04-17-2014 08:51 AM - edited 03-07-2019 07:08 PM
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.16.3 255.255.248.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.0.3 255.255.248.0
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
route inside 172.16.0.0 255.255.248.0 172.16.16.1 1
route inside 172.20.0.0 255.255.248.0 172.16.16.1 1
route inside 172.22.0.0 255.255.248.0 172.16.16.1 1
Wouldn't the following statement's mask: route inside 172.16.0.0 255.255.248.0 172.16.16.1 1 also be encapsulated in the route outside? So do we need the inside route necessarily? Or is it possibly just a backup route in case the outside int goes out?
Here is a sh route:
C 172.16.16.0 255.255.248.0 is directly connected, inside
C 172.16.0.0 255.255.248.0 is directly connected, outside
S 172.20.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S 172.22.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.0.1, outside
04-17-2014 11:10 AM
John is right, those routes don't really conflict. A route for 172.16.0.0 255.255.248.0 will never get installed because it's directly connected.
I doubt you have a problem with your VPN specifically. If you are getting missing SYN flags, you probably have asymmetric routing happening. The ASA will expect the typical 3-way handshake from the source and destination.
TCP bypass will help with this but you should probably look at fixing the asymmetry instead, unless asymmetry is what you're trying to do.
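To go with the asymmetric-routing explanation above, an added example (not from the thread or from Cisco): a small Python parser for %ASA-6-106015 syslog lines that groups the no-connection denies by host pair, so repeated mid-stream packets between the same hosts (ACKs, or SYN/ACKs whose SYN the ASA never saw) stand out. The log lines are constructed samples in the documented 106015 message format; the addresses in them are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-6-106015 format (not taken from the thread).
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 172.20.1.10/51234 to 10.50.0.5/443 flags ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 172.20.1.10/51235 to 10.50.0.5/443 flags PSH ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 10.50.0.5/443 to 172.20.1.10/51236 flags SYN ACK on interface outside
%ASA-6-106015: Deny TCP (no connection) from 172.22.3.4/40000 to 10.60.0.9/22 flags ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 10.60.0.9/22 to 172.22.3.4/40001 flags ACK on interface outside
%ASA-6-106015: Deny TCP (no connection) from 172.22.3.4/40002 to 10.60.0.9/22 flags ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/3389 to 172.16.17.2/3389 flags ACK on interface outside
"""

# Field layout of the message: from src/port to dst/port flags <tcp flags> on interface <name>
PATTERN = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

def parse_106015(text):
    """Return one dict per 106015 line; the TCP flags become a list such as ['PSH', 'ACK']."""
    events = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            d = m.groupdict()
            d["flags"] = d["flags"].split()
            events.append(d)
    return events

def suspect_asymmetric_pairs(events, min_hits=2):
    """Count denies per unordered host pair. A pair that keeps producing mid-stream packets
    the ASA has no connection entry for (ACK, PSH/ACK, or a SYN/ACK whose SYN was never seen)
    is the classic sign that forward and return traffic take different paths. Returns only
    pairs seen at least min_hits times, keyed by the sorted (ip, ip) tuple."""
    counts = Counter()
    for e in events:
        pair = tuple(sorted([e["src"], e["dst"]]))
        counts[pair] += 1
    return {pair: n for pair, n in counts.items() if n >= min_hits}

if __name__ == "__main__":
    for pair, n in suspect_asymmetric_pairs(parse_106015(SAMPLE_LOG)).items():
        print(f"{pair[0]} <-> {pair[1]}: {n} no-connection denies")
```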
04-17-2014 10:22 AM
So do we need the inside route necessarily? Or is it possibly just a backup route in case the outside int goes out?
Yes, you need the inside routes as well. The inside routes cover the specific routes you need to get to, e.g. 172.20.0.0 255.255.248.0 and 172.22.0.0 255.255.248.0;
the outside route is needed to get to everything else.
HTH
04-17-2014 10:29 AM
Hi Reza,
I understand I need the inside routes but this one seems odd to me.
route inside 172.16.0.0 255.255.248.0 172.16.16.1 1
Wouldn't this already be covered in the mask of the outside route?
04-17-2014 10:37 AM
Hi,
Yes, it does, but specific routes take priority over the default route.
So, when you try to get to 172.16.0.0/21 there is a specific next hop in the routing table, which is 172.16.16.1; for everything else, the default route to outside is used.
HTH
04-17-2014 10:54 AM
Emrinaldo,
A connected interface has the lowest administrative distance, preferred over a static route. That's why you'll always see them in the routing table, as long as the interface is connected.
172.16.0.0/21 is the subnet of your outside interface. It's always going to take preference over anything you try to do.
Why are you trying to route the outside subnet to an inside next hop? That route will never get into the FIB.
Jan brings up a good question, what are you trying to do?
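The administrative-distance and longest-prefix behaviour described in this thread, as an added illustration (not Cisco's code or output): a small Python model of route installation and forwarding lookup built from the six routes in the posted config. Prefixes, distances and the C/S codes come from the thread; the destination addresses looked up at the bottom are constructed.

```python
import ipaddress

# Routes from the thread's config as (prefix, admin distance, next hop, interface, code).
# Connected routes (AD 0) come from the two VLAN interface addresses; the statics (AD 1)
# are the `route` lines. The third entry is the static the thread is asking about.
ROUTES = [
    ("172.16.16.0/21", 0, None, "inside", "C"),
    ("172.16.0.0/21", 0, None, "outside", "C"),
    ("172.16.0.0/21", 1, "172.16.16.1", "inside", "S"),   # same prefix as connected outside
    ("172.20.0.0/21", 1, "172.16.16.1", "inside", "S"),
    ("172.22.0.0/21", 1, "172.16.16.1", "inside", "S"),
    ("0.0.0.0/0", 1, "172.16.0.1", "outside", "S*"),
]

def install(routes):
    """Build the routing table: one entry per prefix, lowest administrative distance wins.
    A connected route (AD 0) therefore always beats a static (AD 1) for the same prefix."""
    table = {}
    for prefix, ad, next_hop, iface, code in routes:
        net = ipaddress.ip_network(prefix)
        if net not in table or ad < table[net]["ad"]:
            table[net] = {"ad": ad, "next_hop": next_hop, "iface": iface, "code": code}
    return table

def lookup(table, dst):
    """Longest-prefix match over the installed table, as the forwarding lookup does.
    Returns (prefix, next_hop, iface, code), or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [net for net in table if addr in net]
    if not candidates:
        return None
    best = max(candidates, key=lambda net: net.prefixlen)
    e = table[best]
    return (str(best), e["next_hop"], e["iface"], e["code"])

def show_route(table):
    """Render the table roughly like `show route`, most-specific prefixes first."""
    lines = []
    for net in sorted(table, key=lambda n: (-n.prefixlen, int(n.network_address))):
        e = table[net]
        via = "is directly connected" if e["next_hop"] is None else f"[{e['ad']}/0] via {e['next_hop']}"
        lines.append(f"{e['code']:2} {net.network_address} {net.netmask} {via}, {e['iface']}")
    return lines

if __name__ == "__main__":
    rib = install(ROUTES)
    print("\n".join(show_route(rib)))
    for dst in ("172.16.0.1", "172.20.5.9", "172.16.20.7", "198.51.100.1"):
        print(dst, "->", lookup(rib, dst))
```

The default route's next hop 172.16.0.1 resolves to the connected outside entry, which is why the static for the same prefix never shows up in the table.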
04-17-2014 10:43 AM
Hi Emniraldo,
I am not sure if I understand your question, but
172.16.0.0/21 is the range 172.16.0.1 - 172.16.7.254
and
172.16.16.0/21 has the range 172.16.16.1 - 172.16.23.254
So you want to route the outside subnet (172.16.0.0/21) to inside?
Please clarify what you want to do.
Thanks,
Jan
04-17-2014 11:00 AM
I'm just trying to figure out if there is an issue with our VPN. We are seeing quite a lot of ASA-6-106015 TCP Missing SYN Flag messages. A sr. engineer looked at my config and recommended the following:
The firewall has two conflicting routes:
1) route outside 0.0.0.0 0.0.0.0 172.16.0.1
2) route inside 172.16.0.0 255.255.248.0 172.16.16.1.
172.16.0.1 (route to the world) is included in the 172.16.0.0 255.255.248.0 mask range and it routes to 172.16.16.1. I recommend removing the "route inside 172.16.0.0 255.255.248.0 172.16.16.1".
Having worked with the ASAs for a couple of years and being the paranoid person I am, I wanted a second opinion. My solution to the issue was to set up stateful TCP bypass, which seems to be more in line with the problem I'm seeing.
Sorry for the confusion; I should have started with that.
04-17-2014 11:03 AM
The firewall has two conflicting routes:
1) route outside 0.0.0.0 0.0.0.0 172.16.0.1
2) route inside 172.16.0.0 255.255.248.0 172.16.16.1.
These are not conflicting routes.
The issue is that the second route is not used because the firewall thinks that the entire range is connected to the outside interface.
Jon
04-17-2014 11:18 AM
Thank you all for the clarification. No, it's not. I don't have access to the upstream device it's connected to, unfortunately (or probably fortunately), but that static route was the only thing that looked a bit strange to me. Thanks again.