06-10-2025 03:54 AM - last edited on 06-10-2025 05:35 AM by rupeshah
When you set up a policy-based Site-to-Site VPN tunnel with ASA/FTD on one side or both, the firewall automatically injects a V route for the remote prefix into the routing table.
If this tunnel is up, traffic flows as expected. But if the tunnel is down for some reason, would this V route be withdrawn from the routing table, or would this V route persist in the routing table?
I remember the behaviour being that the firewall removes the V route if the policy-based VPN tunnel is down. But with FTD v7.2, it seems like the V route persists. Did the behaviour change between versions?
06-19-2025 12:43 PM
Hi,
Do you use any routing protocol, or do you use IKEv2 to inject the prefix?
MHM
06-22-2025 12:18 PM
Hello dear,
The V route is usually added by default once you use the reverse-route command in your crypto map configuration.
If this route causes any issues for your setup, you have two options:
1 - Remove the reverse-route command, add a static route manually, and link it to an IP SLA so it is removed once the remote peer goes down.
2 - Recommended setup: convert it to a route-based VPN (SVTI).
Let me know if that answers your question.
Thanks and good luck
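Option 1 from the reply above, written out as an added ASA CLI example (this is not configuration posted by anyone in the thread). The crypto map name, ACL name, proposal name, the peer address 203.0.113.10, the outside next hop 198.51.100.1 and the remote prefix 10.20.0.0/16 are all assumed placeholders; substitute your own. The probe targets the peer's public address, which is reachable without the tunnel, so that the tracked route does not depend on itself.

```cisco
! --- Before: reverse route injection (RRI) on the crypto map ---
! With "set reverse-route" the firewall installs the V route for the
! remote proxy ID (10.20.0.0/16) itself.  All names/addresses are assumed.
crypto map OUTSIDE_MAP 10 match address ACL_VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
!
! --- After: replace RRI with a static route tied to an IP SLA probe ---
! 1. Stop the crypto map from injecting the V route.
no crypto map OUTSIDE_MAP 10 set reverse-route
!
! 2. ICMP-probe the peer's public address every 5 s.  Do not probe an
!    address behind the tunnel: that probe would depend on the very
!    route it is meant to control.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.10 interface outside
 frequency 5
 timeout 1000
 threshold 500
sla monitor schedule 1 life forever start-time now
!
! 3. Track reachability of the probe.
track 1 rtr 1 reachability
!
! 4. Static route for the remote prefix via the outside next hop; the
!    route is withdrawn from the RIB while track 1 is down and
!    re-installed when the probe succeeds again.
route outside 10.20.0.0 255.255.0.0 198.51.100.1 1 track 1
```

To confirm the behaviour, shut the peer down (or block the probe) and compare `show track 1` and `show route | include 10.20.0.0` before and after: the route should disappear while the track reports "Reachability is Down" and return when it is up. On FTD the same pieces are configured from FMC as an SLA Monitor object attached to the static route rather than from this CLI.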
06-27-2025 10:36 AM
In policy-based VPNs on ASA/FTD, the V route is typically removed when the tunnel goes down—especially when using reverse-route injection. However, with FTD v7.2, the route may persist, suggesting a change in behavior. You can manage this by either removing the reverse-route and using static routes with IP SLA or switching to a route-based VPN using SVTI for better control.