I have a basic conceptual question. If an ASA is using dynamic routing (OSPF), has multiple physical paths to the Internet (for redundancy), and an L2L VPN tunnel established to another site, does it look to the routing table prior to encrypting the packet, or the other way around?
Please see the attached diagram for an illustration of the following description.
Let's say that the ASA is running OSPF between its outside interface and the two external routers. Under normal circumstances the ASA may receive a route for 126.96.36.199/32 through router2, and simultaneously be receiving a route for 10.2.2.0/24 via router1. However, depending upon what is going on in the network it may receive these routes from the alternate router.
Is the ASA's local routing table having an entry for 10.2.2.0/24 a factor, or is only the route for the tunnel endpoint relevant? My understanding is that it was not, but we have experienced symptoms that would contradict this.
Thanks in advance.
P.S. We are NOT using the 'tunneled' keyword for any static routes local to the ASA. Only traditional routing concepts should apply.