This is probably a very simple question to answer. Are there supposed to be routes added to the ASA routing table for networks on a site-to-site VPN? I set an L2L VPN up in the lab and I am not seeing this happen. Traffic flows between the two networks correctly, but I expected to see new routes pointing at my default gateway.
Thanks for the quick reply. It was actually another engineer that told me I should see new static routes to the VPN subnets set on the outside interface, with the outside interface's next hop. I want to determine for myself if this is the expected behavior or if it requires some kind of reverse route injection.
From my testing so far I have not seen such routes. Would you happen to know which behavior is expected, or be able to point me to some documentation that would detail that?
Note: Assume the VPN tunnel is established by a remote mobile user, and 192.168.105.1 is the IP address assigned by the ASA.
ASA Routing Table
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
S 192.168.105.1 255.255.255.255 [1/0] via 172.16.1.1, outside
C 192.168.212.0 255.255.255.0 is directly connected, insi
C 172.16.1.0 255.255.255.0 is directly connected, outside
S 10.5.5.0 255.255.255.0 [1/0] via 172.16.1.1, outside
O 10.2.2.1 255.255.255.255 [110/11] via 192.168.212.3, 2:09:24, insi
O 10.1.1.1 255.255.255.255 [110/11] via 192.168.212.2, 2:09:24, insi
Tip: Even if RRI is not configured, the static route of the connected client is injected into the routing table of the VPN server (ASA/PIX). However, it is not redistributed to the internal router, which runs dynamic routing protocols, such as OSPF, EIGRP (if you run ASA 8.0).
So it seems that in the case where you are running a routing protocol between the ASA and some router, you would have to enable RRI for the VPN Client as well.
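For reference, here is what the RRI and redistribution configuration described above looks like on an ASA. This is an added example, not configuration posted by anyone in this thread: the crypto map name outside_map, the dynamic map name DYN_MAP, the ACL name L2L_ACL, the transform set name ESP-AES-SHA, the OSPF process number and the peer address 203.0.113.10 are all assumptions; the interface names and the 192.168.212.0/24, 10.5.5.0/24 and 172.16.1.1 addresses follow the routing table output shown above.

```cisco
! Added example (not from the thread). Names outside_map, DYN_MAP, L2L_ACL,
! ESP-AES-SHA and OSPF process 1 are assumptions; 203.0.113.10 is a placeholder peer.

! Remote-access side: inject a /32 host route for each connected VPN client
! (the S 192.168.105.1/32 route seen in the output above).
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic DYN_MAP

! Site-to-site side: the ASA also accepts set reverse-route on a static crypto
! map entry, which injects the remote protected network (10.5.5.0/24 here).
access-list L2L_ACL extended permit ip 192.168.212.0 255.255.255.0 10.5.5.0 255.255.255.0
crypto map outside_map 10 match address L2L_ACL
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside

! Without this step the injected routes stay local to the ASA: hand the RRI
! static routes to the internal OSPF neighbours on the inside segment.
router ospf 1
 network 192.168.212.0 255.255.255.0 area 0
 redistribute static subnets

! Verification on the ASA and on an inside router: the injected entries appear
! as "S ... via 172.16.1.1, outside" on the ASA and as O E2 routes downstream.
show route
show crypto ipsec sa
```

Note that the injected routes point at the outside interface's next hop (172.16.1.1) exactly as the other engineer described; they exist only while the corresponding security association is up, so a tunnel that drops also withdraws the route from OSPF, which is a useful thing to alert on.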
Re: VPN networks added to routing table ASA 5505's
Alan is running L2L or site-to-site VPN, and RRI is not working with site-to-site; it's purely a feature of Remote Access VPN. In site-to-site VPN both VPN sites follow their own static or default route to communicate with each other.
Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs Open Shortest Path First (OSPF) protocol or Routing Information Protocol (RIP) for remote VPN Clients or LAN-to-LAN sessions.
Here is also one discussion where I specifically tested this for a user.