Cisco Bug: CSCvs59056 - ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled

Last Modified

Jun 15, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

  • 9.12(1.7)
  • 9.9(2)

Description (partial)

Symptom:
1) VPN users are unable to reach certain services behind the firewall.

2) Packets are dropped with the ASP drop reason "no-adjacency". This can be confirmed with a packet capture that has trace enabled, as in the following output.

# show cap
capture vpn type raw-data trace interface outside include-decrypted [Capturing - 188 bytes]
  match ip any host 192.168.20.150


Phase: 21
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc  dmz

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency

Conditions:
1) Remote users or VPN tunnels terminate on the ASA or FTD acting as headend.

2) Traffic arriving from the VPN tunnel is forwarded out of an interface different from the one preferred by the routing table, for example because of a NAT rule without the route-lookup keyword.

nat (dmz,outside) source static 192.168.20.0-net 192.168.20.0-net destination static RAVPN RAVPN

3) A tunneled static route exists for the destination interface while the routing table already holds a more specific entry for the destination.

S        192.168.20.0 255.255.255.0 [1/0] via 192.168.2.11,  inside
S    0.0.0.0 0.0.0.0 [255/0] via 192.168.1.11, dmz tunneled

4) A floating-conn timeout is configured (disabled by default, value 0:0:0).

timeout floating-conn 0:00:30
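As an added defensive check (not part of the bug record or Cisco's own tooling), the Python below parses "show capture ... trace" output like the excerpt above and flags the signature these conditions produce: a SUBOPTIMAL-LOOKUP phase that redoes the route lookup on another interface, followed by a no-adjacency drop. The sample trace is constructed from the excerpt, and the function names are my own.

```python
import re

# Constructed sample, abbreviated from the "show capture ... trace" output quoted
# in the bug description: the SUBOPTIMAL-LOOKUP phase and the final Result block.
SAMPLE_TRACE = """\
Phase: 21
Type: SUBOPTIMAL-LOOKUP
Result: ALLOW
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc  dmz

Result:
input-interface: outside
output-interface: dmz
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
"""

def parse_trace(text):
    """Split trace output into per-phase dicts and the final Result block."""
    phases, final, current = [], {}, None
    for line in map(str.rstrip, text.splitlines()):
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "info": []}
            phases.append(current)
        elif line == "Result:":          # bare "Result:" opens the final block
            current = final
        elif current is None or not line:
            continue
        elif ":" in line:                # "Key: value" line (value may be empty)
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
        else:                            # free-text detail inside a phase
            current.setdefault("info", []).append(line)
    return phases, final

def matches_bug_signature(text):
    """Return details if a SUBOPTIMAL-LOOKUP phase that re-does the route lookup
    on another interface is followed by a no-adjacency drop; None otherwise."""
    phases, final = parse_trace(text)
    lookups = [p for p in phases if p.get("type") == "SUBOPTIMAL-LOOKUP"]
    if not lookups or final.get("action") != "drop":
        return None
    if not final.get("drop-reason", "").startswith("(no-adjacency)"):
        return None
    m = re.search(r"route lookup again on ifc\s+(\S+)", " ".join(lookups[-1]["info"]))
    return {"phase": lookups[-1]["phase"], "input_ifc": final.get("input-interface"),
            "output_ifc": final.get("output-interface"), "relookup_ifc": m.group(1) if m else None}
```

Run it over the trace of a dropped VPN flow; a hit whose relookup interface differs from the routing table's preferred interface points at the NAT/tunneled-route/floating-conn combination listed above.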