspected.

I think the problem is that even if you don't enable Reverse Route Injection (RRI), the backup route to that remote subnet is present in the ASA Routing table (albeit not distributed out). Anyone coming in via the ASA itself will see that static route as lowest cost and never even attempt to route out via the proper internal gateway.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

...mentions this fact.

I'm not positive; but I believe if you set the dynamic crypto map to use RRI it will only inject the route when the backup VPN tunnel is up. Reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html#wp1042880
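As an added illustration of the change the reply above suggests (this is example configuration written for this thread, not taken from the original poster's ASA or from Cisco's documentation), the fragment below shows a dynamic crypto map first without and then with reverse route injection, followed by the commands used to confirm which source the ASA installed the 192.168.4.0/24 route from. The map names (outside_dyn_map, outside_map), the transform set name and the sequence numbers are assumed placeholders; the MPLS router address 192.168.2.1 is the one given in the thread. Whether enabling RRI on the dynamic map actually resolves the original poster's problem is the reply's hypothesis, not something this thread confirms.

```cisco
! Added example for this thread, not the poster's configuration.
! Map names, transform set and sequence numbers are assumed placeholders.

! Before: dynamic crypto map for the backup tunnel with no reverse-route
! injection configured. The reply above suspects the backup route for the
! remote subnet still sits in the routing table in this state.
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! After: RRI enabled on the dynamic map, so the route for the remote
! subnet is expected to be injected only while the tunnel is up.
crypto dynamic-map outside_dyn_map 10 set reverse-route

! Verify which source the installed route comes from. With the tunnel
! down the expected entry is the OSPF external route via the MPLS router,
! e.g. "O E2 192.168.4.0 255.255.255.0 [110/20] via 192.168.2.1, inside",
! not "S 192.168.4.0 255.255.255.0 ... outside".
show route | include 192.168.4
show ospf database external
show crypto ipsec sa
```

The reason the static entry wins whenever it is present is administrative distance: an ASA static route carries AD 1 while OSPF routes carry AD 110, so the routing table prefers the static entry regardless of the OSPF external LSA being in the database, which is exactly the mismatch the original poster observed between show ospf database and the routing table.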
