Interesting ASA problem -- duplicate IP & IPsec VPN remote access

Oct 5th, 2007

I am running 8.0(2), look at the following output from ASA:

ASA5500#sh interface gi0/0
Interface GigabitEthernet0/0 "Outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
    MAC address 0018.b91b.55b6, MTU 1500
    IP address, subnet mask
    3421353595 packets input, 1734453023897 bytes, 10860859 no buffer
    Received 276528 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 6484383 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    1394329286 packets output, 279509809309 bytes, 0 underruns
    0 output errors, 0 collisions, 3 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops
    input queue (curr/max packets): hardware (1/33) software (0/0)
    output queue (curr/max packets): hardware (0/95) software (0/0)
  Traffic Statistics for "Outside":
    3421137849 packets input, 1646043223864 bytes
    1394329411 packets output, 250264599199 bytes
    86153516 packets dropped
    1 minute input rate 3032 pkts/sec, 4145066 bytes/sec
    1 minute output rate 1579 pkts/sec, 85978 bytes/sec
    1 minute drop rate, 12 pkts/sec
    5 minute input rate 627 pkts/sec, 725869 bytes/sec
    5 minute output rate 389 pkts/sec, 41285 bytes/sec
    5 minute drop rate, 11 pkts/sec

ASA5500# sh route
<irrelevant routes snipped>
O E2 [110/20] via, 0:40:47, Inside


So I have as the Outside interface IP address, and it is also learned from the Internal network. Obviously this is a configuration mistake, no question about that.

Now here is my question: I happened to have this IP address for IPsec VPN remote access. When a connection request comes in to this IP address, shouldn't the ASA process it? In reality, it does not, but I want to understand what the ASA is doing. If this were a router, the CEF adjacency for this IP address would be receive, and the router would be able to process the incoming request correctly. How does the ASA behave differently?
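The misconfiguration described in the post (a route learned from another interface that covers the firewall's own interface address, so the address that should terminate remote-access VPN is shadowed) can be caught by parsing the two show commands before it breaks anything. The following Python script is an added example and not from the original post or from Cisco; the `show interface` and `show route` text it parses is constructed in the style of the output above, using documentation-range placeholder addresses (192.0.2.0/24, 10.0.0.0/24) because the post's real addresses are not shown, and the exact line layout is an assumption about the ASA 8.0 format.

```python
import ipaddress
import re

# Constructed sample output (placeholder addresses, NOT the post's real values).
# Outside holds 192.0.2.10/24; an OSPF external route for that same host address
# is learned via Inside, which is the condition the post describes.
SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "Outside", is up, line protocol is up
        IP address 192.0.2.10, subnet mask 255.255.255.0
Interface GigabitEthernet0/1 "Inside", is up, line protocol is up
        IP address 10.0.0.1, subnet mask 255.255.255.0
"""

SHOW_ROUTE = """\
C    192.0.2.0 255.255.255.0 is directly connected, Outside
C    10.0.0.0 255.255.255.0 is directly connected, Inside
O E2 192.0.2.10 255.255.255.255 [110/20] via 10.0.0.2, 0:40:47, Inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, Outside
"""

IFACE_RE = re.compile(r'^Interface \S+ "([^"]+)"')
ADDR_RE = re.compile(r"IP address (\d+(?:\.\d+){3}), subnet mask (\d+(?:\.\d+){3})")
# route code ("C", "O E2", "S*"), network, mask, ..., ", <interface>" at end of line
ROUTE_RE = re.compile(
    r"^(?P<code>\S+(?: [A-Z]\d)?)\s+(?P<net>\d+(?:\.\d+){3}) (?P<mask>\d+(?:\.\d+){3})"
    r".*,\s*(?P<iface>\S+)$"
)


def parse_interfaces(text):
    """Map interface nameif -> IPv4Interface from 'show interface' output."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.search(line)
        if m and current:
            result[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result


def parse_routes(text):
    """Return a list of (code, IPv4Network, egress interface) from 'show route'."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((m["code"].strip(), net, m["iface"]))
    return routes


def find_conflicts(interfaces, routes):
    """Flag an interface address that a non-connected route, at least as specific as
    the interface's own subnet, sends out a *different* interface.  A default route
    is ignored because it legitimately covers every address."""
    findings = []
    for name, addr in interfaces.items():
        for code, net, iface in routes:
            if code.startswith("C"):
                continue  # connected routes are the expected entries
            if net.prefixlen < addr.network.prefixlen:
                continue  # less specific than the connected subnet (e.g. 0.0.0.0/0)
            if addr.ip in net and iface != name:
                findings.append((name, str(addr.ip), code, str(net), iface))
    return findings


def audit(interface_text=SHOW_INTERFACE, route_text=SHOW_ROUTE):
    return find_conflicts(parse_interfaces(interface_text), parse_routes(route_text))


if __name__ == "__main__":
    for name, ip, code, net, iface in audit():
        print(f"{name} address {ip} is shadowed by {code} route {net} via {iface}")
```

Run it against real `show interface` and `show route` captures pasted into the two strings; any finding means an address the firewall should answer on (VPN termination included) is also being treated as reachable through another interface, which is exactly the condition to fix before expecting IKE to negotiate.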

amritpatek Thu, 10/11/2007 - 13:41

The ASA is learning the route for from two different sources; this is different from having a VPN connection request. So the ASA is not taking this as a VPN request but just as a route which is learned from a neighbour.


