L2L vpn (ASA-ASA) needs outside route to work?

I have a L2L vpn that is working in an environment. There was a seperate issue that I was troubleshooting when I found this. On the ASA there is a static route configured for the remote network to the default gateway. If this is removed the VPN stops working.

Now I am not an expert by any means, but in the past when I have created L2L vpn's I dont remember having to put in a static route to the outside. What is the reason that this has to be entered?
LVL 12
ryan80Asked:
Who is Participating?
 
torvirConnect With a Mentor Commented:
Hi again,
I just tried to figure out if you had a configuration where the route really is needed. If you have a default route to your provider you shouldn't normally need it. I have to ask strange questions because I don't see your configuration.
Here is another strange question.
Do you have routes to the inside that includes network 192.168.1.0 255.255.255.0 ?
Example. If you route 192.168.0.0 255.255.0.0 to the inside you have to have an explicit route to the outside describing 192.168.1.0 255.255.255.0
Could that be the case?
0
 
torvirCommented:
Your ASA has to have routing information about the other ASA:s public IP-address. That could be achieved with a default route or with a specific route to the other ASA:s public address pointing towards your internet provider.
If you use a default route you don't have to add any more route for the private network on the other side. But if you use a specific route to the other ASA. Then you also need a route to the private network on the other side.
0
 
ryan80Author Commented:
this is unrelated to the public IP of the other ASA. the is already a route of 0.0.0.0 to the public gateway.

Instead the route is like this

route outside 192.168.1.0 255.255.255.0 <public gateway>

where 192.168.1.0 is the remote network.
0
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

 
kellemannCommented:
Was the static route part of the running configuration or did it only show up when viewing the route table?
If it was in the running config, this issue shouldn't happen, and it doesn't need to be there.
If it is only in the routing table, then this is normal. Running tunnels show up as static route entries, even thought they aren't actually static.
0
 
ryan80Author Commented:
It is a static rote defined in the  running config. If I remove it, the VPN stops working.
0
 
kellemannCommented:
Was the tunnel re-initialized after issuing the "no route" command? If not, try removing the static route entry, and issue this command:
clear crypto isakmp sa x.x.x.x
where x is the peer ip address
Traffic between the sites should pull the tunnel back up in no time.
0
 
ryan80Author Commented:
I did reinitialize it, but I will try it again, in case I did it in the wrong order.
0
 
ryan80Author Commented:
Thanks, that was it. Feeling a little foolish that I didnt see that.

I didnt notice that there was an route with an 8 bits mask that was covering all of the subnets (local or remote) pointing to the inside.

I will change it to cover just the local subnets.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.