Route questions

Answered Question
Apr 17th, 2014

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.16.3 255.255.248.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.0.3 255.255.248.0

route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
route inside 172.16.0.0 255.255.248.0 172.16.16.1 1
route inside 172.20.0.0 255.255.248.0 172.16.16.1 1
route inside 172.22.0.0 255.255.248.0 172.16.16.1 1

Wouldn't the following statement's mask, route inside 172.16.0.0 255.255.248.0 172.16.16.1 1, also be encapsulated in the route outside? So do we need the inside route necessarily? Or is it possibly just a backup route in case the outside interface goes down?

Here is a sh route:

C    172.16.16.0 255.255.248.0 is directly connected, inside
C    172.16.0.0 255.255.248.0 is directly connected, outside
S    172.20.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S    172.22.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.0.1, outside

Reza Sharifi Thu, 04/17/2014 - 10:22

So do we need the inside route necessarily?  Or is it possibly just a backup route in case the outside int goes out?  

Yes, you need the inside routes as well. The inside routes cover the specific routes you need to get to, e.g. 172.20.0.0 255.255.248.0 and 172.22.0.0 255.255.248.0.

The outside route is needed to get to everything else.

HTH

emrinaldo Thu, 04/17/2014 - 10:29

Hi Reza,

I understand I need the inside routes but this one seems odd to me.

route inside 172.16.0.0 255.255.248.0 172.16.16.1 1

Wouldn't this already be covered in the mask of the outside route?

Reza Sharifi Thu, 04/17/2014 - 10:37

Hi,

Yes, it does, but specific routes take priority over the default route.

So, when you try to get to 172.16.0.0/21 there is a specific next hop in the routing table, which is 172.16.16.1; for everything else, the default route to outside is used.

HTH

Robert Falconer Thu, 04/17/2014 - 10:54

Emrinaldo,

A connected interface has the lowest administrative distance, preferred over a static route. That's why you'll always see them in the routing table, as long as the interface is connected.

172.16.0.0/21 is the subnet of your outside interface. It's always going to take preference over anything you try to do.

Why are you trying to route the outside subnet to an inside next-hop? That route will never get into the FIB.

Jan brings up a good question: what are you trying to do?
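
To make the administrative-distance argument above concrete, here is a small added example (my code, not from the thread and not Cisco code) that models how an ASA installs connected and static routes and then resolves a destination by longest-prefix match. It uses the poster's exact configuration. The administrative distances are the ASA defaults (connected 0, static 1); the Route class, the helper names (build_table, lookup, forwarded_via) and the show route style rendering are this example's own.

```python
"""Model of ASA route installation and lookup for the configuration in the thread.

Added example: not the poster's code and not Cisco's. Administrative distances
are the ASA defaults; all names here are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AD_CONNECTED = 0   # ASA default for a directly connected network
AD_STATIC = 1      # ASA default for 'route ...' without an explicit distance


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]   # None for a connected route
    distance: int


def connected(iface: str, addr: str, mask: str) -> Route:
    """Connected route implied by 'ip address <addr> <mask>' on an interface."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return Route(net, iface, None, AD_CONNECTED)


def static(iface: str, net: str, mask: str, next_hop: str, ad: int = AD_STATIC) -> Route:
    """Static route from a 'route <iface> <net> <mask> <next-hop> [ad]' line."""
    return Route(ipaddress.IPv4Network(f"{net}/{mask}"), iface, next_hop, ad)


def build_table(candidates: List[Route]) -> List[Route]:
    """Install one route per prefix: the lowest administrative distance wins.

    A candidate whose prefix is already installed with a lower distance is
    discarded, which is what happens to the poster's
    'route inside 172.16.0.0 255.255.248.0 172.16.16.1 1'.
    """
    installed: Dict[ipaddress.IPv4Network, Route] = {}
    for r in candidates:
        cur = installed.get(r.prefix)
        if cur is None or r.distance < cur.distance:
            installed[r.prefix] = r
    return list(installed.values())


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match over the installed table (the default route matches everything)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def show_route(table: List[Route]) -> List[str]:
    """Render the table in the spirit of 'show route' (format is this example's own)."""
    lines = []
    for r in sorted(table, key=lambda r: (-r.prefix.prefixlen, int(r.prefix.network_address))):
        net, mask = r.prefix.network_address, r.prefix.netmask
        if r.next_hop is None:
            lines.append(f"C    {net} {mask} is directly connected, {r.interface}")
        else:
            lines.append(f"S    {net} {mask} [{r.distance}/0] via {r.next_hop}, {r.interface}")
    return lines


# The poster's configuration, in the order it appears in the post.
CANDIDATES = [
    connected("inside", "172.16.16.3", "255.255.248.0"),
    connected("outside", "172.16.0.3", "255.255.248.0"),
    static("outside", "0.0.0.0", "0.0.0.0", "172.16.0.1"),
    static("inside", "172.16.0.0", "255.255.248.0", "172.16.16.1"),   # loses to the connected route
    static("inside", "172.20.0.0", "255.255.248.0", "172.16.16.1"),
    static("inside", "172.22.0.0", "255.255.248.0", "172.16.16.1"),
]
TABLE = build_table(CANDIDATES)


def forwarded_via(dst: str) -> Tuple[str, Optional[str]]:
    """(egress interface, next hop) the model would use for a destination."""
    r = lookup(TABLE, dst)
    return r.interface, r.next_hop


if __name__ == "__main__":
    print("\n".join(show_route(TABLE)))
    for dst in ("172.16.0.1", "172.16.5.9", "172.16.20.1", "172.20.1.1", "8.8.8.8"):
        print(f"{dst:<14} -> {forwarded_via(dst)}")
```

Running it reproduces the five entries of the poster's sh route output: the static for 172.16.0.0/21 toward 172.16.16.1 is never installed, so a packet for 172.16.0.1 leaves via the connected outside interface, while 172.20.0.0/21 and 172.22.0.0/21 still use the inside statics and anything else falls to the default.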

Jan Rolny Thu, 04/17/2014 - 10:43

Hi Emrinaldo,

I am not sure if I understand your question, but

172.16.0.0/21 is the range 172.16.0.1 - 172.16.7.254

and

172.16.16.0/21 has the range 172.16.16.1 - 172.16.23.254

So you want to route outside subnet (172.16.0.0/21) to inside ?

Please clarify what you want to do.

Thanks,

Jan

emrinaldo Thu, 04/17/2014 - 11:00

I'm just trying to figure out if there is an issue with our VPN. We are seeing quite a lot of ASA-6-106015 TCP Missing SYN Flag. A senior engineer looked at my config and recommended the following:

The firewall has two conflicting routes:   

1) route outside 0.0.0.0 0.0.0.0 172.16.0.1  

2) route inside 172.16.0.0 255.255.248.0 172.16.16.1.

172.16.0.1 (route to the world) is included in the 172.16.0.0 255.255.248.0 mask range and it routes to 172.16.16.1. I recommend removing the "route inside 172.16.0.0 255.255.248.0 172.16.16.1".

Having worked with ASAs for a couple of years, and being the paranoid person I am, I wanted a second opinion. My solution to the issue was to set up stateful TCP bypass, which seems to be more in line with the problem I'm seeing.

Sorry for the confusion I should have started with that.

Jon Marshall Thu, 04/17/2014 - 11:03

The firewall has two conflicting routes:   

1) route outside 0.0.0.0 0.0.0.0 172.16.0.1  

2) route inside 172.16.0.0 255.255.248.0 172.16.16.1.

these are not conflicting routes.

The issue is that the second route is not used because the firewall thinks that the entire range is connected to the outside interface.

Jon

Correct Answer
Robert Falconer Thu, 04/17/2014 - 11:10

Jon is right, those routes don't really conflict. A route for 172.16.0.0 255.255.248.0 will never get installed because it's directly connected.

I doubt you have a problem with your VPN specifically. If you are getting missing SYN flags, you probably have asymmetric routing happening. The ASA will expect the typical 3-way handshake from the source and destination.

TCP bypass will help with this but you should probably look at fixing the asymmetry instead, unless asymmetry is what you're trying to do.
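
The asymmetric-routing explanation in the answer above, as an added example (my code, not from the thread and not Cisco code): a toy model of the stateful TCP check behind the %ASA-6-106015 message the poster is seeing. A connection entry exists only if the firewall saw the flow's SYN; any later segment that matches no entry is dropped and logged. A flow matched by a TCP state bypass class skips that check, which is what the poster's workaround does and why it hides, rather than fixes, asymmetric routing. The hosts, ports and the bypass-by-host rule are constructed for the example, and the log text is modelled on the real syslog but generated here.

```python
"""Toy model of ASA stateful TCP inspection, asymmetric routing and TCP state bypass.

Added example: not the poster's code and not Cisco's. Addresses, ports and the
bypass rule (keyed by host IP for brevity) are constructed; the syslog text is
modelled on the real message but produced by this model.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

SYN, ACK = 0x02, 0x10


def flag_names(flags: int) -> str:
    return " ".join(n for bit, n in ((SYN, "SYN"), (ACK, "ACK")) if flags & bit)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    iface: str          # interface the segment arrived on


ConnKey = FrozenSet[Tuple[str, int]]


@dataclass
class StatefulFirewall:
    # Hosts whose flows are in a tcp-state-bypass class (assumption: keyed by IP for brevity).
    bypass_hosts: Set[str] = field(default_factory=set)
    conns: Set[ConnKey] = field(default_factory=set)
    syslog: List[str] = field(default_factory=list)

    @staticmethod
    def conn_key(s: Segment) -> ConnKey:
        # Direction-agnostic key so the reply matches the entry the SYN created.
        return frozenset({(s.src, s.sport), (s.dst, s.dport)})

    def process(self, s: Segment) -> str:
        key = self.conn_key(s)
        if s.flags & SYN and not s.flags & ACK:
            self.conns.add(key)            # a fresh SYN opens a connection entry
            return "permit"
        if key in self.conns:
            return "permit"                # part of a flow seen from the start
        if s.src in self.bypass_hosts or s.dst in self.bypass_hosts:
            return "permit"                # state bypass: no handshake verification
        self.syslog.append(
            f"%ASA-6-106015: Deny TCP (no connection) from {s.src}/{s.sport} "
            f"to {s.dst}/{s.dport} flags {flag_names(s.flags)} on interface {s.iface}")
        return "drop"


CLIENT, SERVER = "172.16.20.10", "10.0.0.5"   # constructed: inside host, remote server


def symmetric_flow() -> Tuple[List[str], List[str]]:
    """All three handshake segments traverse the firewall: nothing is denied."""
    fw = StatefulFirewall()
    verdicts = [
        fw.process(Segment(CLIENT, 40001, SERVER, 443, SYN, "inside")),
        fw.process(Segment(SERVER, 443, CLIENT, 40001, SYN | ACK, "outside")),
        fw.process(Segment(CLIENT, 40001, SERVER, 443, ACK, "inside")),
    ]
    return verdicts, fw.syslog


def asymmetric_flow(bypass: bool) -> Tuple[List[str], List[str]]:
    """The client's SYN left by a path the firewall never saw; only return traffic arrives here."""
    fw = StatefulFirewall(bypass_hosts={SERVER} if bypass else set())
    verdicts = [
        fw.process(Segment(SERVER, 443, CLIENT, 40002, SYN | ACK, "outside")),
        fw.process(Segment(SERVER, 443, CLIENT, 40002, ACK, "outside")),
    ]
    return verdicts, fw.syslog


if __name__ == "__main__":
    print("symmetric :", symmetric_flow())
    print("asymmetric:", asymmetric_flow(bypass=False))
    print("bypass    :", asymmetric_flow(bypass=True))
```

On a real ASA the workaround is a class in the policy map with set connection advanced-options tcp-state-bypass, which also switches off the TCP normalizer for that traffic; the model shows why the deny messages stop, and also why the better fix is to make the return path traverse the same firewall, as the answer says.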

emrinaldo Thu, 04/17/2014 - 11:18

Thank you all for the clarification. No, it's not. I don't have access to the upstream device it's connected to, unfortunately (or probably fortunately), but that static route was the only thing that looked a bit strange to me. Thanks again.
