Cisco Bug: CSCvs59056 - ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled

Last Modified

Sep 17, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

  • 9.12(1.7)
  • 9.9(2)

Description (partial)

1) VPN users are unable to reach certain services behind the firewall. 

2) Packets are dropped with the ASP code "no-adjacency". This can be confirmed by applying a capture with trace enabled.

# show cap
capture vpn type raw-data trace interface outside include-decrypted [Capturing - 188 bytes]
  match ip any host

Phase: 21
Subtype: suboptimal next-hop
Result: ALLOW
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc  dmz

input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
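As an added triage helper (not part of the Cisco bug report), the following Python parses a capture or packet-tracer trace like the one above and flags the pattern this bug produces: a "suboptimal next-hop" phase that re-runs the route lookup on the NAT-selected interface, followed by a no-adjacency drop on that same interface. The embedded trace is constructed from the excerpt above.

```python
import re

# Constructed sample, modeled on the trace excerpt quoted in this bug report
# (values copied from the report; not a live capture).
SAMPLE_TRACE = """\
Phase: 21
Subtype: suboptimal next-hop
Result: ALLOW
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc  dmz

input-interface: outside
output-interface: dmz
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z-]+):\s*(?P<val>.*)$")
RELOOKUP_RE = re.compile(r"Doing route lookup again on ifc\s+(\S+)")
DROP_CODE_RE = re.compile(r"\((?P<code>[a-z0-9-]+)\)")


def triage_trace(trace):
    """Pull out the fields that matter for this drop and decide whether the
    trace shows the suboptimal re-lookup + no-adjacency signature."""
    fields, subtypes, relookup_ifc = {}, [], None
    for line in trace.splitlines():
        m = RELOOKUP_RE.search(line)
        if m:
            relookup_ifc = m.group(1)  # interface the second lookup ran on
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # free-text lines such as "ifc selected is not same ..."
        key, val = m.group("key"), m.group("val")
        if key == "Subtype":
            subtypes.append(val)  # keep every phase subtype seen
        else:
            fields[key] = val  # trailer values overwrite earlier phases
    drop = DROP_CODE_RE.search(fields.get("Drop-reason", ""))
    result = {
        "suboptimal_lookup": "suboptimal next-hop" in subtypes,
        "relookup_ifc": relookup_ifc,
        "input_ifc": fields.get("input-interface"),
        "output_ifc": fields.get("output-interface"),
        "drop_code": drop.group("code") if drop else None,
    }
    # Signature: re-lookup happened, and the packet was then dropped for lack
    # of an adjacency on the very interface the re-lookup targeted.
    result["matches_signature"] = bool(
        result["suboptimal_lookup"]
        and result["drop_code"] == "no-adjacency"
        and relookup_ifc is not None
        and relookup_ifc == result["output_ifc"]
    )
    return result
```

A trace that matches is worth checking against the four conditions listed below (VPN headend, NAT without route-lookup, a tunneled static route, and a non-zero floating-conn timeout) before treating it as a generic routing problem.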

1) Remote-access users or VPN tunnels terminate on the ASA or FTD, i.e. the ASA/FTD acts as the VPN headend.

2) Traffic arriving from the VPN tunnel is sent out an interface different from the one the routing table prefers for the destination, for example because of a NAT rule configured without the route-lookup keyword.

nat (dmz,outside) source static destination static RAVPN RAVPN

3) A tunneled static route points to that destination interface, while the routing table also holds a regular (non-tunneled) static route for the destination via another interface.

S [1/0] via,  inside
S [255/0] via, dmz tunneled

4) A floating-conn timeout is configured (the feature is disabled by default, with a value of 0:0:0).

timeout floating-conn 0:00:30