Reverse Route Injection ( RRI ) for Lan 2 Lan ( L2L ) VPNs

Jun 5th, 2007

All,

Code: 7.2(2)

H/W: 535

What's the default behavior for Reverse Route Injection (RRI) for L2L VPNs?

The reason I am asking is because when I add the following:

!
crypto map OUT-Map 100 set peer 1.1.1.1
crypto map OUT-Map 100 set transform-set Corporate-vpn
crypto map OUT-Map 100 match address 192.168.255.1
crypto map OUT-Map 100 set reverse-route
!

It adds a static to the PIX routing table even when the VPN is not connected. Is that normal? We use RRI for our Remote Access VPNs with dynamic crypto maps, and the static route only appears when the VPNs are connected. We only want the routing injected when the VPN is connected because we redistribute the routing internally.

Thanks,

Ken

jaffer_sathik2010 Tue, 06/05/2007 - 04:49

Ken,

Agreed. I have also seen that when we configure RRI for 'Remote access VPN', static routes are only created when the VPN is up.

But for L2L VPN, static routes will be added even before establishing the VPN. I don't see any problem because of this nature :)

Are you facing any problem due to this?

--Jaffer

kenkaplan Wed, 06/06/2007 - 00:52

No, just our design.....

I was hoping it had the same behavior as the RA VPNs. The documentation is very vague about L2L and RRI, which does not help.

It seems to defeat the purpose of RRI for L2L because if I wanted a static I would have just added one. Sounds like a bug to me......

What do you think?

Here is what we are trying to achieve:

We have 2 internet pipes and 2 PIX pairs, and we are redistributing on the PIX with OSPF. We were planning to have the remote offices dual homed with L2L VPNs. The remote side would only be connected to one VPN peer; in the event that there was an outage on one of our MAIN sites, it would roll over to the other site. The idea was that RRI would have removed the route which we are redistributing into the internal network, and when the VPN rebuilds to the other peer, RRI would redistribute the new connection from that site.

The problem faced with "set reverse-route" is 2 routes into our internal network, so we have 2 of the same destination networks going out to different places, which causes problems with traffic through the PIXs as well as possible black holes.

Regards,

Ken

jrahm Wed, 06/06/2007 - 05:23

That problem is why I chose the router path. With the IOS-based solution, you can reverse-route inject on active HSRP state.

There are some workarounds if you want to get creative. I had considered a TCL script on our first IOS ingress point to check tunnel status at the PIX termination and weight the received routes appropriately so that only the active path would be selected internally.
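As an added illustration of the kind of tunnel-status check discussed in this thread (not code from any poster, and not a Cisco tool), the script below correlates static routes that point at a VPN peer with the IPsec SAs that are actually up, and reports routes that would be redistributed for a tunnel that is down. The sample "show route" and "show crypto ipsec sa" text is constructed, and the line formats the regexes expect are assumptions about that constructed text.

```python
import re

# Constructed sample of firewall "show route" output (format assumed for this example).
# Two RRI-style statics point at VPN peers 1.1.1.1 and 2.2.2.2.
SHOW_ROUTE = """\
C    192.168.255.0 255.255.255.0 is directly connected, inside
S    10.20.0.0 255.255.0.0 [1/0] via 1.1.1.1, outside
S    10.30.0.0 255.255.0.0 [1/0] via 2.2.2.2, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

# Constructed sample of "show crypto ipsec sa": only the tunnel to 1.1.1.1 has an SA.
SHOW_IPSEC_SA = """\
peer address: 1.1.1.1
  remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
  #pkts encaps: 1200, #pkts encrypt: 1200
"""

VPN_PEERS = {"1.1.1.1", "2.2.2.2"}  # constructed peer list for the example


def static_routes(show_route):
    """Map (network, mask) -> next hop for every static (S) route line."""
    routes = {}
    for line in show_route.splitlines():
        m = re.match(r"S\*?\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),", line)
        if m:
            routes[(m.group(1), m.group(2))] = m.group(3)
    return routes


def active_tunnel_networks(show_sa):
    """Set of (network, mask) remote identities that currently have an SA."""
    pattern = r"remote ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/"
    return {(m.group(1), m.group(2)) for m in re.finditer(pattern, show_sa)}


def stale_rri_routes(show_route, show_sa, peers):
    """Static routes toward a VPN peer whose protected network has no active SA.

    These are the routes that would be redistributed internally for a down
    tunnel, i.e. the black-hole candidates described in the thread."""
    active = active_tunnel_networks(show_sa)
    return {net: hop for net, hop in static_routes(show_route).items()
            if hop in peers and net not in active}


if __name__ == "__main__":
    for (net, mask), hop in stale_rri_routes(SHOW_ROUTE, SHOW_IPSEC_SA, VPN_PEERS).items():
        print(f"route {net} {mask} via {hop} has no active tunnel")
```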

rlloveras Fri, 03/28/2008 - 07:23

The problem I have with reverse route being enabled on a L2L is that it injects the static route on my ASA 5510 v7.2(1). This causes certain routing issues when the network is back to normal. Is there any way that I can have the static route disappear when the tunnel is not in use or active?

jrahm Mon, 03/31/2008 - 04:34

My understanding is that the rri on the ASA platform is tied to the L2L definition, and can either be injected at all times or only during tunnel active state.

rlloveras Mon, 03/31/2008 - 05:45

When I configured the reverse route on a hub-spoke L2L environment it causes problems due to the static being the default route out to the remote site even though the tunnel is down. This causes routing problems for the VPN client that needs to access the remote network. If there is a way for the route to be injected only when the tunnel is up, how do I do this? Instead of reverse route, just put a static route and give it an AD?
