Thank you for your reply.

"why are the anyconnect users (10.2.200.x) on the inside interface?" --The 10.2.200.x subnet is the subnet assigned to AnyConnect VPN connections. (by the way, there exists a split-tunnel config, but I don't think that is relevant here.)

What is wrong with AnyConnect users being on the inside interface? Where should they be?

How should routing be configured?

(Would it be best to share with you some config output?)

Thank you.

@jmaxwellUSAF the anyconnect users connect to the outside interface. You'd not connect to the VPN if you were connected to the inside interface, that's the trusted network!

The ASA doesn't need a route to the anyconnect ip pool via the inside network, if that's what you've configured.

Yes share some configuration.

I don't understand how the routing should be configured here.

What commands should I run to display helpful data here?

you dont need any route for anyconnect, when you anyconnect is active the route with /32 is add to ASA routing table with egress interface is OUTside, 
@Rob Ingram mention why these anyconnect is source from INside not from OUTside ?
you have issue in routing, did you check my link ? I think you dont. 

Hi MHM. I thought your idea was different than Rob's idea. I did check that link. I was exploring Rob's first. Now I understand that both 2 ideas may be connected.

@jmaxwellUSAF the ASA does not need a route to the anyconnect VPN pool as that network is local to the ASA. Only the other network devices need to know how to reach the anyconnect VPN pool network via the ASA, usually via the default route if the ASA is egress for the local network.

Provide your running configuration, else at minimum the output of your routing table.

Two ASA-5525 are in HA pair.

Two Nexus are standalone, connected with port channel between eachother, and have HSRP config

(10.2.222.1 is virtual HSRP ip for both Nexus)

10.2.222.2 is Vlan 888 interface on PRIMARY Nexus.

10.2.222.3 is Vlan 888 interface on SECONDARY Nexus.

--10.2.200.x is Anyconnect subnet --

Please let me know if below looks correctly configured. Thank you.

---

ASA-5525# sh route 10.2.200.0 255.255.255.0

Routing entry for 10.2.200.0 255.255.255.0
Known via "static", distance 1, metric 0
Redistributing via eigrp 1
Advertised by eigrp 1 metric 500000 1 255 1 1500
Routing Descriptor Blocks:
* 10.2.222.3, via Inside
Route metric is 0, traffic share count is 1
10.2.222.2, via Inside
Route metric is 0, traffic share count is 1
S 0.0.0.0 0.0.0.0 [255/0] via 10.2.222.1, Inside tunneled
===

ASA-5525# sh route

S 10.2.200.0 255.255.255.0 [1/0] via 10.2.222.3, Inside
[1/0] via 10.2.222.2, Inside
V 10.2.200.2 255.255.255.255 connected by VPN (advertised), Outside
V 10.2.200.3 255.255.255.255 connected by VPN (advertised), Outside
V 10.2.200.4 255.255.255.255 connected by VPN (advertised), Outside

@jmaxwellUSAF like I said remove the route from the ASA to 10.2.200.0/24 for the anyconnect VPN pool via the inside interface. That network exists on the ASA itself not on the inside network.

(If I don't do this correctly, all VPN users (a lot of workers) will be basically offline.)

So If i simply only remove...

S 10.2.200.0 255.255.255.0 [1/0] via 10.2.222.3, Inside

... the ASA will naturally then route traffic destined to 10.2.200.0 to the outside interface?

Is that it? Nothing else needs to be configured? 

The anyconnect active will appear as 

10.2.200.0/32 if there is no active anyconnect then this subnet will not appear in your RIB.

You have three active anyconnect show in your rib' make show vpn-sessiondb and check that.

@jmaxwellUSAF I appreciate it's your risk, if you are concerned make the change OOH in a change window.

The 10.2.200.0 exists on the ASA itself, connections from that anyconnect IP pool would normally be sent from the outside interface, hence my first comment indicating this as the potential problem.

Out of curiousity, are you redistributing the static route for 10.2.200.0 into a routing protocol? And using RRI?

"Out of curiousity, are you redistributing the static route for 10.2.200.0 into a routing protocol?"

YES. via EIGRP. 

The default gateway for the ASA is the next hop out of the external interface.

BUT

Our DMVPN router's default gateway DOES NOT cross the ASA, instead it goes directly to the ISP router.

So then, return traffic will have an asymmetric route. Will this cause issues?, such as ASA tcp syn/ack DDOS detection alerts, because the TCP syn/ack will never be detected outgoing on the incoming connections? Is there a best way to config this situation?

Please advise.

Sure there is redistrubte connect in asa will force eigrp redistrubte connect /32 anyconnect prefix appear in asa to all other network.

No need static for vpn pool in that case.