Route issues with Cisco ASA5505

I have a Cisco ASA 5505 with a pretty simple configuration.  It's got a single site-to-site vpn, default route out for internet traffic.  But I also have 5 static routes to direct certain subnets to another firewall on the inside network.

The problem is that the last 3 mornings, traffic to those 5 subnets has quit working.  It works again after restarting the ASA.  I wondered if the ASA was learning routes from another device on the network, but can't find any route-cache settings to change on the ASA.

What could cause this?
bunchageeks asked:
ffleisma (Senior Network Engineer) commented:
It would be hard to say but a few things I would like to ask.

1. Are you running any dynamic routing protocol on the ASA?
2. On the VPN configuration, is reverse route injection configured?
3. During the issue, is the ASA accessible via SSH? When accessed, what is the result of tracert or show route; does it change from stable conditions?
4. During the issue, are all interfaces up, especially the interfaces connecting to the next-hop on the inside?
5. Are your static routes on the ASA directed to a Virtual IP (VIP) of a FHRP (HSRP,VRRP,GLBP) by any chance? During issue is the next-hop pingable from the firewall?
ffleisma (Senior Network Engineer) commented:
Also, I forgot to ask: are you running redundant ASAs in active-standby?
bunchageeks (Author) commented:
Thanks.  I'll answer what I can:

1. no
2. no
3. yes.  Haven't done tracert, show route looks normal
4. yes
5. no, and yes
Active Standby?  no
ffleisma (Senior Network Engineer) commented:
So a few things I would have suspected at first.

If on active-standby (which is not the case), the ASA switches over to the standby ASA but the link going from the firewall to the internal network is in a blocking state (STP).

ASA memory or CPU is overloaded, but very unlikely since you are able to access it.

The next-hop is not reachable, but like you said, you were able to ping the next-hop. So next time the issue occurs, it might be good troubleshooting to check the route via tracert to verify which part of the network you are not reaching.

When you say traffic to those 5 subnets, did you mean traffic incoming from the VPN towards those 5 internal subnets? It might not be a routing issue but rather the VPN tunnel is down. You can check via the show command "show isakmp sa".

If the VPN tunnel is down, it might be a mismatch in the VPN configuration between the sites. You can restart the VPN tunnel without rebooting the ASA via "clear ipsec sa peer x.x.x.x".

Sorry I couldn't be more specific, but those are the few things I'd check when the issue arises again.

Hope this helps.
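An added check that follows the checklist above (example code, not from the thread or from Cisco): a small Python monitor that diffs the ASA's static routes against the expected set and reads the IKE SA state, so drift or a dropped tunnel gets logged the next time it happens instead of being cleared by a reboot. The "show route" and "show isakmp sa" samples are constructed, their format is approximated from memory, and all addresses are hypothetical.

```python
import re

# Constructed samples of ASA "show route" / "show isakmp sa" output, with the
# format approximated from memory and hypothetical addresses (not the poster's).
SHOW_ROUTE = """\
C    192.168.1.0 255.255.255.0 is directly connected, inside
S    10.10.20.0 255.255.255.0 [1/0] via 192.168.1.2, inside
S    10.10.30.0 255.255.255.0 [1/0] via 192.168.1.2, inside
S    10.10.40.0 255.255.255.0 [1/0] via 192.168.1.99, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""
SHOW_ISAKMP = """\
1   IKE Peer: 198.51.100.5
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""
# The static routes the ASA should carry: (network, mask) -> inside next hop.
EXPECTED_STATIC = {
    ("10.10.20.0", "255.255.255.0"): "192.168.1.2",
    ("10.10.30.0", "255.255.255.0"): "192.168.1.2",
    ("10.10.40.0", "255.255.255.0"): "192.168.1.2",
    ("10.10.50.0", "255.255.255.0"): "192.168.1.2",
}
STATIC_RE = re.compile(r"^S\*?\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")

def parse_static_routes(show_route):
    """Return {(network, mask): next_hop} for each S/S* line; other codes skipped."""
    routes = {}
    for line in show_route.splitlines():
        m = STATIC_RE.match(line)
        if m:
            routes[(m.group(1), m.group(2))] = m.group(3)
    return routes

def route_drift(show_route, expected):
    """Diff the live table against the expected statics: routes that vanished and
    routes whose next hop changed (what a learned or injected route would do)."""
    live = parse_static_routes(show_route)
    missing = sorted(k for k in expected if k not in live)
    wrong = {k: live[k] for k in expected if k in live and live[k] != expected[k]}
    return {"missing": missing, "wrong_nexthop": wrong}

def tunnel_up(show_isakmp):
    """True only if at least one IKE SA is shown and all are MM_ACTIVE (phase 1 up)."""
    states = STATE_RE.findall(show_isakmp)
    return bool(states) and all(s == "MM_ACTIVE" for s in states)
```

Run it from a scheduled job that captures the two show commands over SSH and write the dict and the boolean to a log; a non-empty drift or a False tunnel state is the moment to collect tracert output before anyone reboots.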
bunchageeks (Author) commented:
Thanks.  

This morning I was set for troubleshooting but so far, the issue hasn't come up.  

Yesterday I only had a couple of minutes to look at the issue.  Then I had to reboot to fix it and leave for an appt.  All I found yesterday was that from the ASA, the routing table was correct, and I could ping an IP on the subnet that was supposedly down.  I didn't get a chance to try traceroutes, etc.  Hopefully if this happens again, I'll have more time to dig in and troubleshoot.
bunchageeks (Author) commented:
Well, this hasn't happened again and it's been 2 weeks.  I wasn't able to find an issue with the ASA.  I am going to assume it was a problem with the part of the network I don't administer.  Thanks for the suggestions and help.
bunchageeks (Author) commented:
I am only including my own comment as partial solution because it appears the problem wasn't with this ASA after all.