I'm using an ASA5520 (version 7.2(3)) with RemoteAccess VPN. Client routes are installed in the routing table with Reverse Route Injection and then redistributed with OSPF. A summary route is used to advertise all clients' IP addresses. This prevents changes to the routing tables whenever clients log in or out.
RA VPN clients receive their IP addresses from a DHCP server. However, when there are no more VPN connections, the summary route is also dropped. The internal network does not have a route back to the firewall for the DHCP server's replies. The VPN connection is denied because the firewall cannot assign an IP address to the client.
In short, is it possible to force the firewall to advertise the summary route?
I would prefer not to use a local IP pool.
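For readers following the question, the setup it describes (RRI for remote-access clients, the resulting static routes redistributed into OSPF, and a single summary covering the client pool) looks roughly like the following on an ASA. This is an added illustration, not configuration from the original poster; the map names `DYN-MAP` and `OUTSIDE-MAP`, the client pool `10.10.10.0/24`, the inside network `192.168.1.0/24` and the DHCP server address are constructed placeholders.

```cisco
! --- Remote-access crypto map with Reverse Route Injection ---
! Each connected client gets a /32 static route installed by RRI.
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! --- Client addressing from an internal DHCP server (placeholder address) ---
tunnel-group RA-VPN general-attributes
 dhcp-server 192.168.1.10

! --- OSPF: redistribute the RRI static routes, advertise one summary ---
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 redistribute static subnets
 ! summary-address only produces an external summary while at least one
 ! contributing RRI /32 is present; with zero clients the summary is
 ! withdrawn, which is the failure mode the question describes.
 summary-address 10.10.10.0 255.255.255.0
```

The comment on `summary-address` is the crux of the question: the summary is derived from the redistributed RRI routes, so the first client's DHCP request is forwarded before any route for the pool exists, and the internal network has no path for the DHCP reply back to the firewall.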