Interesting ASA problem -- duplicate IP & IPsec VPN remote access

oldcreek12
Level 1

I am running 8.0(2), look at the following output from ASA:

ASA5500#sh interface gi0/0
Interface GigabitEthernet0/0 "Outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address 0018.b91b.55b6, MTU 1500
IP address 205.3.164.1, subnet mask 255.255.255.224
3421353595 packets input, 1734453023897 bytes, 10860859 no buffer
Received 276528 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 6484383 overrun, 0 ignored, 0 abort
0 L2 decode drops
1394329286 packets output, 279509809309 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (1/33) software (0/0)
output queue (curr/max packets): hardware (0/95) software (0/0)
Traffic Statistics for "Outside":
3421137849 packets input, 1646043223864 bytes
1394329411 packets output, 250264599199 bytes
86153516 packets dropped
1 minute input rate 3032 pkts/sec, 4145066 bytes/sec
1 minute output rate 1579 pkts/sec, 85978 bytes/sec
1 minute drop rate, 12 pkts/sec
5 minute input rate 627 pkts/sec, 725869 bytes/sec
5 minute output rate 389 pkts/sec, 41285 bytes/sec
5 minute drop rate, 11 pkts/sec

ASA5500# sh route
<irrelevant routes snipped>
O E2 205.3.164.1 255.255.255.255 [110/20] via 10.31.64.129, 0:40:47, Inside
<snipped>

So I have 205.3.164.1/27 as the Outside interface IP address, and 205.3.164.1/32 is also learned from the internal network. Obviously this is a configuration mistake, no question about that.

Now here is my question: I happen to have this IP address configured for IPsec VPN remote access. When a connection request comes in to this IP address, shouldn't the ASA process it? In reality, it does not, but I want to understand what the ASA is doing. If this were a router, the CEF adjacency for this IP address would be "receive", and the router would be able to process the incoming request correctly. How does the ASA behave differently?
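A configuration audit for exactly this mistake, added here as an example and not code from the thread: it parses constructed `sh interface` and `sh route` output (the Outside address and the OSPF /32 are from the post, the other interfaces and routes are illustrative) and flags any learned route that covers one of the ASA's own interface addresses with a prefix longer than that interface's connected subnet, which is the longest-match situation in which the dynamic route shadows the ASA's own address.

```python
import ipaddress
import re

# Constructed sample output modelled on the thread's "sh interface" / "sh route".
# Only the Outside address and the OSPF /32 come from the post; the rest is made up.
SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "Outside", is up, line protocol is up
        IP address 205.3.164.1, subnet mask 255.255.255.224
Interface GigabitEthernet0/1 "Inside", is up, line protocol is up
        IP address 10.31.64.1, subnet mask 255.255.255.0
"""
SHOW_ROUTE = """\
C    205.3.164.0 255.255.255.224 is directly connected, Outside
C    10.31.64.0 255.255.255.0 is directly connected, Inside
O E2 205.3.164.1 255.255.255.255 [110/20] via 10.31.64.129, 0:40:47, Inside
O    10.40.0.0 255.255.0.0 [110/11] via 10.31.64.129, 0:40:47, Inside
S*   0.0.0.0 0.0.0.0 [1/0] via 205.3.164.30, Outside
"""

IFACE_RE = re.compile(
    r'Interface \S+ "([^"]+)".*?IP address (\S+), subnet mask (\S+)', re.S)
# code, network, mask, next hop, egress interface; connected routes have no "via".
ROUTE_RE = re.compile(
    r'^([A-Z*]+(?: [A-Z]\d)?)\s+(\S+) (\S+) \[\d+/\d+\] via (\S+),'
    r'(?: [^,]+,)? (\S+)$', re.M)


def interface_addresses(show_interface):
    """Map interface name -> IPv4Interface (address plus its connected subnet)."""
    return {name: ipaddress.IPv4Interface(f"{ip}/{mask}")
            for name, ip, mask in IFACE_RE.findall(show_interface)}


def learned_routes(show_route):
    """Yield (code, IPv4Network, next_hop, iface) for every non-connected route."""
    for code, net, mask, nh, iface in ROUTE_RE.findall(show_route):
        yield code, ipaddress.IPv4Network(f"{net}/{mask}"), nh, iface


def find_self_address_routes(show_interface, show_route):
    """Flag learned routes that contain one of the ASA's own addresses AND are
    longer than that interface's connected prefix, i.e. routes that win the
    longest match over the connected route (a default route is not flagged)."""
    findings = []
    for name, addr in interface_addresses(show_interface).items():
        for code, net, nh, iface in learned_routes(show_route):
            if addr.ip in net and net.prefixlen > addr.network.prefixlen:
                findings.append((name, str(addr.ip), code, str(net), nh, iface))
    return findings
```

Running `find_self_address_routes(SHOW_INTERFACE, SHOW_ROUTE)` on the sample data reports the Outside address 205.3.164.1 as covered by the OSPF /32 learned via 10.31.64.129 on Inside, and nothing else.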

1 Reply

amritpatek
Level 6

The ASA is learning the route for 205.3.164.1 from two different sources; this is different from having a VPN connection request. So the ASA is not taking this as a VPN request but just as a route which is learned from a neighbour.
