Route questions

emrinaldo
Level 1

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.16.3 255.255.248.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.0.3 255.255.248.0

route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
route inside 172.16.0.0 255.255.248.0 172.16.16.1 1
route inside 172.20.0.0 255.255.248.0 172.16.16.1 1
route inside 172.22.0.0 255.255.248.0 172.16.16.1 1

Wouldn't the following statement's mask, route inside 172.16.0.0 255.255.248.0 172.16.16.1 1, also be encapsulated in the route outside? So do we need the inside route necessarily? Or is it possibly just a backup route in case the outside interface goes down?

Here is a sh route:

C    172.16.16.0 255.255.248.0 is directly connected, inside
C    172.16.0.0 255.255.248.0 is directly connected, outside
S    172.20.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S    172.22.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.0.1, outside

Accepted Solution

John is right, those routes don't really conflict. A route for 172.16.0.0 255.255.248.0 will never get installed because it's directly connected.

I doubt you have a problem with your VPN specifically. If you are getting missing SYN flags, you probably have asymmetric routing happening. The ASA will expect the typical 3-way handshake from the source and destination.

TCP bypass will help with this but you should probably look at fixing the asymmetry instead, unless asymmetry is what you're trying to do.
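The accepted solution points at asymmetric routing as the usual cause of ASA-6-106015. As an added example (not part of the thread, and not Cisco code), the script below parses the fixed-format 106015 syslog text and separates two things that share the message ID: late RST/FIN segments after a connection has aged out (normal noise) and ACK / SYN ACK / PSH ACK segments for which the ASA never saw a SYN, which is the signature of a path where only one direction of a TCP session crosses the firewall. Repeated missing-SYN events for the same host pair, especially seen on both interfaces, are the pairs to take to whoever owns the upstream routing. The log lines are constructed for illustration; only the message format is real.

```python
import re
from collections import Counter, defaultdict

# Message format of ASA syslog 106015 (fixed text). The addresses, ports and
# interface names in SAMPLE_LOG below are constructed for this example.
PATTERN = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<ifc>\S+)"
)

SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 172.20.1.10/51234 to 10.1.1.5/443 flags ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.5/443 to 172.20.1.10/51234 flags SYN ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 172.20.1.10/51236 to 10.1.1.5/443 flags PSH ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 172.22.4.7/40000 to 10.1.1.9/22 flags FIN ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 172.22.4.8/40001 to 10.1.1.9/22 flags RST  on interface inside
%ASA-6-302013: Built inbound TCP connection 12345 for outside:10.1.1.20/443 (10.1.1.20/443) to inside:172.20.1.11/50000 (172.20.1.11/50000)
"""


def parse_106015(line):
    """Return the fields of one 106015 message as a dict, or None for any other line."""
    m = PATTERN.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["flags"] = frozenset(event["flags"].split())
    return event


def classify(flags):
    """Split 106015 events into harmless teardown stragglers and true missing-SYN cases."""
    # A RST or FIN with no connection is normally a late segment after the idle timeout.
    if "RST" in flags or "FIN" in flags:
        return "teardown_noise"
    # Anything else (ACK, SYN ACK, PSH ACK ...) means the ASA never saw the SYN:
    # the other half of the handshake took a path around the firewall.
    return "missing_syn"


def summarize(lines, threshold=2):
    """Count event classes and return host pairs with >= threshold missing-SYN events."""
    pairs = defaultdict(lambda: {"count": 0, "interfaces": set()})
    classes = Counter()
    for line in lines:
        event = parse_106015(line)
        if event is None:
            continue
        kind = classify(event["flags"])
        classes[kind] += 1
        if kind != "missing_syn":
            continue
        # Unordered pair: both directions of the same session land on one key.
        key = frozenset((event["src"], event["dst"]))
        pairs[key]["count"] += 1
        pairs[key]["interfaces"].add(event["ifc"])
    suspects = {k: v for k, v in pairs.items() if v["count"] >= threshold}
    return classes, suspects


if __name__ == "__main__":
    classes, suspects = summarize(SAMPLE_LOG.splitlines())
    print("event classes:", dict(classes))
    for pair, info in suspects.items():
        hosts = " <-> ".join(sorted(pair))
        print(f"asymmetry suspect: {hosts}  events={info['count']}  "
              f"seen on {sorted(info['interfaces'])}")
```

Feed it real output from the ASA's syslog server instead of SAMPLE_LOG; a pair that shows up with a SYN ACK on one interface and ACKs on the other is the clearest evidence that the two directions of the flow are not both passing through the firewall.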

9 Replies

Reza Sharifi
Hall of Fame

So do we need the inside route necessarily? Or is it possibly just a backup route in case the outside int goes out?

Yes, you need the inside routes as well. The inside routes cover the specific routes you need to get to, e.g. 172.20.0.0 255.255.248.0 and 172.22.0.0 255.255.248.0.

the outside route is needed to get to everything else.

HTH

Hi Reza,

I understand I need the inside routes but this one seems odd to me.

route inside 172.16.0.0 255.255.248.0 172.16.16.1 1

Wouldn't this already be covered in the mask of the outside route?

Hi,

Yes, it does, but specific routes take priority over the default route.

So, when you try to get to 172.16.0.0/21 there is a specific next hop in the routing table, which is 172.16.16.1; for everything else, the default route to outside is used.

HTH
Emrinaldo,

A connected interface has the lowest administrative distance, preferred over a static route. That's why you'll always see them in the routing table, as long as the interface is connected.

172.16.0.0/21 is the subnet of your outside interface. It's always going to take preference over anything you try to do.

Why are you trying to route the outside subnet to an inside next hop? That route will never get into the FIB.

Jan brings up a good question, what are you trying to do?

Jan Rolny
Level 3

Hi Emrinaldo,

I am not sure I understand your question, but

172.16.0.0/21 is the range 172.16.0.1 - 172.16.7.254

and

172.16.16.0/21 has the range 172.16.16.1 - 172.16.23.254

So you want to route the outside subnet (172.16.0.0/21) to inside?

Please clarify what you want to do.

Thanks,

Jan

I'm just trying to figure out if there is an issue with our VPN. We are seeing quite a lot of ASA-6-106015 TCP Missing SYN Flag. A senior engineer looked at my config and recommended the following:

The firewall has two conflicting routes:

1) route outside 0.0.0.0 0.0.0.0 172.16.0.1

2) route inside 172.16.0.0 255.255.248.0 172.16.16.1

172.16.0.1 (route to the world) is included in the 172.16.0.0 255.255.248.0 mask range, and it routes to 172.16.16.1. I recommend removing the "route inside 172.16.0.0 255.255.248.0 172.16.16.1".

Having worked with ASAs for a couple of years, and being the paranoid person I am, I wanted a second opinion. My solution to the issue was to set up stateful TCP bypass, which seems to be more in line with the problem I'm seeing.

Sorry for the confusion I should have started with that.

The firewall has two conflicting routes:

1) route outside 0.0.0.0 0.0.0.0 172.16.0.1

2) route inside 172.16.0.0 255.255.248.0 172.16.16.1

These are not conflicting routes.

The issue is that the second route is not used because the firewall thinks that the entire range is connected to the outside interface.

Jon
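The replies above describe two separate steps of route selection: a directly connected route (administrative distance 0) beats a static route (distance 1) to the same prefix, so the disputed "route inside 172.16.0.0 255.255.248.0 172.16.16.1" is never installed; and among installed routes the longest matching prefix wins, so 172.20.0.0/21 goes via 172.16.16.1 while everything else falls to the default. The following is an added worked example, not part of the thread or of any Cisco software: a small model of both steps fed with the interface and static-route configuration posted at the top. The AD values follow the ASA/IOS defaults; the addresses are the thread's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

CONNECTED_AD = 0   # directly connected interface subnet
STATIC_AD = 1      # default administrative distance of a static route on ASA/IOS


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None marks a connected route
    interface: str
    ad: int


def make_route(prefix, next_hop, interface, ad):
    return Route(ipaddress.ip_network(prefix), next_hop, interface, ad)


def thread_candidates():
    """Connected subnets from the interface config plus the static routes as posted."""
    return [
        make_route("172.16.16.0/21", None, "inside", CONNECTED_AD),
        make_route("172.16.0.0/21", None, "outside", CONNECTED_AD),
        make_route("172.20.0.0/21", "172.16.16.1", "inside", STATIC_AD),
        make_route("172.22.0.0/21", "172.16.16.1", "inside", STATIC_AD),
        make_route("172.16.0.0/21", "172.16.16.1", "inside", STATIC_AD),  # the disputed route
        make_route("0.0.0.0/0", "172.16.0.1", "outside", STATIC_AD),
    ]


def build_rib(candidates):
    """Step 1: for each exact prefix, install only the lowest-AD candidate.

    Returns (installed routes, rejected routes). Two candidates for the same
    prefix compete on administrative distance, not on how they were configured.
    """
    rib = {}
    rejected = []
    for route in candidates:
        current = rib.get(route.prefix)
        if current is None:
            rib[route.prefix] = route
        elif route.ad < current.ad:
            rejected.append(current)
            rib[route.prefix] = route
        else:
            rejected.append(route)
    return list(rib.values()), rejected


def lookup(rib, destination):
    """Step 2: longest prefix match among installed routes; None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in rib if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def describe(route):
    """Render a route the way 'show route' prints it."""
    if route.next_hop is None:
        return f"C    {route.prefix} is directly connected, {route.interface}"
    return f"S    {route.prefix} [{route.ad}/0] via {route.next_hop}, {route.interface}"


if __name__ == "__main__":
    rib, rejected = build_rib(thread_candidates())
    print("installed:")
    for r in rib:
        print(" ", describe(r))
    print("not installed (lost to a lower AD for the same prefix):")
    for r in rejected:
        print(" ", describe(r))
    for dst in ("172.16.0.1", "172.16.20.9", "172.20.1.1", "8.8.8.8"):
        print(f"{dst:>12} -> {describe(lookup(rib, dst))}")
```

Running it reproduces the posted "sh route": five installed entries, the inside route for 172.16.0.0/21 in the rejected list, and 172.16.0.1 itself resolved through the connected outside subnet rather than through any static route.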

Thank you all for the clarification. No, it's not. I don't have access to the upstream device it's connected to, unfortunately (or probably fortunately), but that static route was the only thing that looked a bit strange to me. Thanks again.
