Cisco ASA 5580 Adaptive Security Appliance Troubleshooting Guide

ASA Has High CPU Usage Due to a Traffic Loop When VPN Clients Disconnect
Document ID: 116170
Contributed by Magnus Mortensen, Cisco TAC Engineer.
Aug 11, 2014
Contents
Introduction
Prerequisites
     Requirements
     Components Used
     Related Products
Background Information
Problem: Packets Destined for a Disconnected VPN Client Loop Inside Internal Network
Problem: Directed (network) Broadcast Packets Generated by VPN Clients are Looped on an Inside Network
Solutions to the Problem
     Solution 1 − Static Route for Null0 Interface (ASA Version 9.2.1 and Later)
     Solution 2 − Use a Different IP Pool for VPN Clients
     Solution 3 − Make the ASA Routing Table More Specific for Internal Routes
     Solution 4 − Add a More Specific Route for the VPN Subnet Back Out of the Outside Interface
Introduction
This document describes a common issue that occurs when VPN clients disconnect from a Cisco Adaptive Security Appliance (ASA) that runs as a remote access VPN headend: traffic still addressed to the disconnected client loops between the ASA and the internal network, and ASA CPU usage rises as a result. This document does not cover how to configure remote access VPN on the ASA; it covers only the specific situation that arises from certain common routing configurations.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
• Remote Access VPN configuration on the ASA
• Basic Layer 3 routing concepts
Components Used
The information in this document is based on an ASA Model 5520 that runs ASA code Version 9.1(1).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.