Static routes through site to site tunnel

Similar Questions

• SA520w routing through site-to-site VPN tunnels

  I have several offices that are connected using site-to-site VPN tunnels and all will use the SA520W (firmware 2.1.18). I currently have 3 routers in place, router tunnels created for the router B and c of router. I need assistance with the configuration to allow the guests to router site B get to the router site C. I have attempted to add a static route, but get a destination unreachable host trying to ping. Also, if I connect to the router site has via the Cisco VPN client, I'm not able to get resources on each site, B, or C.

  A - the site 10.10.0.0/24

  Site B - 10.0.0.0/24

  Site of the C - 10.25.0.0/24

  Any help is greatly appreciated.

  So, that's what you have configured correctly?

  RTR_A

  ||

  _____________ || ___________

  ||                                            ||

  RTR_B                                RTR_C

  Since there is no tunnel between B and C there is no way for us past that traffic through RTR_A for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it's okay to IPSec?) of rtr_a ==> rtr_b. You can't just add a statement of road because your addresses are not routable which is the reason why it fails.

  Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but you should get what you need.

  I hope this helps.

• Routing of traffic between two VPN Site-to-Site Tunnels

  Hi people,

  I am trying to establish routing between two vpn Site-to-Site tunnels which are destined for the same outside the interface of my Cisco ASA.

  Please find attached flowchart for the same thing. All used firewalls are Cisco ASA 5520.

  Two VPN tunnels between Point A and Point B, Point B and Point C is too much upward. I activated same command to permit security level interface also intra.

  How can I activate the LAN subnets traffic behind Point to join LAN subnets behind C Point without having to create a tunnel separated between Point A and Point C

  Thank you very much.

  Hello

  Basically, you will need to NAT0 and VPN rules on each site to allow this traffic.

  I think that the configurations should look something like below. Naturally you will already probably a NAT0 configuration and certainly the L2L VPN configuration

  Site has

  access-list NAT0 note NAT0 rule for SiteA SiteC traffic

  access-list allowed NAT0 ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

  NAT (inside) 0 access-list NAT0

  Note L2L-VPN-CRYPTO-SITEB access-list interesting traffic for SiteA to SiteC

  access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

  Where

  • NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic
  • NAT = is the line of configuration NAT0
  • L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteA LAN to LAN SiteC traffic must use the VPN L2L existing SiteB

  Site B

  access list OUTSIDE-NAT0 note NAT0 rule for SiteA SiteC traffic

  OUTSIDE-NAT0 allowed 192.168.1.0 ip access list 255.255.255.0 192.168.3.0 255.255.255.0

  NAT (outside) 0-list of access OUTSIDE-NAT0

  Note L2L-VPN-CRYPTO-SITEA access-list traffic for SiteA to SiteC through a Tunnel between A - B

  access-list L2L-VPN-CRYPTO-SITEA ip 192.168.3.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

  Note L2L-VPN-CRYPTO-SITEC access-list traffic for SiteA to SiteC through a Tunnel between B - C

  access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

  Where

  • OUTSIDE-NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteA SiteC NAT traffic. It is this time tied to the 'outer' interface, as traffic will be coming in and out through this interface to SiteB
  • NAT = is the line of configuration NAT0
  • L2l-VPN-CRYPTO-SITEA (and SITEC) = are the ACL in the configurations of VPN L2L that defines the SiteA LAN to LAN SiteC traffic should use existing VPN L2L connections.

  Site C

  access-list NAT0 note NAT0 rule for SiteC SiteA traffic

  NAT0 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

  NAT (inside) 0 access-list NAT0

  Note list-access-L2L-VPN-CRYPTO-SITEB SiteC to SiteA interesting traffic

  L2L-VPN-CRYPTO-SITEB 192.168.3.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

  Where

  • NAT0 = is the ACL to be used in the NAT0 rules that will exempt SiteC to SiteA NAT traffic
  • NAT = is the line of configuration NAT0
  • L2l-VPN-CRYPTO-SITEB = LCA in configurations VPN L2L that defines the SiteC LAN to LAN SiteA traffic must use the VPN L2L existing SiteB

  To my knowledge, the foregoing must manage the selection NAT0 and traffic for VPN L2L connections. Naturally, the Interface/ACL names may be different depending on your current configuration.

  Hope this helps

  -Jouni

• Next hop for the static route on the VPN site to site ASA?

  Hi all

  I would be grateful if someone could help me with my problem ASA/misunderstanding. I have a VPN site-to site on a SAA. I want to add a floating static route to point to the VPN on the ASA. Note that the traffic in this way is not with in subnets cryptographic ACL that is used to bring up the VPN. This VPN is used only as a backup.

  The static route with the next hop add local public address or the remote public address of the VPN? The next break maybe local ASA isp internet facing interface? I intend to do on the ASDM. I'm sorry if it's a simple question but I found no material that explains this?

  Concerning

  Ahh, ok, makes sense.

  The next hop should be the next jump to the interface that ends the VPN connection, essentially the same as your Internet connection / outside the next hop interface.

  Example of topology:

  Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet

  The static route must tell:

  outdoor 10.2.2.2 255.255.255.255 1.1.1.2 200

  I hope this helps.

• Router vpn site to site PIX and vpn client

  I have two on one interface on the pix vpn connections that terminate VPN. client vpn and VPN site-to-site have passed phase one and two and decrypt and encrypt the packets. However as in another post I can not ping through the l2l vpn. I checked this isn't a nat problem a nd two NAT 0 on the pix and the NAT on the router access lists work correctly.

  ISAKMP crypto RTR #show its
  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
  66.x.x.x 89.x.x.x QM_IDLE 2001 0 ACTIVE

  IPv6 Crypto ISAKMP Security Association

  local ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
  current_peer 66.x.x.x port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 23583, #pkts encrypt: 23583 #pkts digest: 23583
  #pkts decaps: 18236, #pkts decrypt: 18236, #pkts check: 18236
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 40, #recv errors 0

  local crypto endpt. : 89.x.x.x, remote Start crypto. : 66.x.x.x
  Path mtu 1380, ip mtu 1380, ip mtu BID Dialer0
  current outbound SPI: 0xC4BAC5E (206285918)

  SAS of the esp on arrival:
  SPI: 0xD7848FB (225986811)
  transform: aes - esp esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 3, flow_id: Motorola SEC 1.0:3, card crypto: PIX_MAP
  calendar of his: service life remaining (k/s) key: (4573083/78319)
  Size IV: 16 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xC4BAC5E (206285918)
  transform: aes - esp esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 4, flow_id: Motorola SEC 1.0:4, card crypto: PIX_MAP
  calendar of his: service life remaining (k/s) key: (4572001/78319)
  Size IV: 16 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Expand the IP NAT access list
  10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
  20 permit ip 192.168.2.0 0.0.0.255 everything (362 matches)
  Expand the IP VPN_ACCESS access list
  10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

  I looked on the internet and that it points to a routing error when packets are being encrypted and decrypted, but you can't do a ping on the binding. However when I test the connection I did not enter any of the static routes that networks are connected directly on each side of the pix and the router. any help would be a preciated as I think there's maybe something is blocking the ping to reach the internal network at the end of pix with a configured access list.

  is ping failure of the only thing between the site to site VPN? and assuming that all other traffic works fine since it decrypts and encrypts the packets.

  If it's just ping, then activate pls what follows on the PIX:

  If it is version 6.3 and below: fixup protocol icmp

  If it is version 7.0 and higher: select "inspect icmp" under your political map of the world.

  Config complete hand and on the other could help determine if it's a configuration problem or another problem.

• Routing access to Internet through an IPSec VPN Tunnel

  Hello

  I installed a VPN IPSec tunnel for a friend's business. At his desk at home, I installed a Cisco SA520 and at it is remote from the site I have a Cisco RVS4000. The IPSec VPN tunnel works very well. The remote site, it can hit all of its workstations and peripheral. I configured the RVS4000 working in router mode as opposed to the bridge. In the Home Office subnet is 192.168.1.0/24 while the subnet to the remote site is 192.168.2.0/24. The SA520 is configured as Internet gateway for the headquarters to 192.168.1.1. The remote desktop has a gateway 192.168.2.1.

  I need to configure the remote site so that all Internet traffic will be routed via the Home Office. I have to make sure that whatever it is plugged into the Ethernet on the RVS4000 port will have its Internet traffic routed through the Internet connection on the SA520. Currently I can ping any device on the headquarters of the remote desktop, but I can't ping anything beyond the gateway (192.168.1.1) in the Home Office.

  Any help would be greatly appreciated.

  Thank you.

  Hi William, the rvs4000 does not support the tunnel or esp transfer wild-card.

• Routing between sites that use the site to site VPN

  I'm running 7.2 (1) two 515 who have a VPN site-to-site set up a bit as follows:

  subnets of the main site - router main site - PIX1___Public IP's___PIX2 - remote site

  The main site router: CAT6506 with engine SUP1A

  Subnets listed in motor SUP:

  SUB1 VLAN

  IP address 180.x.1.x.255.254.0

  VLAN SUB2

  IP address 180.x.2.x.255.254.0

  VLAN SUB3

  IP address 180.x.3.x.255.254.0

  VLAN SUB4

  IP address 180.x.4.x.255.255.240

  PIX1 is the subnet SUB4 (180.20.4.2)

  Remote site subnet: 192.168.1.0/24

  Route the engine by default Overtime toward another router that reached the internet via another public IP subnet.

  Any host on SUB4 can reach any host on the remote site as long as the SUB4 host default gateway is the inside int PIX1 (180.20.4.2).

  No matter what SUB4 host that uses the 180.20.4.1 address (router) default gateway cannot communicate with a remote host, but can communicate with any host from any subnet of the main site.

  All remote hosts can communicate with any host on SUB4, regardless of the gateway of the SUB4 host address.

  All remote hosts can communicate with the router on SUB4 main site, but can not reach one of the other interfaces subnet configured on the router.

  I've added a static route on the SUP engine:

  router IP 192.168.1.0 255.255.255.0 180.20.4.2

  That did not help.

  The uses of motor SUP EIGRP to learn other subnets main site reached through routers, so I added the remote subnet to that:

  Router eigrp 10

  redistribute static

  network 180.20.0.0

  network 192.168.1.0

  No Auto-resume

  No log-neighbor-changes to eigrp

  No chance, no more.

  I can't help thinking that I'm missing something very basic.

  Any help is really appreciated

  Hello

  PLS, find the changes that must be made and checked.

  PIX remotely:

  1. you only need a default route and that you can route your subnets via inside as they are outside, so remove these statements

  2.i see Access-group configured to be applied to the external interface for traffic coming from the outside, make sure that all required subnets are allowed.

  3. in the access list for the corresponding traffic to cryptomap, I see that one included subnet, pls have all included traffic that must be encrypted (as sub1, sub2..)

  Main PIX:

  1. in the access list for the corresponding traffic to cryptomap, I see that one included subnet, pls have all included traffic that must be encrypted (as sub1, sub2..)

  2. is there an 'access-group outside_access_in' access list present in the pix the corresponding traffic - check - the pls

  3. by nat (inside) 0 access-list inside_nat0_outbound, include all your inside subnets that must have access to the remote subnet

  L3 switch:

  1.I see a default route pointing to your router 3640, so pls add a static route to your remote subnet pointing to Pix

  IP route 192.168.1.0 255.255.255.0 x.x.22.2

  2. pls check in your L3 switch, wheter the appropriate subnets sub1, sub2 are learned properly via the conifugred Eigrp VLAN respective

  for example .sub2 and sub3 learning with leap following 8.2, sub 5 via 30.3

  Pls try to understand the topology and make configuration changes and let us know the results

  concerning

  k VB

• I can't scroll through sites that I connect. something happened in mozilla firefox. It allows to work when I am connected to a Web page, but not now. all I can do is

  I can't scroll through sites that I connect. something happened in Firefox Mozilla. He used to work when I am connected to a Web page, but not now. all I can do is to manipulate the page through links on the page. No sidebar to scroll or the other. It works fine in Explorer, so I know it's a problem with Firefox, also can scroll etc on pages like MSN, Yahoo, etc., but does not not using Firefox, when I connect to one Web site other than the one which is also a search engine, what happened? can you help me?

  You get a pop-up window or dialog style without menu or the toolbar either? In this case:

  38 of Firefox has a little problem with this combination of circumstances:

  (1) turned off tabbed browsing
  (2) viewing a page in a private window
  (3) you click on a link encoded with target = "_blank", which launches the link in a new window

  The new window opens without menus, toolbar, scroll bars, etc.

  Work on this bug is in progress, but I don't know if the fix will be available in the coming weeks. These are the known workarounds so you can continue using windows browsing private - one of them will work around the bug:

  (1) use tabbed browsing (there is a checkbox in Options > general > "Open new windows in a new tab instead");

  (2) shift + click the links to open in a new window with standard features. or

  (3) change a bunch of hidden settings as explained below - it will not you make changes to the way you use Firefox, but sometimes you need to enlarge some small pop-up windows that have been sized for a window with no toolbar displayed.

  # 3, here are the steps:

  (A) in a new tab, type or paste Subject: config in the address bar and press ENTER. Click on the button promising to be careful.

  (B) in the search above the list box, type or paste feat and make a pause so that the list is filtered

  (C) for each preference that begins with dom.disable_window_open_feature. , if it is not 'true', double-click it to true.

  You may find that you prefer this anyway, given that sites can band is more these pop-up windows features.

  Who is relevant or do you have a different question?

• Client needs to access the devices on the existing site to site tunnels

  Hello and thanks in advance.

  We use ASA5510 in respect to the vpn appliance and currently have 90 + vpn tunnels (site to site tunnels) ipsec connected to this ASA.

  Recently, we configure a tunnel for one of our customers (site in tunnel).

  Now, this client must have access at least 10 existing tunnels a site that I have.

  They must be able to access the devices on this segment.

  How should I proceed with this application?

  Can I update all existing tunnels site at 10 to add this range of ip addresses of places (clients)?

  Yes, you need to add this new subnet as interesting traffic on all 10 tunnels (on card crypto ACL) If you need two-way communication.

  Kind regards

  Averroès.

• How to disable a site tunnel on cisco asa

  Hi all, anyone know how to turn off a vpn site to site tunnel on my asa without deleting?

  see you soon

  Carl

  Carl,

  Has made this suggestion to the problem you are looking for?

  So is there a particular reason why you ask many qustions and not note or even to say thank you?

• Route VPN site to site on one path other than the default gateway

  I want to route VPN site-to-site on one path other than the default gateway

  ASA 5510

  OS 8.0 8.3 soon

  1 (surf) adsl line interface default gateway

  line 1 interface SDSL (10 VPN site-to-site)

  1 LAN interface

  What's possible?

  Thank you

  Sorry for my English

  Here is the assumption that I will do:

  -Your IP SHDL is 200.1.1.1, and the next hop is 200.1.1.2

  -Your LAN-to-LAN ends on this interface (interface card crypto SHDL)

  -VPN peer 1 - 150.1.1.1 and LAN is 192.168.1.0/24

  -VPN peer 2 - 175.1.1.1 and LAN is 192.168.5.0/24

  This is the routing based on the assumption above:

  Route SHDL 150.1.1.1 255.255.255.255 200.1.1.2

  Route SHDL 175.1.1.1 255.255.255.255 200.1.1.2

  Route SHDL 192.168.1.0 255.255.255.0 200.1.1.2

  Route SHDL 192.168.5.0 255.255.255.0 200.1.1.2

  Hope that helps.

• asa himself through site to site vpn access server

  Hello

  I have problem with access to the servers through site to site vpn to ASA that makes this vpn site-to-site and Clientless VPN enablerd.

  Reason why I need it / what I do:

  ASA 5510 enabled Clientless VPN and on this Portal allows users to access internal servers through bookmars URL. We use it when someone wouldn't access IPSec VPN or in an internet café. If this user connects to clientless vpn and click on the bookmark to access for example mail server. But there is problem, asa cannot access this server through VPN site-to-site.

  Network:

  Here's a quick design of my network.

  

  I don't have server access to the problem in the VLAN 159 of VLAN 10, or 100. But I need to be able to access the server in Vlan 159 of ASA 5510, who owns the IP 192.168.1.4.

  I have this subnet ASA owned by FRONT-NAT object in the same place that VLAN 10 to 100 are and vpn Site-to-Site profile.

  What I makeover or how can I solve it?

  Thank you

  Clientless VPN when accessing internal servers, it will use the closest to the source of the connection interface and if you connect to via clientless SSL VPN ASA5510 and need access ASA5505 LAN via the site to site VPN, the interface closest to the ASA5510 to ASA5505 LAN is ASA5510 outside interface, therefore, the vpn of site-to-site crypto ACL must match on ASA5510 outside the ip address of the interface.

  Here's what you need on each ASA:

  ASA5510:

  permit same-security-traffic intra-interface

  ip 192.168.159.0 external interface allowed access list 255.255.255.0

  ASA5505:

  ip 192.168.159.0 access list allow 255.255.255.0 host

  In addition, also need to add the same ACL for access-list of exemptions on ASA5505 NAT:

  ip 192.168.159.0 access list allow 255.255.255.0 host

  Hope that helps.

• SGE2010 customers have need to route through ASA 5505 & 3750

  Please see the included diagram.

  I need to move out of the 3750 client machines (and DHCP dependence on it) to the SGE2010 and absolutely to carry their internet traffic on through the external interface on the 5505. They must also be able to communicate in the internal environment to communicate with the production servers.

  Customers use actuellement.254 speaking through a silent dell in the 3750 switch, but I'm trying to migrate more slowly at la.253. I know that the 2010 will not DHCP, so I put a DHCP server on this switch now. The 5505 will not let me add a statement additional nameif on one of the other eth0 / x interfaces and I don't know if this has something to do with its capacity to act as a DHCP server (it is not an option in the ASDM) or he has ability to use internet gateway for customers in 2010. (Quick notes: The 5505 has a base license and is currently also site to 1 VPN connection.) As the 5520, then all its interfaces are used as well).

  I have statically assigned a customer moved with an adresse.253 and plugged into the 2010. I tried to give the 2010 both an adresse.4 and an adresse.253 but neither will allow me to ping on the 5505 addresses. The 2010 auto shows routes to two subnets and I put its default route to 253.1.

  The link between 2010 and the 3750 works - clients receive an adresse.254 of the 3750 and can get out to the internet via the 5505 and reach as well production servers.

  Why don't the 2010 see the 5505 as a gateway and allow customers to access the internet and also browse the 3750 when they need to access the production network?

  Now, the key to monkey. The reason why I am not "just connect both cheating and call a day is because I need also Always go out production servers / web applications via the interface of 5520 out outside/inside."

  I have such a package of wire trouble my head around why I can't get my customers moved to the new switch, I have not yet figured out how I'll do it again.

  Any help would be greatly appreciated.

  Scott

  Hi Scott,.

  OK, you'll have several IP networks connected on the SGE2010... that's fine that the switch can operate in Layer 3 mode.

  But the ASA5505 or the SGE2010 may only be granted to PC customers who are hooked the switch SGE2010 default gateway ports?

  If the SGE2010 is made the default gateway for the PC clients, the SGE2010 will go to layer 3 packets between appropriate subnets.

  (depending on whether you have added a few static routes inside your SGE2010)

  If the SAA is the gateway to the host PC, the ASA will route traffic accordingly.

  Best regards, Dave

• RV042 Question of static routing

  I am currently using RV042 in the two-WAN backup mode. However, I tried the redundant option and think it's to give me more bandwidth and better performance than only the WAN.

  My problem is that in redundant mode, I am unable to use a few sites that I use on a regular basis. One of the sites is our Web Timesheet hosted service and their website will just crazy when I try to access the router set up in redundant mode. I am still not able to connect to their site, and it is important for my daily work.

  My question is - can I configure static for some sites routes so that the router knows he must access them through my WAN alone? For example, if my site of timesheet software is 123.123.123.123, and my favorite WAN gateway is 68.68.68.68, I can the router only to access this site through the specific gateway, even if the router is configured to use either WAN?

  I tried static routes and it doesn't seem to work at all.

  For example:

  Site: 123.123.123.123

  SM: 255.255.255.0

  Gateway 68.68.68.68

  When I save it and run the tracert to 123.123.123.123, it passes through the other door, and not that I mentioned here.

  Any tips are appreciated.

  Thank you
  Alex P.

  If your help it balance mode, go to system management support and scroll down to protocol binding.  Chances are you're going to a site secured with the two beginning of work and the site sees a connection with two upcoming ip home addresses and interrupts the connection.  You can perform a binding protocol for all your https traffic out a wan for all your network ip addresses and this should solve the problem.  You can do it for mail and other protocols that would be stripped by the dual wan.  I hope this helps.
  

• Static route of VPN in EIGRP redistribution (FD is Inaccessible)

  Hi all

  I redistribute the site to site VPN static route in EIGRP, but what I noticed on the 6509 when I sh ip eigrp 200 topol, the static route to the ASA "FD is inaccessible."

  6509 output:

  Topology EIGRP-IPv4 for AS(200)/ID(10.33.95.34 table)

  Code: P - passive, A - Active, U - update, Q - Query, R - reply,.

  r response status, s - AIS status

  P 199.x.x.240/28, successors 1, FD 53760, tag is 36539

  through reallocation (53760/0)

  P 10.64.129.0/24, successors 1, FD is 28416

  Via 10.210.98.200 (28416/28160), Vlan98

  P 10.1.2.0/24, 0 successors, FD is Inaccessible

  Via 10.210.98.200 (28416/28160), Vlan98

  P 10.210.98.0/24, successors 1, FD is 2816

  Via connected, Vlan98

  ASA5510 output:

  Topology EIGRP-IPv4 for AS(200)/ID(10.64.129.253 table)

  Code: P - passive, A - Active, U - update, Q - Query, R - reply,.

  r response status, s - AIS status

  P 10.1.2.0 255.255.255.0 successors 1, FD is 28160

  Via Rstatic (28160/0)

  P 10.64.129.0 255.255.255.0 successors 1, FD is 28160

  Via connected, Ethernet0/0

  P 199.x.x.240 255.255.255.240, successors 1, FD 79360, tag is 36539

  Via 10.210.98.254 (79360/53760), Ethernet0/1

  P 10.210.98.0 255.255.255.0 successors 1, FD is 28160

  Via connected, Ethernet0/1

  The ASA config:

  200SW_EIGRP list standard access allowed 10.1.2.0 255.255.255.0

  permissible static in eigrp route map 10

  200SW_EIGR match ip address

  Router eigrp 200

  redistribute static static in eigrp route map

  external route 10.1.2.0 255.255.255.0 x.x.x.

  Thank you

  Thomas,

  When the flight director is not accessible in the EIGRP topology table, the router does not use this EIGRP route in its routing table.

  Probably, the road is overridden by any other routing protocol that has the lowest administrative distance.

  Could you please share the routing table?

  Thank you.