Wrong routing for VPN remote network

sidp (Level 1)

I have some routing problems with my Cisco ASA. The IPsec VPN is up and running, but my ASA sends all packets for the remote network back to the switch instead of into the IPsec VPN. The IPsec session only shows Rx but zero Tx...

[attachment: skizze.PNG]

Switch routing:

S*    0.0.0.0/0 [1/0] via 10.0.1.254

ASA:

S* 0.0.0.0 0.0.0.0 [1/0] via <wan gateway>, WAN
S 10.0.0.0 255.0.0.0 [1/0] via 10.0.0.1, LAN
S 172.16.0.0 255.240.0.0 [1/0] via 10.0.0.1, LAN
S 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.1, LAN

I don't have any problems with other remote-network VPNs.

As soon as I add the following route on the ASA the communication works:

S        192.168.111.0 255.255.255.0 [1/0] via 213.221.255.145, WAN

I know I'm routing the whole 192.168.0.0 network to the switch, but longest prefix match...

Any idea why I have to add an additional route just for this network?

4 Replies

Hi,

This is to be expected. You need this specific route, because this traffic needs to be sent to the outside interface in order to be matched against the crypto ACL, encrypted and then routed over the VPN.

What are the other networks you don’t need to define static routes for? Provide your configuration if necessary.

HTH
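To make the point of the reply above concrete, here is an added Python example (not from the thread or from Cisco) that runs a longest-prefix-match lookup over the ASA routes posted above and reports whether traffic to the remote network would even reach the interface holding the crypto map. The WAN gateway was elided in the post, so 203.0.113.1 stands in as a constructed placeholder, and the crypto ACL (local 10.0.1.0/24 to remote 192.168.111.0/24) is an assumption.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    iface: str

def parse_asa_route(line: str) -> Route:
    # Parses one static entry of ASA 'show route', e.g.
    # 'S 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.1, LAN'
    f = line.split()
    return Route(ipaddress.IPv4Network(f"{f[1]}/{f[2]}"), f[5].rstrip(","), f[6])

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    # Longest-prefix match: the most specific matching route wins
    addr = ipaddress.IPv4Address(dst)
    return max((r for r in table if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)

def classify(table, crypto_iface, crypto_acl, src, dst) -> str:
    # A crypto map only sees packets routed out of its own interface;
    # anything routed elsewhere leaves in cleartext regardless of the ACL.
    route = lookup(table, dst)
    if route is None:
        return "no-route"
    if route.iface != crypto_iface:
        return f"cleartext via {route.iface} ({route.next_hop})"
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if any(s in local and d in remote for local, remote in crypto_acl):
        return "encrypted"
    return f"cleartext via {route.iface} (no crypto ACL match)"

# Routes as posted; 203.0.113.1 is a constructed placeholder for the elided WAN gateway
ASA_ROUTES = [parse_asa_route(l) for l in """
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, WAN
S 10.0.0.0 255.0.0.0 [1/0] via 10.0.0.1, LAN
S 172.16.0.0 255.240.0.0 [1/0] via 10.0.0.1, LAN
S 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.1, LAN
""".strip().splitlines()]
FIX_ROUTE = parse_asa_route("S 192.168.111.0 255.255.255.0 [1/0] via 213.221.255.145, WAN")
# Assumed crypto ACL (not given in the post): local 10.0.1.0/24 <-> remote 192.168.111.0/24
CRYPTO_ACL = [(ipaddress.IPv4Network("10.0.1.0/24"), ipaddress.IPv4Network("192.168.111.0/24"))]

def before_fix() -> str:
    return classify(ASA_ROUTES, "WAN", CRYPTO_ACL, "10.0.1.10", "192.168.111.10")

def after_fix() -> str:
    return classify(ASA_ROUTES + [FIX_ROUTE], "WAN", CRYPTO_ACL, "10.0.1.10", "192.168.111.10")
```

Without the /24 route the lookup lands on 192.168.0.0/16 toward the LAN, so the packet never touches the outside interface and the crypto ACL is never consulted; with it, the /24 wins and the traffic is encrypted.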

A working remote network which is configured exactly the same is 192.168.29.0/24.

Could it be that you have configured reverse-route-injection (RRI) for the other VPNs, but not for this one?

Reverse-route injection isn't configured for this or any other VPN.