New Member

Interesting ASA problem -- duplicate IP & IPsec VPN remote access

I am running 8.0(2), look at the following output from ASA:

    ASA5500#sh interface gi0/0
    Interface GigabitEthernet0/0 "Outside", is up, line protocol is up
      Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
      Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
      MAC address 0018.b91b.55b6, MTU 1500
      IP address 205.3.164.1, subnet mask 255.255.255.224
      3421353595 packets input, 1734453023897 bytes, 10860859 no buffer
      Received 276528 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 6484383 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      1394329286 packets output, 279509809309 bytes, 0 underruns
      0 output errors, 0 collisions, 3 interface resets
      0 late collisions, 0 deferred
      0 input reset drops, 0 output reset drops
      input queue (curr/max packets): hardware (1/33) software (0/0)
      output queue (curr/max packets): hardware (0/95) software (0/0)
      Traffic Statistics for "Outside":
        3421137849 packets input, 1646043223864 bytes
        1394329411 packets output, 250264599199 bytes
        86153516 packets dropped
      1 minute input rate 3032 pkts/sec, 4145066 bytes/sec
      1 minute output rate 1579 pkts/sec, 85978 bytes/sec
      1 minute drop rate, 12 pkts/sec
      5 minute input rate 627 pkts/sec, 725869 bytes/sec
      5 minute output rate 389 pkts/sec, 41285 bytes/sec
      5 minute drop rate, 11 pkts/sec

    ASA5500# sh route
    <irrelevant routes snipped>
    O E2 205.3.164.1 255.255.255.255 [110/20] via 10.31.64.129, 0:40:47, Inside
    <snipped>

So I have 205.3.164.1/27 as the Outside interface IP address, and 205.3.164.1/32 is also learned from the internal network. Obviously this is a configuration mistake, no question about that.

Now here is my question: I happened to have this IP address for IPsec VPN remote access. When a connection request comes in to this IP address, shouldn't the ASA process it? In reality, it does not, but I want to understand what the ASA is doing. If this were a router, the CEF adjacency for this IP address would be receive, and the router would be able to process the incoming request correctly. How would the ASA behave differently?

1 REPLY
Silver

Re: Interesting ASA problem -- duplicate IP & IPsec VPN remote a

The ASA is learning the route for 205.3.264.1 from two different sources; this is different from having a VPN connection request. So the ASA is not taking this as a VPN request, but just as a route which is learned from a neighbour.
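
A check for the misconfiguration described in the question, as an added example that is not part of the original thread: it parses `show interface` and `show route` text and flags any learned route that covers the firewall's own interface address with a longer prefix than the connected subnet and points out a different interface. The function names are hypothetical, and the second route line in the sample is constructed.

```python
import ipaddress
import re

# Constructed sample: trimmed from the output quoted in the question; the
# second route line is made up to give the parser a non-matching case.
SHOW_INTERFACE = '''\
Interface GigabitEthernet0/0 "Outside", is up, line protocol is up
  MAC address 0018.b91b.55b6, MTU 1500
  IP address 205.3.164.1, subnet mask 255.255.255.224
'''
SHOW_ROUTE = '''\
O E2 205.3.164.1 255.255.255.255 [110/20] via 10.31.64.129, 0:40:47, Inside
O    10.31.0.0 255.255.0.0 [110/11] via 10.31.64.129, 0:40:47, Inside
'''

IP4 = r'\d+(?:\.\d+){3}'
IF_RE = re.compile(r'Interface \S+ "([^"]+)"')
IP_RE = re.compile(rf'IP address ({IP4}), subnet mask ({IP4})')
RT_RE = re.compile(
    rf'(\S+(?: \S+)?)\s+({IP4}) ({IP4}) \[\d+/\d+\] via ({IP4}),.*, (\S+)$')

def local_addresses(show_interface):
    """Map interface name -> IPv4Interface parsed from 'show interface' text."""
    addrs, name = {}, None
    for line in show_interface.splitlines():
        m = IF_RE.match(line.strip())
        if m:
            name = m.group(1)
            continue
        m = IP_RE.search(line)
        if m and name:
            addrs[name] = ipaddress.ip_interface(f'{m.group(1)}/{m.group(2)}')
    return addrs

def colliding_routes(show_interface, show_route):
    """Learned routes that cover a local interface address with a longer
    prefix than the connected subnet and point out a different interface."""
    findings = []
    local = local_addresses(show_interface)
    for line in show_route.splitlines():
        m = RT_RE.match(line.strip())
        if not m:
            continue
        code, net, mask, next_hop, out_if = m.groups()
        route = ipaddress.ip_network(f'{net}/{mask}', strict=False)
        for name, ifc in local.items():
            if (ifc.ip in route and route.prefixlen > ifc.network.prefixlen
                    and out_if != name):
                findings.append((name, str(ifc.ip), str(route), code, next_hop, out_if))
    return findings
```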
