Hi All,
I have found an issue with the routing entry of a remote VPN session on an ASA 5516.
Below is a routing entry that is stuck in the routing table.
I checked the vpn-sessiondb and didn't see it up.
It happens sometimes with some assigned IPs, not all.
Even after clearing the VPN session it is still there. The ASA also has OSPF running, and this routing entry is active to other OSPF neighbors.
V 10.225.20.250 255.255.255.255
connected by VPN (advertised), outside
#sh vpn-sessiondb ra-ikev1-ipsec filter a-ipaddress 10.225.20.250
INFO: There are presently no active sessions of the type specified
###########################################################
And here is the configuration of the remote vpn.
ip local pool CLIENT_POOL 10.225.20.1-10.225.20.254 mask 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
group-policy VPN internal
group-policy VPN attributes
 wins-server value
 dns-server value
 vpn-simultaneous-logins 1
 vpn-session-timeout 1440
 vpn-tunnel-protocol ikev1
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 client-firewall none
crypto ikev1 enable outside-sym
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool CLIENT_POOL
 authentication-server-group RADIUS
 accounting-server-group RADIUS
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 ikev1 pre-shared-key
 isakmp keepalive threshold 10 retry 2
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside-cslox_dynmap 1 set pfs group1
crypto dynamic-map outside-cslox_dynmap 1 set ikev1 transform-set AES256-SHA
crypto dynamic-map outside-cslox_dynmap 1 set reverse-route
crypto map CMAP 65535 ipsec-isakmp dynamic outside-dynmap
crypto map CMAP interface outside
Thank you.
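
Added example, not part of the original post: a Python check that cross-references the VPN-injected (`V`) host routes in the routing table against the assigned IPs of active sessions and reports pool addresses that have a route but no session, which is the condition described above. The `show route` and session text below are constructed samples, and the `Assigned IP :` field layout is an assumption about the session output format.

```python
import ipaddress
import re

# Pool bounds taken from the posted "ip local pool CLIENT_POOL" line.
POOL_FIRST = ipaddress.ip_address("10.225.20.1")
POOL_LAST = ipaddress.ip_address("10.225.20.254")

# Constructed sample of routing-table text; V entries wrap as in the post.
SHOW_ROUTE = """\
O    10.10.0.0 255.255.0.0 [110/20] via 10.1.1.2, 1d02h, inside
V    10.225.20.17 255.255.255.255
       connected by VPN (advertised), outside
V    10.225.20.250 255.255.255.255
       connected by VPN (advertised), outside
C    192.0.2.0 255.255.255.0 is directly connected, outside
"""

# Constructed sample of session output; only "Assigned IP" is parsed.
SHOW_SESSIONS = """\
Username     : user1                  Index        : 41
Assigned IP  : 10.225.20.17           Public IP    : 198.51.100.23
Protocol     : IKEv1 IPsecOverNatT
"""

V_ROUTE = re.compile(r"^V\s+(\d+\.\d+\.\d+\.\d+)\s+255\.255\.255\.255\b", re.M)
ASSIGNED = re.compile(r"Assigned IP\s*:\s*(\d+\.\d+\.\d+\.\d+)")

def vpn_host_routes(route_text):
    """Return the /32 routes flagged V (VPN-injected) in the routing table."""
    return {ipaddress.ip_address(m) for m in V_ROUTE.findall(route_text)}

def active_assigned_ips(session_text):
    """Return the assigned IPs of sessions that are currently up."""
    return {ipaddress.ip_address(m) for m in ASSIGNED.findall(session_text)}

def stale_vpn_routes(route_text, session_text):
    """V routes inside the client pool that no active session owns."""
    orphans = vpn_host_routes(route_text) - active_assigned_ips(session_text)
    return sorted(ip for ip in orphans if POOL_FIRST <= ip <= POOL_LAST)

if __name__ == "__main__":
    for ip in stale_vpn_routes(SHOW_ROUTE, SHOW_SESSIONS):
        print(f"stale VPN route: {ip} (no matching session)")
```

Run periodically against collected output, this flags host routes that are still being advertised to OSPF neighbors after the owning session has gone.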