Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

L2L static routes stuck in the ASA routing table.


I'm configuring an ASA V8.2(1) with remote access and L2L IPSec tunnel groups.

I configured inverse route injection to all of them, and i see this behaviour:

When a remote client or L2L establishes an IPSec tunnel, an static route with the remote subnet comes in the ASA routing table. But unlike the remote clients, (in which the static route vanishes as soon as the tunnel disconnects), in the case of L2L tunnels the static route gets stuck endlessly in the ASA routing table despite the L2L disconnection. This route persistence poses a design problem for me:

An organization plans to deploy two ASA, each one in different Data Centers with different global ip addresses. The L2L remote routers will also include the two IP address of both ASA so that they will connect recursively to the second IP in case of failure of the first one, providing thereby high availability.

To make it work, every ASA should announce by OSPF to the intranet the L2L learnt static routes by redistributing them.

But If the ASA of the first data center ceases to get internet access due to an ISP problem or whatever, it will keep announcing by OSPF the stuck static routes learned from previous L2L sessions, leading to a routing failure because two ASA would announce the same L2L routes.

Does somebody have any suggestion ot overcome this problem ?

Kind regards.


Re: L2L static routes stuck in the ASA routing table.

I don't have my copy in from of me, but the following book is good at design considerations with VPNs-

Hope it helps.

New Member

Re: L2L static routes stuck in the ASA routing table.

I post my self answer to my problem just for reference to anyone else.


The L2L tunnels in the ASA were defined as "bidirectional":

They should be defined as Answer-only. Conversely, the remote routers should be configured as originate-only.

When in Answer-only, the ASA boxes remove the reverse injection static route from the routing table as soon as the remote L2L disconnects.

(If in "bidirectional" the remote route stucks in the ASA routing table forever since the first time the tunnel is established)