Cisco Support Community
New Member

ipsec UDP reverse path check

Hi,

ASA running 8.2(5).

When VPN clients connect with an IPsec VPN client configured as a zero tunnel route (0.0.0.0/0), the ASA logs the below:

Deny UDP reverse path check from 192.168.200.47 to 192.168.11.200 on interface HOSTING

192.168.200.0/24 is the subnet from which the IPsec clients get an IP address when connecting.

192.168.11.200 is in this case the client's own local subnet. Is it expected that the ASA box will log these messages from the client's local subnet when it is connected with IPsec VPN and it is a zero tunnel configuration?

Interfaces and routes:

Current available interface(s):

  DATA-BACKUP     Name of interface Redundant1.10
  DMZ             Name of interface Redundant1.900
  GUEST           Name of interface Redundant1.990
  HOSTING         Name of interface Redundant1.100
  Infrastruktur   Name of interface Redundant1.20
  Intern          Name of interface Management0/0
  OUTSIDE-BACKUP  Name of interface Redundant1.998
  PHONE           Name of interface Redundant1.200
  SPECTRA-LAN     Name of interface Redundant1.50
  outside         Name of interface Ethernet0/3

Gateway of last resort is 1.2.3.4 to network 0.0.0.0

C    172.31.0.0 255.255.255.0 is directly connected, DMZ
S    192.168.200.46 255.255.255.255 [1/0] via 1.2.3.4, outside
S    192.168.200.47 255.255.255.255 [1/0] via 1.2.3.4, outside
S    VPN-hosting 255.255.255.0 [1/0] via 192.168.200.1, outside
C    93.167.197.80 255.255.255.240 is directly connected, outside
S    10.100.110.0 255.255.255.0 [1/0] via 10.100.110.1, outside
C    10.10.10.0 255.255.255.0 is directly connected, GUEST
C    10.100.100.0 255.255.255.0 is directly connected, Intern
S    10.100.101.0 255.255.255.0 [5/0] via 10.100.100.252, Intern
S    10.100.0.0 255.255.0.0 [10/0] via 10.100.100.252, Intern
C    10.200.100.0 255.255.252.0 is directly connected, PHONE
C    10.199.1.0 255.255.255.0 is directly connected, Infrastruktur
C    10.199.0.0 255.255.255.0 is directly connected, DATA-BACKUP
C    192.168.254.0 255.255.255.0 is directly connected, HOSTING
S*   0.0.0.0 0.0.0.0 [1/0] via 1.2.3.4, outside
S    192.168.0.0 255.255.0.0 [5/0] via 192.168.254.1, HOSTING

Regards

Robert

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

ipsec UDP reverse path check

Yes, because you don't configure split tunneling, all traffic, including the local VPN client subnet, will also be routed through the VPN tunnel. If your VPN client needs to access its own local LAN while connected to the VPN tunnel, then you would need to configure split tunneling.

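An added example (not configuration from the original thread or from Cisco) of what the split-tunnel change the accepted answer describes looks like on ASA 8.2. It assumes a group-policy named VPN-HOSTING-GP and a tunnel-group named VPN-HOSTING, both hypothetical names; the networks in the split-tunnel ACL are taken from the routing table posted above (HOSTING and DMZ connected subnets) purely for illustration. With tunnelspecified, only the listed destinations are sent into the tunnel, so the client's own LAN (192.168.11.0/24 in the post) stays local and the ASA never sees those packets, which is what stops the reverse-path-check denies.

```cisco
! Split-tunnel ACL: destinations that should go into the tunnel (assumed choice of subnets)
access-list SPLIT-TUNNEL standard permit 192.168.254.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 172.31.0.0 255.255.255.0

! Group policy applying the split-tunnel ACL (hypothetical policy name)
group-policy VPN-HOSTING-GP internal
group-policy VPN-HOSTING-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Bind the policy to the remote-access tunnel group (hypothetical group name)
tunnel-group VPN-HOSTING general-attributes
 default-group-policy VPN-HOSTING-GP

! Alternative if all traffic must still be tunnelled except the client's local LAN:
! use excludespecified with a host 0.0.0.0 entry and enable "Allow Local LAN Access"
! in the IPsec VPN client. Uncomment instead of the tunnelspecified lines above.
! access-list LOCAL-LAN standard permit host 0.0.0.0
! group-policy VPN-HOSTING-GP attributes
!  split-tunnel-policy excludespecified
!  split-tunnel-network-list value LOCAL-LAN

! Verification after the client reconnects
show running-config group-policy VPN-HOSTING-GP
show vpn-sessiondb remote
```

The ACL under tunnelspecified is a whitelist of remote destinations, so the wider it is, the more traffic leaves the client's local security context; keep it to the subnets the clients actually need rather than 192.168.0.0/16. The client must disconnect and reconnect to pick up a changed split-tunnel list.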
2 REPLIES

New Member

ipsec UDP reverse path check

Thanks.

Robert
