Confirm Config Please

Unanswered Question
Sep 29th, 2009


We had a hell of a time deploying our Clean Access Server as a Virtual Gateway in a central deployment. We were deploying the device for VPN users to do assessment of their machines. So far all is working alright. We had to change the original design because of the hardware limitations of the 3550 we have in our DMZ. You can't have one machine with two identical IPs in two different SVIs. It doesn't support it, so we had to bring the CAS into the core where that is supported on the right IOS. The VPN clients only need to get to the Terminal Server farm in this diagram:

http:[email protected]/3965998380/sizes/o/

So after a call in with TAC we got it working but it took some effort. Now I am reviewing the config and trying to document every important part of it. Then my boss asks me about the line:

route NAC_homeagents_vlan702 2

He says it does make sense and asks me to get rid of it. I do and all connections for the VPN users are dropped. He says it looks like a loop to him, and I am not too sure if he is right.

The idea here is the VPN traffic should be IN-band with the CAS. I also will admit that TAC told me I needed this but I am not able to explain why it is there.

Thanks for any input that could clarify this for me,


xcz504d1114 Tue, 09/29/2009 - 08:12

I couldn't view your diagram, it is blocked by my web filter here at the office.

What is the object listed? In your configuration (usually towards the top) you will see where you defined "NAC_homeagents_vlan702"

I'm sure there are more answers in your diagram, I just couldn't view it.

A single route statement doesn't tell me much though.


pener1963 Tue, 09/29/2009 - 08:18


Thanks for trying to have a look. Yeah the diagram has the config files right there so there would be no way you could help me without seeing it. If you want I can send you the diagram directly.



xcz504d1114 Tue, 09/29/2009 - 08:52

With the information you provided in your diagram, I don't see a loop. All that statement is saying, is that anything that the ASA doesn't know about, send to your SVI on the 4507, I don't see a default route on the 4507 pointing back to the ASA. If there is a default route pointing back to the ASA, then yes that could cause a loop.

The output of a "show route" on the ASA and a "show ip route" on the 4507 would confirm that.



pener1963 Tue, 09/29/2009 - 11:10

OK Craig, thanks for looking at that. My next question would be: is there a better way to do this? As you can see the route has an AD of 2 because I suppose the real default route sends traffic somewhere else.

I mean when the route is not there the VPN users are dead in the water, and I don't get why.

xcz504d1114 Tue, 09/29/2009 - 11:18

Is there another default route on the ASA? If so, and it has an administrative distance of 1, then the default route with an AD of 2 will never actually get used...

A "better way" is very subjective, that depends on a lot of factors. If it is working the way you intend it to, do you really want to go about changing it? Changing for the sake of changing something can lead to undesirable results sometimes; I would suggest leaving it until you find a reason to change it.


pener1963 Tue, 09/29/2009 - 11:33

OK on the ASA I have this among other routes:

S* [1/0] via, outside_perimetermanaged_vlan30

I assume this is the default route of the ASA. Its strange when I do a show route the route we have been talking about does not appear.

???? Confused ?????


xcz504d1114 Tue, 09/29/2009 - 11:47

Yeah, the static route with an AD of 2 will never get placed in your routing table, removing it should not break anything.

Can you post the full config for the ASA (excluding sensitive data of course)? That might help me understand what that route is for, and why it matters.
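The two points made in the replies above (a static route with AD 2 is never installed while an AD 1 route for the same prefix exists, so it never shows in `show route`; and a default route on the 4507 pointing back at the ASA would make a forwarding loop) can be checked with a small model of static-route installation. The example below is an added illustration, not configuration or code from this thread or from Cisco; the addresses (192.0.2.x, 198.51.100.x, 10.20.0.0/24) and the "Vlan10"/"Vlan702" names on the 4507 are constructed documentation values, and the model only covers static routes, administrative distance and longest-prefix match, not the ASA's real NAC or VPN handling.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    iface: str          # egress interface (ASA nameif or switch SVI)
    prefix: str         # destination prefix, e.g. "0.0.0.0/0"
    gateway: str        # next hop; "0.0.0.0" marks a directly connected prefix
    distance: int = 1   # administrative distance; an ASA static route defaults to 1


class RoutingTable:
    """Toy model of static-route installation: of all configured routes for
    one prefix, only the one with the lowest administrative distance is
    installed.  The rest stay in the configuration but never appear in
    'show route' until the better route is withdrawn (e.g. its interface
    goes down).  That is the 'floating static' behaviour discussed above."""

    def __init__(self, name):
        self.name = name
        self.configured = []

    def add(self, route):
        self.configured.append(route)

    def remove(self, route):
        self.configured.remove(route)

    def installed(self, iface_up=None):
        iface_up = iface_up or {}
        best = {}
        for r in self.configured:
            if not iface_up.get(r.iface, True):
                continue  # interface down: its static routes are withdrawn
            cur = best.get(r.prefix)
            if cur is None or r.distance < cur.distance:
                best[r.prefix] = r
        return best

    def lookup(self, dst, iface_up=None):
        """Longest-prefix match over installed routes only."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.installed(iface_up).values()
                 if addr in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        return max(cands, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)

    def show_route(self, iface_up=None):
        """Lines in the spirit of 'show route': installed routes only."""
        return [f"S{'*' if r.prefix == '0.0.0.0/0' else ''} {r.prefix} "
                f"[{r.distance}/0] via {r.gateway}, {r.iface}"
                for r in self.installed(iface_up).values()]


def trace(dst, tables, owner, start, iface_up=None, max_hops=8):
    """Follow next hops from device to device.  Returns (path, looped)."""
    path, dev = [start], start
    for _ in range(max_hops):
        r = tables[dev].lookup(dst, iface_up)
        if r is None or r.gateway == "0.0.0.0":
            return path, False                 # no route (dropped) or delivered on a connected net
        nxt = owner.get(r.gateway)
        if nxt is None:
            return path + [r.gateway], False   # next hop is outside the modelled network
        if nxt in path:
            return path + [nxt], True          # back on a device already visited: loop
        path.append(nxt)
        dev = nxt
    return path, True


# Constructed sample topology; addresses are documentation ranges, not from the thread.
VLAN30 = "outside_perimetermanaged_vlan30"
VLAN702 = "NAC_homeagents_vlan702"


def build_asa():
    asa = RoutingTable("ASA")
    asa.add(StaticRoute(VLAN30, "0.0.0.0/0", "192.0.2.1", 1))      # real default route, AD 1
    asa.add(StaticRoute(VLAN702, "0.0.0.0/0", "198.51.100.1", 2))  # floating static, AD 2
    return asa


def build_network(core_default_back_to_asa):
    asa = build_asa()
    core = RoutingTable("4507")
    core.add(StaticRoute("Vlan10", "10.20.0.0/24", "0.0.0.0", 0))  # terminal server subnet (assumed)
    if core_default_back_to_asa:
        core.add(StaticRoute("Vlan702", "0.0.0.0/0", "198.51.100.2", 1))  # the loop case
    owner = {"198.51.100.1": "4507", "198.51.100.2": "ASA"}  # which device holds each next hop
    return {"ASA": asa, "4507": core}, owner


if __name__ == "__main__":
    asa = build_asa()
    print(asa.show_route())                  # only the AD 1 route is installed
    print(asa.show_route({VLAN30: False}))   # vlan30 down: the AD 2 route takes over
    tables, owner = build_network(core_default_back_to_asa=True)
    print(trace("203.0.113.9", tables, owner, "ASA", {VLAN30: False}))  # ASA -> 4507 -> ASA
```

Run as-is, the first print lists only the AD 1 default route, which matches the observation above that the AD 2 route does not appear in `show route`; the second shows the AD 2 route being installed only once the vlan30 route is withdrawn. The trace at the end is the loop case the reply describes: it only appears when the 4507 has a default route pointing back at the ASA and the ASA is actually using the vlan702 route, which is why a `show ip route` on the 4507 is the thing to check.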


pener1963 Fri, 10/02/2009 - 08:05

Here is the other route in the ASA. The whole config is huge, so I can't put it all here. Like I said, when I take out the route for the NAC home agents their connections die on the spot, and I don't know why if what you say is true, i.e. the route should never be used if it has an AD of 2.

route outside_perimetermanaged_vlan30 1

route NAC_homeagents_vlan702 2

