Cisco Support Community
Community Member

Redistributing dynamically created routes for vpn users into OSPF or EIGRP

Hello, community!

I'm working on what seems to be a simple task and i'm sad to admin but i need your help.

I have ASA5505 (running 9.0.3 software) which provides remote access to all kind of inside resources of the company where i currently work. As remote user gets connected ASA puts what seems to be a static route into routing table with /32 mask. My initial plan was to redistribute these routes into OSPF or EIGRP to send over to the core switch, but something is not right either with my plan or my implementation.


Let's say i decided to go with EIGRP (of course), here is what i do:


  • i create prefix list which would describe all possible routes for vpn users:

prefix-list VPN-USERS permit ge 32

  • i create route-map to match on this prefix-list:

route-map VPN-REDIST per 10

match ip add prefix-list VPN-USERS

  • i redistribute dynamic "static" routes into EIGRP while allowing only specific prefixes

router eigrp 100

redistribute static route-map VPN-REDIST metric 10000 1000 255 1 1500


Well, guess what? That doesn't work. Although redistribution works for other real static routes that i have configured on ASA if i remove route-map from redistribution, these vpn routes fail to be sent over to the core switch.

Any thoughts?

Best regards, Arseniy S. Ivanov
Everyone's tags (5)
Cisco Employee

A more efficient way (and

A more efficient way (and saving amount of prefixes) is to advertise a summary route for your local IP pools. 

Try with ACL instead of prefix-list too, just in case :-)

Community Member

I sort of solved the problem

I sort of solved the problem by creating static route on the core switch, which is more then o'k with me, it's just i wanted to know what's wrong with redistributing these /32s. :)

Best regards, Arseniy S. Ivanov
Cisco Employee

Well for starters:https:/

Well for starters:

hence I suggested using ACLs ;]

Community Member

just tried. negative.asa-vpn#

just tried. negative.


Checking ACL

asa-vpn# show access-list VPN-CLIENTS
access-list VPN-CLIENTS; 1 elements; name hash: 0x1d86a566
access-list VPN-CLIENTS line 1 standard permit (hitcnt=0) 0x5ab80128


Checkig route-map

asa-vpn# show route-map VPN_CLIENTS
route-map VPN_CLIENTS, permit, sequence 10
  Match clauses:
    ip address (access-lists): VPN-CLIENTS 
  Set clauses:


Checking EIGRP config

asa-vpn# show run router ei   
router eigrp 100
 eigrp router-id
 redistribute static metric 100000 1000 255 1 1500 route-map VPN_CLIENTS


Checking EIGRP neighbors

asa-vpn# show eigrp nei
EIGRP-IPv4 neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0             Vl16             12  00:07:57 1    200   0   1


Checking vpn routes

asa-vpn# show route outside              

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is to network

S [1/0] via, outside


Checking EIGRP topology

asa-vpn# show eigrp topo

EIGRP-IPv4 Topology Table for AS(100)/ID(

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status 

P, 1 successors, FD is 28160
        via Connected, Vlan16


as soon as i do:

asa-vpn(config)# route outside 


in the topology we get

asa-vpn(config)# show ei topo        

EIGRP-IPv4 Topology Table for AS(100)/ID(

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status 

P, 1 successors, FD is 28160
        via Connected, Vlan16
P, 1 successors, FD is 281600
        via Rstatic (281600/0)



sure enough this route is being propagated properly:

swCore(config-router)#do show ip route ei is variably subnetted, 2 subnets, 2 masks
D EX [170/281856] via, 00:01:31, Vlan16


Regarding 8.2 bug, well... i would hope this is fixed by now :)

Best regards, Arseniy S. Ivanov
Cisco Employee

It's a doc bug :-)

It's a doc bug :-)

CreatePlease to create content