EasyVPN on ASA clients /32 loopback missing static route

Hello,

I have an ASA5520 that is set up as an EasyVPN server. When my client connects, all the IPSEC SAs are created and the static routes appear on my ASA, except for my loopback interface when configured with a /32 IP. If I use a /24 everything works.

Client Lo0 config that does not get a static route created on the ASA:

interface Loopback0
 ip address 172.31.254.1 255.255.255.255
 crypto ipsec client ezvpn MYGROUP inside
end

Output on the ASA:

show route | i [.]254
S    10.254.100.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.80.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.60.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.40.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.20.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.10.0 255.255.255.0 [1/0] via [myasaip], outside

When I change the Lo0 interface and use a /24, the static route does get created.

interface Loopback0
 ip address 172.31.254.1 255.255.255.0
 crypto ipsec client ezvpn MYGROUP inside
end

Output on the ASA after making the loopback a /24:

show route | i [.]254
S    172.31.254.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.100.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.80.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.60.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.40.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.20.0 255.255.255.0 [1/0] via [myasaip], outside
S    10.254.10.0 255.255.255.0 [1/0] via [myasaip], outside

The appropriate SA is created in both cases.

  Crypto map tag: mymap, seq num: ##, local addr: [myasaip]
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.254.0/255.255.255.0/0/0)

I'm just curious why it might be acting like this.

Thanks.
