03-17-2014 10:27 AM
03-17-2014 10:36 AM
So you're saying that despite having the IPSec SA for:
Traffic from 10.156.114.160/28 is not being sent through the tunnel to 10.5.32.0/29?
Post the routing table. Is the 10.5.32.0/29 prefix in there?
Maybe you need RRI?
crypto dynamic-map home_vpn_map 301 set reverse-route
03-17-2014 10:49 AM
Correct.
No, the prefix is not in the routing table:
Gateway of last resort is 70.X.X.X to network 0.0.0.0
C 70.X.X.X 255.255.255.224 is directly connected, mrs_internet
C 10.156.151.64 255.255.255.248 is directly connected, cloud_wan
S 10.156.114.160 255.255.255.240 [1/0] via 10.156.151.65, cloud_wan
C 10.156.114.128 255.255.255.224 is directly connected, management
S* 0.0.0.0 0.0.0.0 [1/0] via 70.X.X.X, mrs_internet
I tried RRI, did not work.
03-17-2014 11:01 AM
Try the RRI again. Remove the crypto map from the interface and apply it again.
Something is not allowing the ASA to create the static route.
03-17-2014 01:04 PM
I cannot remove the crypto map from the interface because I have too many production VPNs on the appliance. I reapplied RRI and it is getting in the route table, no change in traffic though:
C 70.X.X.X 255.255.255.224 is directly connected, mrs_internet
S 10.5.32.0 255.255.255.248 [1/0] via 70.X.X.X, mrs_internet
C 10.156.151.64 255.255.255.248 is directly connected, cloud_wan
S 10.156.114.160 255.255.255.240 [1/0] via 10.156.151.65, cloud_wan
C 10.156.114.128 255.255.255.224 is directly connected, management
S* 0.0.0.0 0.0.0.0 [1/0] via 70.X.X.X, mrs_internet
03-17-2014 05:06 PM
Opened a TAC case, we'll see if I can get anywhere with them.