Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA creates RRI routes even from deny crypto map ACLs


Has anybody seen the same? The ASA creates RRI routes even for deny statements of the crypto map ACL. :-) So if you have a s2s VPN tunnel and you want some traffic not to be sent over the tunnel you make deny statements within the crypto map ACL. But those deny statements create also static routes in the routing table.

So my ASA is attracting traffic with RRI which I explicitly do not want to have at the ASA.

Is that a documented feature?

How can it be disabled without disabling RRI?

  • Firewalling
Everyone's tags (8)
Super Bronze

Re: ASA creates RRI routes even from deny crypto map ACLs


Wouldnt you leave all the traffic that you dont want tunneled out of the list to begin with?

And just specify the list to match only the traffic that needs to use the tunnel?

I cant remember EVER using deny statements on a L2L VPN access-list

Can you elaborate your situation abit more with the access-list and networks/hosts involved in the setup.

- Jouni

This widget could not be displayed.