Route issues with Cisco ASA5505

Posted on 2014-08-20
Medium Priority
Last Modified: 2014-09-10
I have a Cisco ASA 5505 with a pretty simple configuration.  It's got a single site-to-site vpn, default route out for internet traffic.  But I also have 5 static routes to direct certain subnets to another firewall on the inside network.

The problem is that the last 3 mornings, traffic to those 5 subnets has quit working.  It works again after restarting the ASA.  I wondered if the ASA was learning routes from another device on the network, but can't find any route-cache settings to change on the ASA.

What could cause this?
Question by:bunchageeks

Expert Comment

ID: 40273811
It would be hard to say but a few things I would like to ask.

1. Are you running any dynamic routing protocol on the ASA?
2. On the VPN configuration, is reverse route injection configured?
3. During the issue, is the ASA accessible via SSH? When accessed, what is the result of the tracert or show route; does it change from stable conditions?
4. During the issue, are all interfaces up, especially the interfaces connecting to the next-hop on the inside?
5. Are your static routes on the ASA directed to a Virtual IP (VIP) of a FHRP (HSRP,VRRP,GLBP) by any chance? During issue is the next-hop pingable from the firewall?
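
The expert's questions 3 and 5 come down to one check: does the ASA's routing table during the outage differ from its stable state, and are the five static routes still pointing at the expected inside next-hop? The following Python snapshot comparison is an added example, not code from the thread. The two `show route` captures are constructed samples in the ASA 8.x/9.x text layout, and the subnets and next-hop addresses are placeholders since the question never gives the real ones.

```python
import re

# One line of ASA "show route" in the shapes this parser understands
# (approximation of the ASA 8.x/9.x text format):
#   S    10.10.20.0 255.255.255.0 [1/0] via 192.168.1.254, inside
#   C    192.168.1.0 255.255.255.0 is directly connected, inside
#   S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2}\*?)\s+"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<nh>\d{1,3}(?:\.\d{1,3}){3}),\s+(?P<iface>\S+)"
    r"|is directly connected,\s+(?P<ciface>\S+))\s*$"
)

# Constructed "stable" capture: five statics to an inside firewall, default out.
BASELINE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, inside
C    203.0.113.0 255.255.255.248 is directly connected, outside
S    10.10.20.0 255.255.255.0 [1/0] via 192.168.1.254, inside
S    10.10.30.0 255.255.255.0 [1/0] via 192.168.1.254, inside
S    10.10.40.0 255.255.255.0 [1/0] via 192.168.1.254, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

# Constructed "during the issue" capture: one static vanished, one changed next-hop.
INCIDENT = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, inside
C    203.0.113.0 255.255.255.248 is directly connected, outside
S    10.10.20.0 255.255.255.0 [1/0] via 192.168.1.254, inside
S    10.10.40.0 255.255.255.0 [1/0] via 192.168.1.253, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

EXPECTED_INSIDE_NEXT_HOP = "192.168.1.254"  # placeholder for the inside firewall


def parse_show_route(text):
    """Return {(network, mask): {"code", "next_hop", "iface"}} from show route text."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # legend, gateway-of-last-resort line, blanks
        routes[(m.group("net"), m.group("mask"))] = {
            "code": m.group("code"),
            "next_hop": m.group("nh"),  # None for connected routes
            "iface": m.group("iface") or m.group("ciface"),
        }
    return routes


def diff_routes(baseline, current):
    """Compare two snapshots and return human-readable findings, baseline order first."""
    findings = []
    for key, base in sorted(baseline.items()):
        cur = current.get(key)
        if cur is None:
            findings.append(f"MISSING {key[0]}/{key[1]} (was {base['code']} via "
                            f"{base['next_hop']} on {base['iface']})")
            continue
        for field in ("code", "next_hop", "iface"):
            if cur[field] != base[field]:
                findings.append(f"CHANGED {key[0]}/{key[1]} {field}: "
                                f"{base[field]} -> {cur[field]}")
    for key, cur in sorted(current.items()):
        if key not in baseline:
            findings.append(f"NEW {key[0]}/{key[1]} {cur['code']} via "
                            f"{cur['next_hop']} on {cur['iface']}")
    return findings


def statics_not_via(routes, next_hop):
    """Static routes (code S, not the S* default) whose next-hop is not the expected one."""
    return sorted(f"{n}/{m}" for (n, m), r in routes.items()
                  if r["code"] == "S" and r["next_hop"] != next_hop)


if __name__ == "__main__":
    base, now = parse_show_route(BASELINE), parse_show_route(INCIDENT)
    for finding in diff_routes(base, now):
        print(finding)
    print("statics off the expected next-hop:", statics_not_via(now, EXPECTED_INSIDE_NEXT_HOP))
```

Capture `show route` once while things work and again during the outage (the ASA was still reachable over SSH here), then feed both to `diff_routes`; an empty result points the investigation away from the ASA's table and towards the path beyond the next-hop, which is where the thread eventually ended up.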

Expert Comment

ID: 40274030
Also, I forgot to ask: are you running redundant ASA active-standby?

Author Comment

ID: 40274259
Thanks.  I'll answer what I can:

1. no
2. no
3. yes.  Haven't done tracert, show route looks normal
4. yes
5. no, and yes
Active Standby?  no

Assisted Solution

ffleisma earned 300 total points
ID: 40278155
So a few things I would have suspected at first.

If on active-standby (which is not the case), the ASA switches over to the standby ASA but the link going from the firewall to the internal network is in a blocking state (STP).

ASA memory or CPU is overloaded, but very unlikely since you are able to access it.

The next-hop is not reachable, but like you said you were able to ping the next-hop. So next time the issue occurs, it might be good troubleshooting to check the route via tracert to verify which part of the network you are not reaching.

When you say traffic to those 5 subnets, did you mean traffic incoming from VPN towards those 5 internal subnets? It might not be a routing issue but rather VPN tunnel is down. You can check via show command "show isakmp sa"

If the VPN tunnel is down, it might be a mismatch on the VPN configuration between the sites. You can restart the VPN tunnel and not reboot the ASA via "clear ipsec sa peer x.x.x.x"

Sorry I couldn't be more specific, but those are the few things I'd check when the issue arises again.

Hope this helps.
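
The answer above suggests ruling out a down tunnel with `show isakmp sa` before treating the symptom as a routing problem. The following Python helper, added here and not part of the thread, classifies each expected site-to-site peer from that command's IKEv1 output. The three captures are constructed samples modelled on the ASA's text layout, and the peer addresses are documentation-range placeholders rather than the poster's real peers; `MM_ACTIVE`/`AM_ACTIVE` are the established states, and `MM_WAIT_MSG*` values indicate a main-mode negotiation that has stalled.

```python
import re

# Constructed sample: one established L2L tunnel.
SAMPLE_UP = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 198.51.100.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample: one tunnel up, a second peer stuck mid-negotiation.
SAMPLE_MIXED = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 198.51.100.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.9
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# Constructed sample: what the ASA prints when no IKE SA exists at all.
SAMPLE_NONE = "There are no isakmp sas\n"

PEER_RE = re.compile(r"IKE Peer:\s*(?P<peer>\d{1,3}(?:\.\d{1,3}){3})")
STATE_RE = re.compile(r"State\s*:\s*(?P<state>[A-Z0-9_]+)")
ESTABLISHED = {"MM_ACTIVE", "AM_ACTIVE"}


def parse_isakmp_sa(text):
    """Return {peer_ip: ike_state} for every IKE SA block in the output."""
    sas = {}
    peer = None
    for line in text.splitlines():
        pm = PEER_RE.search(line)
        if pm:
            peer = pm.group("peer")
            sas[peer] = None  # filled in when the State line for this block arrives
            continue
        sm = STATE_RE.search(line)
        if sm and peer is not None:
            sas[peer] = sm.group("state")
    return sas


def tunnel_status(text, expected_peers):
    """Classify each expected peer as 'up', 'negotiating' or 'down'."""
    sas = parse_isakmp_sa(text)
    status = {}
    for peer in expected_peers:
        state = sas.get(peer)
        if state in ESTABLISHED:
            status[peer] = "up"
        elif state is None:
            status[peer] = "down"  # no SA for this peer at all
        else:
            status[peer] = "negotiating"
    return status


if __name__ == "__main__":
    peers = ["198.51.100.2", "198.51.100.9"]
    for label, capture in (("up", SAMPLE_UP), ("mixed", SAMPLE_MIXED), ("none", SAMPLE_NONE)):
        print(label, tunnel_status(capture, peers))
```

If every expected peer reports "up" while traffic to the inside subnets still fails, the tunnel is not the cause and the next step is the tracert the answer recommends; a "negotiating" result points at a phase 1 mismatch between the two sites, which is the case where clearing the SA rather than rebooting applies.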

Author Comment

ID: 40278842

This morning I was set for troubleshooting but so far, the issue hasn't come up.  

Yesterday I only had a couple of minutes to look at the issue.  Then I had to reboot to fix it and leave for an appt.  All I found yesterday was that from the ASA, the routing table was correct, and I could ping an IP on the subnet that was supposedly down.  I didn't get a chance to try traceroutes, etc.  Hopefully if this happens again, I'll have more time to dig in and troubleshoot.

Accepted Solution

bunchageeks earned 0 total points
ID: 40306360
Well, this hasn't happened again and it's been 2 weeks.  I wasn't able to find an issue with the ASA.  I am going to assume it was a problem with the part of the network I don't administer.  Thanks for the suggestions and help.

Author Closing Comment

ID: 40313986
I am only including my own comment as partial solution because it appears the problem wasn't with this ASA after all.

