I have an "as needed" L2L VPN on a Cisco ASA, but when the VPN is down, it causes a routing loop.
i.e.
VPN UP:
1. Traffic to 172.16.1.1 (remote) gets to core and has a route to ASA-FW
2. Traffic is sent to ASA-FW and routed over VPN via crypto map
VPN DOWN:
1. Traffic to 172.16.1.1 (remote) gets to core and has a route to ASA-FW
2. Traffic is sent to ASA-FW and has a less specific route for 172.16.1.1 back to core
3. Traffic is sent back to core which again has route to ASA-FW (loop)
I think my best solution here is to add a Null0 route on the ASA-FW for the remote subnet (172.16.1.0/24), but there seems to be some confusion as to what that would actually do.
I've read that routing is decided first, and then if the next hop is part of a crypto-map, it will then decide to encrypt or not. But if that's true, wouldn't it see the route to Null0 and drop it before any crypto-map processing?
What should happen if I add this Null0 route? Is there a better solution? Thank you.
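The loop described in the question, walked through with a small longest-prefix-match forwarding simulator. This is an added example, not part of the original post and not Cisco code: it models the ordering the question asks about (route lookup first, then the crypto map on the chosen egress interface) and does not claim to reproduce the ASA's real forwarding logic. The routing tables are constructed: the ASA is assumed to carry a tunnel route for 172.16.1.0/24 out "outside" only while the VPN is up, a less specific 172.16.0.0/16 route back to the core, and a default route; the core carries only the 172.16.1.0/24 route toward the ASA. None of those prefixes or the device names "core" and "asa" come from the question.

```python
import ipaddress


class Device:
    """A router/firewall with a static routing table and an optional crypto map.

    Next hops are another device name, "Null0", or an egress interface name.
    """

    def __init__(self, name, routes, crypto_acl=(), crypto_iface=None, vpn_up=False):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.crypto_acl = [ipaddress.ip_network(n) for n in crypto_acl]  # "interesting traffic"
        self.crypto_iface = crypto_iface
        self.vpn_up = vpn_up

    def lookup(self, dst):
        """Return every route sharing the longest matching prefix (normally one)."""
        hits = [(net, nh) for net, nh in self.routes if dst in net]
        if not hits:
            return []
        best = max(net.prefixlen for net, _ in hits)
        return [h for h in hits if h[0].prefixlen == best]


def forward(devices, start, dst, max_hops=8):
    """Walk one packet through the topology; return (outcome, list of hops)."""
    dst = ipaddress.ip_address(dst)
    node, path = start, []
    for _ in range(max_hops):
        dev = devices[node]
        path.append(node)
        hits = dev.lookup(dst)
        if not hits:
            return "no-route", path
        if len(hits) > 1:
            # Two routes of equal length: the model does not decide platform tie-breaking.
            return "ambiguous-equal-prefix", path
        net, nh = hits[0]
        if nh == "Null0":
            # Routing decided first: a Null0 next hop never reaches any crypto map.
            return "dropped-null0", path
        if nh in devices:
            node = nh  # hand the packet to the next device
            continue
        # nh is an egress interface; only now does the crypto map on it get a say.
        if nh == dev.crypto_iface and any(dst in n for n in dev.crypto_acl):
            return ("encrypted-via-vpn" if dev.vpn_up else "crypto-match-no-sa"), path
        return "forwarded-cleartext-" + nh, path
    return "loop", path  # hop budget exhausted bouncing between devices


def build(vpn_up, asa_null_route):
    """Constructed topology from the question (all prefixes are assumptions)."""
    asa_routes = [
        ("0.0.0.0/0", "outside"),      # default route toward the internet
        ("172.16.0.0/16", "core"),     # less specific route back to the core
    ]
    if vpn_up:
        asa_routes.append(("172.16.1.0/24", "outside"))  # assumed tunnel route, present only while up
    if asa_null_route:
        asa_routes.append(("172.16.1.0/24", "Null0"))    # the proposed black-hole route
    return {
        "core": Device("core", [("172.16.1.0/24", "asa")]),
        "asa": Device("asa", asa_routes, crypto_acl=["172.16.1.0/24"],
                      crypto_iface="outside", vpn_up=vpn_up),
    }


def scenario(vpn_up, asa_null_route, dst="172.16.1.1"):
    return forward(build(vpn_up, asa_null_route), "core", dst)


if __name__ == "__main__":
    for up in (True, False):
        for null in (False, True):
            outcome, path = scenario(up, null)
            print(f"vpn_up={up!s:5} null0={null!s:5} -> {outcome:24} path={' > '.join(path)}")
```

With the VPN down and no Null0 route the packet bounces core > asa > core > asa until the hop budget runs out, which is the loop from the question; with the Null0 route it is dropped at the ASA before the crypto map is ever consulted. The VPN-up case with the Null0 route comes out as "ambiguous-equal-prefix": in this model the tunnel route and the black-hole route are both /24, so which one wins depends on how the platform prefers between them, and that is exactly the point the question is unsure about. The model does not settle it.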