

L2L vpn (ASA-ASA) needs outside route to work?

Medium Priority
Last Modified: 2012-05-11
I have a L2L VPN that is working in an environment. There was a separate issue that I was troubleshooting when I found this. On the ASA there is a static route configured for the remote network to the default gateway. If this is removed the VPN stops working.

Now I am not an expert by any means, but in the past when I have created L2L VPNs I don't remember having to put in a static route to the outside. What is the reason that this has to be entered?

Your ASA has to have routing information about the other ASA's public IP address. That could be achieved with a default route or with a specific route to the other ASA's public address pointing towards your internet provider.
If you use a default route you don't have to add any more routes for the private network on the other side. But if you use a specific route to the other ASA, then you also need a route to the private network on the other side.


This is unrelated to the public IP of the other ASA. There is already a route to the public gateway.

Instead the route is like this

route outside <public gateway>

where is the remote network.
Was the static route part of the running configuration or did it only show up when viewing the route table?
If it was in the running config, this issue shouldn't happen, and it doesn't need to be there.
If it is only in the routing table, then this is normal. Running tunnels show up as static route entries, even though they aren't actually static.


It is a static route defined in the running config. If I remove it, the VPN stops working.
Was the tunnel re-initialized after issuing the "no route" command? If not, try removing the static route entry, and issue this command:
clear crypto isakmp sa x.x.x.x
where x is the peer ip address
Traffic between the sites should pull the tunnel back up in no time.


I did reinitialize it, but I will try it again, in case I did it in the wrong order.


Thanks, that was it. Feeling a little foolish that I didn't see that.

I didn't notice that there was a route with an 8-bit mask that was covering all of the subnets (local or remote) pointing to the inside.

I will change it to cover just the local subnets.
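The situation the thread ends on, shown as an added ASA configuration example (not configuration from this thread); every address, interface name and subnet in it is constructed for illustration.

```cisco
! Added example, not the original poster's configuration. Constructed addressing:
!   inside interface subnet 192.168.0.0/24, internal router 192.168.0.254
!   local LANs 10.1.0.0/16 behind that router, remote LAN 10.2.0.0/16 over the L2L tunnel
!   outside interface next hop (ISP gateway) 203.0.113.1
!
! --- Before: an /8 route on "inside" also covers the remote LAN ---
! 10.2.x.x is routed toward the internal router, so the packet never egresses
! "outside" and never matches the crypto map; the tunnel does not come up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 192.168.0.254 1
!
! --- After: narrow the inside route to the local subnets only ---
! Remote traffic now falls through to the default route on "outside", where the
! crypto map's interesting-traffic ACL catches it. A specific outside route for
! the remote LAN (what the poster originally had) gives the same result, because
! the longest matching prefix wins over the /8.
route inside 10.1.0.0 255.255.0.0 192.168.0.254 1
! route outside 10.2.0.0 255.255.0.0 203.0.113.1 1    (optional, equivalent outcome)
!
! --- Verification from exec mode after the change ---
! show route                                        no broader inside route should shadow 10.2.0.0/16
! packet-tracer input inside tcp 10.1.0.10 12345 10.2.0.10 443
!                                                   ROUTE-LOOKUP should pick egress "outside" and a VPN encrypt phase should appear
! clear crypto isakmp sa <peer-ip>                  re-initialize the tunnel, as the answer above advises
```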