Cisco Support Community
Community Member

Route questions

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.16.3 255.255.248.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.0.3 255.255.248.0

route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
route inside 172.16.0.0 255.255.248.0 172.16.16.1 1
route inside 172.20.0.0 255.255.248.0 172.16.16.1 1
route inside 172.22.0.0 255.255.248.0 172.16.16.1 1


Wouldn't the following statement's mask: route inside 172.16.0.0 255.255.248.0 172.16.16.1 1 also be encapsulated in the route outside?  So do we need the inside route necessarily?  Or is it possibly just a backup route in case the outside int goes out?  

Here is a sh route:

C    172.16.16.0 255.255.248.0 is directly connected, inside
C    172.16.0.0 255.255.248.0 is directly connected, outside
S    172.20.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S    172.22.0.0 255.255.248.0 [1/0] via 172.16.16.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.0.1, outside

Accepted Solutions
Community Member

Jon is right, those routes don't really conflict. A route for 172.16.0.0 255.255.248.0 will never get installed because it's directly connected.

I doubt you have a problem with your VPN specifically. If you are getting missing SYN flags, you probably have asymmetric routing happening. The ASA will expect the typical 3-way handshake from the source and destination.

TCP bypass will help with this but you should probably look at fixing the asymmetry instead, unless asymmetry is what you're trying to do.
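The reply above links the ASA-6-106015 "Deny TCP (no connection)" messages to asymmetric routing rather than to the VPN. As an added example (not code from the thread, from Cisco or from any ASA feature), the following Python parses syslog lines in the %ASA-6-106015 format and groups the no-connection denies by flow and by the interface they arrived on. A steady run of ACK or SYN ACK segments denied on one interface for the same client/server pair is the footprint of a handshake whose other half took a path that bypassed the firewall, which is the condition the reply describes. The sample log lines are constructed for the example and are not from the poster's firewall.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-6-106015 message format.
# The addresses reuse the thread's subnets but the flows are invented.
SAMPLE_LOGS = """\
%ASA-6-106015: Deny TCP (no connection) from 172.20.1.10/49152 to 172.16.0.50/443 flags ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 172.20.1.10/49152 to 172.16.0.50/443 flags ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 172.16.0.50/443 to 172.22.4.7/51000 flags SYN ACK on interface outside
%ASA-6-106015: Deny TCP (no connection) from 172.16.0.50/443 to 172.22.4.7/51000 flags SYN ACK on interface outside
%ASA-6-106015: Deny TCP (no connection) from 172.16.0.50/443 to 172.22.4.7/51000 flags SYN ACK on interface outside
%ASA-6-302013: Built inbound TCP connection 12345 for outside:10.1.1.1/1234 (10.1.1.1/1234) to inside:172.20.1.20/22 (172.20.1.20/22)
"""

# Field layout of the 106015 message: from src/sport to dst/dport flags <flags> on interface <name>
PATTERN = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def parse_106015(text):
    """Return one dict per 106015 line; other message IDs are ignored."""
    events = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            events.append(m.groupdict())
    return events


def suspect_asymmetry(events, threshold=2):
    """Count no-connection denies per (src, dst, interface).

    Every 106015 is a mid-stream segment (ACK, SYN ACK, FIN, RST ...) for which the
    ASA holds no connection entry, i.e. it never saw the SYN that should have
    built the entry. Repeats for the same pair on the same interface, rather than
    a single stray packet, are what point at a routing asymmetry.
    """
    counts = Counter()
    for e in events:
        counts[(e["src"], e["dst"], e["iface"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (src, dst, iface), n in suspect_asymmetry(parse_106015(SAMPLE_LOGS)).items():
        print(f"{n} no-connection denies for {src} -> {dst} arriving on {iface}")
```

Run against a real export, the interface column is the useful part: denies on inside for traffic whose SYN should have gone out through the ASA mean the outbound SYN left by another path, while SYN ACKs denied on outside mean the return path is reaching this firewall for sessions it never opened.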

9 REPLIES
VIP Super Bronze

So do we need the inside route necessarily?  Or is it possibly just a backup route in case the outside int goes out?  

Yes, you need the inside routes as well. The inside routes cover the specific routes you need to get to, e.g. 172.20.0.0 255.255.248.0 and 172.22.0.0 255.255.248.0.

The outside route is needed to get to everything else.

HTH

Community Member

Hi Reza,

I understand I need the inside routes but this one seems odd to me.

route inside 172.16.0.0 255.255.248.0 172.16.16.1 1

Wouldn't this already be covered in the mask of the outside route?

VIP Super Bronze

Hi,

Yes, it does, but specific routes take priority over default route.

So, when you try to get to 172.16.0.0/21 there is a specific next hop in the routing table, which is 172.16.16.1; for everything else, use the default to outside.

HTH
Community Member

Emrinaldo,

A connected interface has the lowest administrative distance, preferred over a static route. That's why you'll always see them in the routing table, as long as the interface is connected.

172.16.0.0/21 is the subnet of your outside interface. It's always going to take preference over anything you try to do.

Why are you trying to route the outside subnet to an inside next-hop? That route will never get into the FIB.

Jan brings up a good question, what are you trying to do?
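The two replies above make two separate points: Reza's, that a more specific prefix beats the default route, and this one's, that a connected route has a lower administrative distance than a static and so is the one installed. As an added example (not the ASA's code and not from anyone in the thread), the following Python models both rules over the routing table from the original post. The routes and the distances are taken from the config and the `sh route` output; the `down_interfaces` parameter is an assumption added to model what happens when an interface loses link, which is the "backup route" case the original question asked about.

```python
import ipaddress

# Constructed model of the routing table from the thread:
# (prefix, next hop, interface, administrative distance).
# Connected routes get AD 0; the static routes were entered with AD 1.
ROUTES = [
    ("172.16.16.0/21", None,          "inside",  0),  # C  directly connected (Vlan1)
    ("172.16.0.0/21",  None,          "outside", 0),  # C  directly connected (Vlan2)
    ("172.16.0.0/21",  "172.16.16.1", "inside",  1),  # S  the static route in question
    ("172.20.0.0/21",  "172.16.16.1", "inside",  1),  # S
    ("172.22.0.0/21",  "172.16.16.1", "inside",  1),  # S
    ("0.0.0.0/0",      "172.16.0.1",  "outside", 1),  # S* default route
]


def build_rib(routes, down_interfaces=()):
    """Install at most one entry per prefix, keeping the lowest administrative
    distance, so a connected route beats a static for the same prefix.

    Skipping routes on a down interface is an assumption of this model: it
    stands in for the connected route (and any static pointing out of that
    interface) being withdrawn when the interface loses link.
    """
    rib = {}
    for prefix, next_hop, iface, ad in routes:
        if iface in down_interfaces:
            continue
        net = ipaddress.ip_network(prefix)
        current = rib.get(net)
        if current is None or ad < current["ad"]:
            rib[net] = {"next_hop": next_hop, "iface": iface, "ad": ad}
    return rib


def show_route(rib):
    """Render the installed table roughly the way 'show route' prints it."""
    lines = []
    for net, e in sorted(rib.items(), key=lambda kv: kv[0].prefixlen, reverse=True):
        if e["ad"] == 0:
            lines.append(f"C    {net} is directly connected, {e['iface']}")
        else:
            code = "S*" if net.prefixlen == 0 else "S "
            lines.append(f"{code}   {net} [{e['ad']}/0] via {e['next_hop']}, {e['iface']}")
    return lines


def route_decision(dst, routes=ROUTES, down_interfaces=()):
    """Longest-prefix match over the installed table: the most specific prefix
    wins, so a /21 beats the /0 default even though the default also covers it.
    Returns (prefix, interface, next hop) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, e in build_rib(routes, down_interfaces).items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, e)
    if best is None:
        return None
    net, e = best
    return (str(net), e["iface"], e["next_hop"])


if __name__ == "__main__":
    for line in show_route(build_rib(ROUTES)):
        print(line)
    for dst in ("172.16.0.1", "172.20.5.5", "8.8.8.8"):
        print(dst, "->", route_decision(dst))
    # With outside down, the otherwise-hidden static for 172.16.0.0/21 via
    # 172.16.16.1 is the entry that gets installed.
    print("outside down:", route_decision("172.16.0.5", down_interfaces={"outside"}))
```

With all interfaces up the rendered table has five entries, matching the poster's `sh route`: the static `route inside 172.16.0.0 255.255.248.0 172.16.16.1` loses to the connected route on outside and never appears. Only when outside is modelled as down does that static get installed, which is the sense in which it acts as a backup.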

Bronze

Hi Emniraldo,

I am not sure if I understand your question, but

172.16.0.0/21 is range 172.16.0.1 - 172.16.7.254

and

172.16.16.0/21 has range 172.16.16.1 - 172.16.23.254

So you want to route the outside subnet (172.16.0.0/21) to inside?

Please clarify what you want to do.

Thanks,

Jan

Community Member

I'm just trying to figure out if there is an issue with our VPN.  We are seeing quite a lot of ASA-6-106015 TCP Missing SYN Flag.  A sr. engineer looked at my config and recommended the following:

The firewall has two conflicting routes:   

1) route outside 0.0.0.0 0.0.0.0 172.16.0.1  

2) route inside 172.16.0.0 255.255.248.0 172.16.16.1.

172.16.0.1(route to the world) is included in the  172.16.0.0 255.255.248.0 mask range and its routes to 172.16.16.1. I recommend removing the “route inside 172.16.0.0 255.255.248.0 172.16.16.1”. 

Having worked with the ASAs for a couple of years and being the paranoid person I am, I wanted a second opinion. My solution to the issue was to set up stateful TCP bypass, which seems to be more in line with the problem I'm seeing.

Sorry for the confusion I should have started with that.

Hall of Fame Super Blue

The firewall has two conflicting routes:   

1) route outside 0.0.0.0 0.0.0.0 172.16.0.1  

2) route inside 172.16.0.0 255.255.248.0 172.16.16.1.

These are not conflicting routes.

The issue is that the second route is not used because the firewall thinks that the entire range is connected to the outside interface.

Jon

Community Member

Thank you all for the clarification. No, it's not. I don't have access to the upstream device it's connected to, unfortunately (or probably fortunately), but that static route was the only thing that looked a bit strange to me. Thanks again.
