ISP Failover - Internet Access to ISP1 and VPN Traffic to ISP2

Patrick Werner
Level 1

Hi Community.

I've successfully set up ISP failover. Now all the traffic (internet and VPN) goes over ISP1, and if the connection to ISP1 fails it goes to ISP2.

But I'd like to have a different setup. All the internet traffic should go to ISP1 and all the VPN traffic should go to ISP2, but with failover functionality.

That means: if ISP1 fails, the internet traffic goes to ISP2. And if ISP2 fails, the VPN traffic goes to ISP1.

Is that possible?

Best Regards patrick


S    33.33.33.33 255.255.255.255 [2/0] via 212.12.12.12, OUT2

S*   0.0.0.0 0.0.0.0 [1/0] via 212.12.12.12, OUT1

I am wondering if the static route administrative distance is taking precedence over your 33.33.33.33 static route with an AD of 2, even though it is a more specific route.

Try setting the 33.33.33.33 static route to have an AD of 1:

route OUT2 33.33.33.33 255.255.255.255 211.11.11.9 1

You posted the correct config earlier...so I am not sure why it is showing up as 2.

--

Please remember to select a correct answer and rate helpful posts


Yeah, I am wondering the same.... how does it show a metric of 2 for a static route.... it should show 1/0.

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S    2.2.2.2 255.255.255.255 [1/0] via 20.0.0.1, out
C    20.0.0.0 255.255.255.0 is directly connected, out2
C    10.0.0.0 255.255.255.0 is directly connected, out
S*   0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, out
S    0.0.0.0 0.0.0.0 [255/0] via 20.0.0.1, out2
ciscoasa(config)#

Even in my lab it's showing 1/0....

But I doubt the behaviour of PPPoE here.....

Regards

Karthik

That was a typo. But if I change it to AD 1, it's the same.

I did a write erase and started the config over, but only with the relevant config. And I still have the same problem. Should I try to upgrade to the newest ASA software?

Yes, an upgrade of the software would be my next suggestion.

--

Please remember to select a correct answer and rate helpful posts


Hi Patrick,

I guess we need to tweak something related to the PPPoE.... you have one ISP with PPPoE and the other with Ethernet..... We need to get this clarified before we go with the OS upgrade option....

Regards

Karthik

I have even posted this query in the Ask the Expert discussion. Let's see how best we can solve this.

Regards

Karthik

Hi Karthik.

I did it like you instructed me to :-) And now I have the cryptos in the right order. But still the same problem: the VPN still goes out the wrong interface.

And guess what, if you write the config to the startup and reboot the ASA, the cryptos are again in the wrong order.

I'm now trying to change the nameif of OUT2 and OUT1.

I'm still thinking about a bug in the software.

Thanks, Patrick

So I changed the nameifs too. Now the VLANs look like this:

interface Vlan2
 description *** BACKUP ***
 no forward interface Vlan1
 nameif OUT2
 security-level 0
 pppoe client vpdn group pppoex
 ip address pppoe
!
interface Vlan3
 description *** OUTSIDE ***
 nameif OUT1
 security-level 0
 ip address 217.168.46.157 255.255.255.248


But still the same problem. The traceroute is fine, as it was before.

Traceroute to Internet over ISP1:

ciscoasa# traceroute 8.8.8.8

Type escape sequence to abort.
Tracing the route to 8.8.8.8

 1  213.3.243.154 10 msec 10 msec 20 msec
 2  213.3.246.110 10 msec 20 msec 20 msec
 3  195.186.0.74 10 msec 20 msec 20 msec
 4  195.186.0.74 10 msec 20 msec 20 msec
 5  138.187.129.143 10 msec 10 msec 10 msec
 6  138.187.130.108 10 msec 20 msec 20 msec
 7  72.14.222.46 10 msec 20 msec 20 msec
 8  72.14.232.120 20 msec
    66.249.94.52 30 msec 20 msec
 9  209.85.251.178 20 msec 30 msec
    72.14.234.237 20 msec
 10 209.85.254.112 20 msec
    209.85.254.114 20 msec 20 msec


Traceroute to VPN Peer over ISP2:

ciscoasa# traceroute 217.192.12.162

Type escape sequence to abort.
Tracing the route to 217.192.12.162

 1   *  *  *
 2  217.168.52.245 10 msec 20 msec 10 msec
 3  84.116.202.237 10 msec 30 msec 10 msec
 4  84.116.134.22 10 msec 10 msec 20 msec
 5  193.5.122.148 10 msec 10 msec 20 msec
 6  138.187.129.54 10 msec 10 msec 20 msec
 7  138.187.129.111 10 msec 20 msec 10 msec
 8  138.187.132.172 10 msec 10 msec 20 msec
 9  217.193.52.146 10 msec 10 msec 20 msec

But the VPN traffic still completely refuses to use ISP2 as the gateway.

Some more info: if I manually shut down Vlan2, then the VPN takes the right path.

Best regards Patrick

Hi Patrick,

Manually shutting down VLAN2 is something like shutting the ISP1 link which goes via PPPoE.

Yeah. I suggest you get a TAC case raised for this. Since I have limited options to do a lab on this setup, I shall try to suggest some more testing meanwhile to sort this out.

Can you try this? Please remove the tunnel parameters, break the VPN connection, and try doing a trace without having the VPN established between the sites..... trace towards a general internet IP as well as the peer IP.

This should shed some light on this issue.

Regards

Karthik

HTH


Regards

Karthik

Guys, thanks for your great support.

I think it's a bug, and I'll go do a TAC Case.

Best Regards Patrick

Guys, it wasn't a bug. It's just something special.

The TAC Engineer did a great job and found the solution.

We just missed that little route in our config:


route OUT1 10.41.16.0 255.255.252.0 217.168.46.153 1 track 1

For some reason the VPN traffic needs a dedicated route.

The whole set of route entries should look like this:

route OUT1 217.192.12.162 255.255.255.255 217.168.46.153 1 track 1
route OUT1 10.41.16.0 255.255.252.0 217.168.46.153 1 track 1
route OUT2 0.0.0.0 0.0.0.0 213.3.242.151 1 track 2
route OUT1 0.0.0.0 0.0.0.0 217.168.46.153 254
route OUT2 217.192.12.162 255.255.255.255 213.3.242.151 254
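
To see why that one route matters, here is an added Python model of the ASA's route selection (longest prefix match, then lowest administrative distance, with tracked routes withdrawn when their track is down) run over the five route lines above. It is not ASA code or anything from this thread; the assumption it rests on is that the interface chosen for the cleartext destination is the interface whose crypto map gets used, so encryption-domain traffic that only matches the default route leaves on the default-route interface. The host 10.41.17.5 is a constructed address inside the 10.41.16.0/22 encryption domain.

```python
"""Model of Cisco ASA egress selection for the thread's final route table.
Constructed example: longest prefix match, then lowest AD, with 'track'-ed
routes removed when the tracked SLA is down."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    gateway: str
    ad: int
    track: Optional[int] = None


def parse_route(line: str) -> Route:
    """Parse an ASA 'route <if> <net> <mask> <gw> <ad> [track <n>]' line."""
    t = line.split()
    assert t[0] == "route" and len(t) in (6, 8), line
    track = int(t[7]) if len(t) == 8 and t[6] == "track" else None
    return Route(t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}"), t[4], int(t[5]), track)


def best_route(routes: List[Route], dst: str,
               down_tracks: FrozenSet[int] = frozenset()) -> Optional[Route]:
    ip = ipaddress.ip_address(dst)
    # a route whose track object is down is withdrawn from the table
    cands = [r for r in routes if ip in r.prefix and r.track not in down_tracks]
    if not cands:
        return None
    # longest prefix wins; among equal prefixes the lowest AD wins
    return max(cands, key=lambda r: (r.prefix.prefixlen, -r.ad))


def egress(routes: List[Route], dst: str,
           down_tracks: FrozenSet[int] = frozenset()) -> Optional[str]:
    r = best_route(routes, dst, down_tracks)
    return r.iface if r else None


FINAL_CONFIG = """\
route OUT1 217.192.12.162 255.255.255.255 217.168.46.153 1 track 1
route OUT1 10.41.16.0 255.255.252.0 217.168.46.153 1 track 1
route OUT2 0.0.0.0 0.0.0.0 213.3.242.151 1 track 2
route OUT1 0.0.0.0 0.0.0.0 217.168.46.153 254
route OUT2 217.192.12.162 255.255.255.255 213.3.242.151 254
"""
ROUTES = [parse_route(l) for l in FINAL_CONFIG.splitlines()]
# the route TAC found missing, dropped here to reproduce the original symptom
WITHOUT_FIX = [r for r in ROUTES if str(r.prefix) != "10.41.16.0/22"]
```

With the fix, traffic to 10.41.17.5 leaves on OUT1 next to the peer; without it, it follows the default route to OUT2, and when track 1 goes down both the peer and the encryption domain fall back to OUT2 as intended.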


Hi Patrick,


Ohhh... even the encryption domain needs to be added in a static route.... but it's quite interesting why we need that.. Thanks for notifying this... It's good learning for me as well....

Regards

Karthik

The issue, as you have noticed, is not with the order in which it appears in the config...the only crypto config where order matters is the crypto maps.

This is a routing issue, as the admin distance of the static route pointing out OUT2 is higher than that of the default route...why that is could very well be a bug or something we are overlooking. I have also set up this config in my lab and do not have this problem. The only exception is that I did not have PPPoE set up.

--

Please remember to select a correct answer and rate helpful posts


Yeah, I agree with you, Marius... But it's just a try with the available options.... The earlier post was showing an incorrect admin distance due to a typo while modifying the actual information in the output..... In the recent post he clarified that it takes the admin distance of 1/0.... So that should not be the problem.....

sh route:

Gateway of last resort is 213.3.242.151 to network 0.0.0.0

C    172.30.140.0 255.255.255.0 is directly connected, INS1
S    217.192.12.162 255.255.255.255 [1/0] via 217.168.46.153, OUT2
C    217.168.46.152 255.255.255.248 is directly connected, OUT2
S*   0.0.0.0 0.0.0.0 [1/0] via 213.3.242.151, OUT1
