Solved

L2L vpn (ASA-ASA) needs outside route to work?

Posted on 2011-04-25
Last Modified: 2012-05-11
I have a L2L VPN that is working in an environment. There was a separate issue that I was troubleshooting when I found this. On the ASA there is a static route configured for the remote network to the default gateway. If this is removed the VPN stops working.

Now I am not an expert by any means, but in the past when I have created L2L VPNs I don't remember having to put in a static route to the outside. What is the reason that this has to be entered?
Question by:ryan80
8 Comments
 
LVL 5

Expert Comment

by:torvir
ID: 35462114
Your ASA has to have routing information about the other ASA:s public IP-address. That could be achieved with a default route or with a specific route to the other ASA:s public address pointing towards your internet provider.
If you use a default route you don't have to add any more route for the private network on the other side. But if you use a specific route to the other ASA. Then you also need a route to the private network on the other side.
 
LVL 12

Author Comment

by:ryan80
ID: 35462142
This is unrelated to the public IP of the other ASA. There is already a route of 0.0.0.0 to the public gateway.

Instead the route is like this

route outside 192.168.1.0 255.255.255.0 <public gateway>

where 192.168.1.0 is the remote network.
 
LVL 7

Expert Comment

by:kellemann
ID: 35466045
Was the static route part of the running configuration or did it only show up when viewing the route table?
If it was in the running config, this issue shouldn't happen, and it doesn't need to be there.
If it is only in the routing table, then this is normal. Running tunnels show up as static route entries, even though they aren't actually static.
 
LVL 12

Author Comment

by:ryan80
ID: 35466216
It is a static route defined in the running config. If I remove it, the VPN stops working.
 
LVL 7

Expert Comment

by:kellemann
ID: 35466285
Was the tunnel re-initialized after issuing the "no route" command? If not, try removing the static route entry, and issue this command:
clear crypto isakmp sa x.x.x.x
where x is the peer ip address
Traffic between the sites should pull the tunnel back up in no time.
 
LVL 12

Author Comment

by:ryan80
ID: 35466412
I did reinitialize it, but I will try it again, in case I did it in the wrong order.
 
LVL 5

Accepted Solution

by:
torvir earned 2000 total points
ID: 35468062
Hi again,
I just tried to figure out if you had a configuration where the route really is needed. If you have a default route to your provider you shouldn't normally need it. I have to ask strange questions because I don't see your configuration.
Here is another strange question.
Do you have routes to the inside that includes network 192.168.1.0 255.255.255.0 ?
Example. If you route 192.168.0.0 255.255.0.0 to the inside you have to have an explicit route to the outside describing 192.168.1.0 255.255.255.0
Could that be the case?
 
LVL 12

Author Closing Comment

by:ryan80
ID: 35475223
Thanks, that was it. Feeling a little foolish that I didn't see that.

I didn't notice that there was a route with an 8-bit mask that was covering all of the subnets (local or remote) pointing to the inside.

I will change it to cover just the local subnets.
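The accepted answer and the closing comment describe a longest-prefix-match problem: a broad summary route toward the inside interface covers the remote LAN, so packets for it never leave via the outside interface where the crypto map would encrypt them. The following is an added example, not code from the thread or from Cisco; the interface names, the 192.0.0.0/8 summary and the local subnets are constructed to mirror the thread, and the lookup is a simplified model of the ASA's routing decision, not its implementation.

```python
# Added example: simplified longest-prefix-match lookup showing why a broad
# "inside" summary route swallows the VPN peer's subnet, and the two fixes
# discussed in the thread. All addresses and interface names are constructed.
import ipaddress

def longest_match(routes, dst):
    """Return (prefix, interface) of the most specific route covering dst.

    routes: list of (prefix string, interface name); dst: address string.
    Longer prefixes win, regardless of their order in the table.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None

def egress(routes, dst):
    """Interface a packet to dst leaves on, or None if it is unroutable."""
    match = longest_match(routes, dst)
    return match[1] if match else None

# Constructed table modelled on the asker's description: a default route to
# the ISP plus a summary route with an 8-bit mask sending 192.0.0.0/8 inside.
BROAD_TABLE = [
    ("0.0.0.0/0", "outside"),     # route outside 0.0.0.0 0.0.0.0 <public gw>
    ("192.0.0.0/8", "inside"),    # covers local AND remote LANs
]

# Fix 1 (the route the asker found): an explicit /24 for the remote LAN toward
# outside beats the /8 summary, so traffic reaches the outside crypto map.
# Equivalent to: route outside 192.168.1.0 255.255.255.0 <public gateway>
EXPLICIT_FIX = BROAD_TABLE + [("192.168.1.0/24", "outside")]

# Fix 2 (what the asker chose): drop the /8 and route only the local subnets
# inside, so the remote LAN falls through to the default route.
NARROW_FIX = [
    ("0.0.0.0/0", "outside"),
    ("192.168.10.0/24", "inside"),   # constructed local LAN
    ("192.168.20.0/24", "inside"),   # constructed local LAN
]

if __name__ == "__main__":
    for name, table in (("broad", BROAD_TABLE), ("explicit", EXPLICIT_FIX),
                        ("narrow", NARROW_FIX)):
        print(f"{name:8s} remote host -> {egress(table, '192.168.1.10')}, "
              f"local host -> {egress(table, '192.168.10.5')}")
```

With the broad table the remote host is sent inside and never encrypted; either fix returns it to the outside interface while local hosts still route inside.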
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question