ASA 5510 - no route problem

Unanswered Question
Mar 20th, 2010

I have the following network

Newmarket LAN 200.0.0.0/24 - inside network connected to interface "inside"

Connection to ISP 1 - 217.37.175.6 - interface "outside"

connection to ISP 2 - 88.96.81.97 - interface "backup"

I am trying to build a VPN tunnel using the "backup" interface - to 217.37.180.46 - but..

If you look at the debug logs it fails with "no route to 217.37.180.46 from 88.96.81.97".

I think what I need to do is to tell the backup interface to route traffic from "backup" for 217.37.180.46 via "outside" (the default route) but cannot figure this out.

This is the routing table from the show route

Result of the command: "show route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 217.37.175.1 to network 0.0.0.0

C    217.37.175.0 255.255.255.248 is directly connected, outside
S    Bury_LAN 255.255.255.0 [1/0] via 217.37.175.1, outside
C    Newmarket_LAN 255.255.255.0 is directly connected, inside
C    88.96.81.96 255.255.255.248 is directly connected, backup
S    88.96.85.168 255.255.255.248 [1/0] via 88.96.81.98, backup
S*   0.0.0.0 0.0.0.0 [1/0] via 217.37.175.1, outside

I attach my config and the debug is below

2010-03-20 20:28:04    Local4.Debug    200.0.0.100    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

2010-03-20 20:28:04    Local4.Notice    200.0.0.100    %ASA-5-713041: IP = 217.37.180.46, IKE Initiator: New Phase 1, Intf backup, IKE Peer 217.37.180.46  local Proxy Address 88.96.81.97, remote Proxy Address 217.37.180.46,  Crypto map (backup_map)

2010-03-20 20:28:04    Local4.Debug    200.0.0.100    %ASA-7-715046: IP = 217.37.180.46, constructing ISAKMP SA payload

2010-03-20 20:28:04    Local4.Debug    200.0.0.100    %ASA-7-715046: IP = 217.37.180.46, constructing NAT-Traversal VID ver 02 payload

2010-03-20 20:28:04    Local4.Debug    200.0.0.100    %ASA-7-715046: IP = 217.37.180.46, constructing NAT-Traversal VID ver 03 payload

2010-03-20 20:28:04    Local4.Debug    200.0.0.100    %ASA-7-715046: IP = 217.37.180.46, constructing Fragmentation VID + extended capabilities payload

2010-03-20 20:28:04    Local4.Debug    200.0.0.100    %ASA-7-713236: IP = 217.37.180.46, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148

2010-03-20 20:28:04    Local4.Info    200.0.0.100    %ASA-6-110001: No route to 217.37.180.46 from 88.96.81.97

Jennifer Halim Sat, 03/20/2010 - 17:40

If you would like to use the backup interface as the VPN termination for your LAN-to-LAN tunnel, here are the routes that you need to add:

route backup 217.37.180.46 255.255.255.255 88.96.81.98

route backup 88.96.85.169 255.255.255.255 88.96.81.98

route backup 210.0.0.0 255.255.255.0 88.96.81.98

Hope that helps.

mawallace Sun, 03/21/2010 - 14:59

So my issue is that all traffic for 217.37.180.46 is routed via the outside interface due to default route - and if I want to have a VPN terminating on the backup interface I have to route traffic for 217.37.180.46 etc via the backup interface. Is that correct?

Is there no way for me to tell the ASA that, while it uses the backup interface to terminate the VPN, it has to reach 217.37.180.46 through the outside interface network?

Jennifer Halim Sun, 03/21/2010 - 16:08

You are right. There is no way to use a different interface other than the directly routed interface for VPN termination on ASA. Unlike a router where you can use loopback interface for example.

So the following scenario is not supported:

- Backup interface as the VPN termination, but the actual VPN traffic comes from the Outside interface due to it being the default gateway.
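To make the routing behaviour discussed above concrete, here is an added example (not from the original thread or from Cisco): it rebuilds the routing table from the "show route" output in the question as a plain longest-prefix-match table, reproduces the check behind %ASA-6-110001 (the peer must be reachable out of the interface that terminates the tunnel), and applies the host route from the reply. The table entries, the "route" helper and its gateway-on-link check are assumptions made for this example; the Bury_LAN object has no prefix on the page, so it is left out.

```python
import ipaddress

# Routing table reconstructed from the "show route" output in the question
# (constructed for this example; Bury_LAN is omitted because its prefix is not on the page).
# Each entry: (network, mask, next hop or None if directly connected, interface)
ROUTES = [
    ("217.37.175.0", "255.255.255.248", None, "outside"),
    ("200.0.0.0", "255.255.255.0", None, "inside"),           # Newmarket_LAN
    ("88.96.81.96", "255.255.255.248", None, "backup"),
    ("88.96.85.168", "255.255.255.248", "88.96.81.98", "backup"),
    ("0.0.0.0", "0.0.0.0", "217.37.175.1", "outside"),        # gateway of last resort
]

def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, interface) or None if no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, mask, nh, intf in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, nh, intf)
    return None if best is None else (best[1], best[2])

def egress_interface(routes, dst):
    hit = lookup(routes, dst)
    return None if hit is None else hit[1]

def vpn_peer_ok(routes, peer, termination_intf):
    """The condition behind '%ASA-6-110001: No route to <peer> from <local>':
    the peer must be routed out of the same interface that terminates the tunnel."""
    return egress_interface(routes, peer) == termination_intf

def add_static_route(routes, intf, net, mask, gateway):
    """Model of 'route <intf> <net> <mask> <gateway>' (assumed helper): refuses a
    gateway that is not on a directly connected subnet of <intf>."""
    gw = ipaddress.ip_address(gateway)
    on_link = any(
        nh is None and i == intf and gw in ipaddress.ip_network(f"{n}/{m}", strict=False)
        for n, m, nh, i in routes
    )
    if not on_link:
        raise ValueError(f"gateway {gateway} is not directly connected on {intf}")
    return routes + [(net, mask, gateway, intf)]

if __name__ == "__main__":
    print("before:", lookup(ROUTES, "217.37.180.46"))   # via 217.37.175.1, outside
    fixed = add_static_route(ROUTES, "backup", "217.37.180.46", "255.255.255.255", "88.96.81.98")
    print("after: ", lookup(fixed, "217.37.180.46"))    # via 88.96.81.98, backup
```

The same check explains why the reverse request in the thread cannot work: a /32 for the peer pointing at 217.37.175.1 on "backup" is rejected because that gateway is only on-link via "outside".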
