RRI, why doesn't it work without it ...

Unanswered Question
Oct 13th, 2007
User Badges:

Hi there,

I've got a Concentrator(3015, 4.7.2.G) to ASA (5505, 8.0(2)) IPSec L2L connection.


The encryption domain is set to 192.168.14/24 <-> 10.10.20/24. The IPSec SAs are negotiated correctly.

Trying to ping from ASA(inside) to the Concentrator(inside), puts some packets into the tunnel (shown on both devices session info) but the Concentrator doesn't send anything back.

After enabling Reverse Route Injection, the ASA's ping is answered. But packets from a host within the Concentrators Inside network are send to the ASA and are decrypted there (showing an "recv error" per decrypted packet) but now there's no answer back.

I'm confused (and tired ;-), why do I have to enable RRI? What has to be done on the ASA (RRI, too?)? Is it possible to avoid RRI completely in this scenario?

Many thanks for any comment,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion