07-29-2020 07:46 AM
I have some routing problems with my Cisco ASA. The IPsec VPN is up and running, but my ASA sends all packets for the remote network back to the switch instead of into the IPsec VPN. The IPsec session only shows Rx but zero Tx...
Switch routing:
S* 0.0.0.0/0 [1/0] via 10.0.1.254
ASA:
S* 0.0.0.0 0.0.0.0 [1/0] via <wan gateway>, WAN
S 10.0.0.0 255.0.0.0 [1/0] via 10.0.0.1, LAN
S 172.16.0.0 255.240.0.0 [1/0] via 10.0.0.1, LAN
S 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.1, LAN
I don't have any problems with other, different remote network VPNs.
As soon as I add the following route on the ASA the communication works:
S 192.168.111.0 255.255.255.0 [1/0] via 213.221.255.145, WAN
I know I'm routing the whole 192.168.0.0 network to the switch but longest prefix match...
Any idea why I have to add an additional route just for this network?
07-29-2020 07:57 AM
Hi,
This is to be expected. You need this specific route, because this traffic needs to be sent to the outside interface in order to be matched to the crypto ACL, encrypted and then routed over the VPN.
What are the other networks you don’t need to define static routes for? Provide your configuration if necessary.
HTH
07-30-2020 12:26 AM
07-29-2020 02:48 PM
Could it be that you have configured reverse-route-injection (RRI) for the other VPNs, but not for this one?
07-30-2020 12:27 AM
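The behaviour discussed in this thread, modelled as an added example that is not part of any poster's message: the egress interface is chosen by longest-prefix match first, and the crypto ACL is only consulted if that interface carries the crypto map. The routes are the ones posted above; the crypto map on WAN protecting 192.168.111.0/24 and the host 192.168.111.10 are assumptions made for illustration.

```python
import ipaddress

# Routing tables as posted in the thread; "<wan gateway>" is the thread's own placeholder.
BASE_ROUTES = [
    ("0.0.0.0/0", "<wan gateway>", "WAN"),
    ("10.0.0.0/8", "10.0.0.1", "LAN"),
    ("172.16.0.0/12", "10.0.0.1", "LAN"),
    ("192.168.0.0/16", "10.0.0.1", "LAN"),
]
FIXED_ROUTES = BASE_ROUTES + [("192.168.111.0/24", "213.221.255.145", "WAN")]

# Assumption: the crypto map is bound to WAN and its ACL protects this remote network.
CRYPTO_INTERFACE = "WAN"
CRYPTO_REMOTE_NETS = [ipaddress.ip_network("192.168.111.0/24")]


def lookup(routes, dst):
    """Longest-prefix match: return (prefix, next_hop, interface) for dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(prefix), hop, ifc)
        for prefix, hop, ifc in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    net, hop, ifc = max(candidates, key=lambda r: r[0].prefixlen)
    return str(net), hop, ifc


def disposition(routes, dst):
    """Describe a packet's fate: route lookup first, crypto ACL second."""
    route = lookup(routes, dst)
    if route is None:
        return "dropped: no route"
    _, hop, ifc = route
    addr = ipaddress.ip_address(dst)
    protected = any(addr in net for net in CRYPTO_REMOTE_NETS)
    if ifc == CRYPTO_INTERFACE and protected:
        return "encrypted into tunnel via WAN"
    if protected:
        return f"sent in clear to {hop} on {ifc}, crypto ACL never evaluated"
    return f"forwarded in clear to {hop} on {ifc}"


if __name__ == "__main__":
    # 192.168.111.10 is a constructed sample host in the remote network.
    for name, table in (("before", BASE_ROUTES), ("after", FIXED_ROUTES)):
        print(name, disposition(table, "192.168.111.10"))
```

The "before" case is the one worth auditing for: traffic intended for the tunnel is covered by a broader RFC 1918 summary route and leaves unencrypted on the inside interface.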