Routing issue when connected with Anyconnect

jl81
Level 1

Hi,

I have a question regarding routing when connected with Anyconnect.

Consider the diagram below.

Static routes in ASA:

route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
route DMZ 10.0.224.0 255.255.255.0 10.0.200.2 1
route INSIDE 0.0.0.0 0.0.0.0 10.0.10.2 tunneled

All other routes are learned via a routing protocol.

 

A user connected through Anyconnect is unable to reach the 10.0.224.0/24 network. Everything else works fine.

However, if I add the following route to the routing table in the ASA, Anyconnect users are able to reach 10.0.224.0/24:

route INSIDE 10.0.0.0 255.0.0.0 10.0.10.2 1

I don't understand why I need that last static route.

[Screenshot: Skärmavbild 2017-12-06 kl. 19.55.11.png]

 

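The following is an added example, not code from the original post or from Cisco: a plain longest-prefix-match lookup over the four static routes quoted in the question, so you can see which route standard route selection would pick for a VPN client's packet before and after the 10.0.0.0/8 route is added. It assumes (this is the author of the example's simplification, not documented ASA behaviour) that a "tunneled" default route is a candidate only for traffic arriving from a VPN tunnel, that the ordinary default route is a candidate only for other traffic, and that every more specific route is considered for both. Under those assumptions the /24 DMZ route wins for 10.0.224.0/24 in both tables, which is exactly why the observed need for the /8 looks anomalous; on the real device, `show route` and `packet-tracer` are the checks that confirm what the ASA actually selects.

```python
import ipaddress

# Constructed route table, copied from the question's ASA config:
# (interface, prefix, next hop, tunneled flag)
ROUTES_ORIGINAL = [
    ("OUTSIDE", "0.0.0.0/0", "1.1.1.1", False),
    ("DMZ", "10.0.224.0/24", "10.0.200.2", False),
    ("INSIDE", "0.0.0.0/0", "10.0.10.2", True),
]

# Same table plus the summary route the poster had to add
ROUTES_WITH_SUMMARY = ROUTES_ORIGINAL + [
    ("INSIDE", "10.0.0.0/8", "10.0.10.2", False),
]


def lookup(routes, dst, from_vpn):
    """Return (interface, prefix, next_hop) chosen by longest-prefix match.

    Assumption (not a statement about ASA internals): a tunneled default
    route is only a candidate for VPN-sourced traffic, a non-tunneled
    default only for everything else; more specific routes apply to both.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, next_hop, tunneled in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        # Only the default routes carry the tunneled distinction here
        if net.prefixlen == 0 and tunneled != from_vpn:
            continue
        if best is None or net.prefixlen > best[1].prefixlen:
            best = (iface, net, next_hop)
    return (best[0], str(best[1]), best[2]) if best else None


def compare_tables(dst, from_vpn):
    """Show the selected route for one destination in both tables."""
    return {
        "original": lookup(ROUTES_ORIGINAL, dst, from_vpn),
        "with_summary": lookup(ROUTES_WITH_SUMMARY, dst, from_vpn),
    }


if __name__ == "__main__":
    # A VPN client (from_vpn=True) sending to a host in the DMZ subnet
    for table, chosen in compare_tables("10.0.224.5", True).items():
        print(f"VPN -> 10.0.224.5 [{table}]: {chosen}")
    # A VPN client sending to some other 10.x host covered only by defaults / the /8
    for table, chosen in compare_tables("10.0.50.1", True).items():
        print(f"VPN -> 10.0.50.1 [{table}]: {chosen}")
```

Run it and both tables select the DMZ route for 10.0.224.5; the only destination whose selection changes is a 10.x address not covered by a more specific route, which moves from the tunneled default to the /8. If `packet-tracer` on the appliance disagrees with this for the DMZ subnet, that divergence is the thing worth capturing for the bug report Gio suggests below.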
2 Replies

GioGonza
Level 4

Hello @jl81

Based on your comments, I think you are hitting a bug; this is my reasoning:

 

1. The INSIDE tunneled route should send all the traffic to the INSIDE, and for that reason the subnet 10.0.224.0/24 shouldn't go through the DMZ.

2. But according to your example, you add "route INSIDE 10.0.0.0 255.0.0.0 10.0.10.2 1" and everything works with the subnet 10.0.224.0/24. It shouldn't, since we still have the tunneled route, and either way the added route is pointing to another hop instead of the DMZ.

3. The only way it should work is if the routes are taken care of internally, so that no matter whether you come from the INSIDE or the DMZ you can reach 10.0.224.0/24.

In theory you don't need that route, since it is doing the same as the tunneled route, and for that reason I think you are hitting a bug. I was doing research but didn't find anything about it.

 

Can you share part of your configuration so I can recreate this in a lab? It would also be helpful if you share the version you are working on.

 

HTH

Gio

Hello,

I appreciate your reply.

Unfortunately I'm not able to share the config.

I will also do some more research and add to the thread.

Version is 9.4(2) and hardware is 5512-X.