06-04-2008 11:41 PM - edited 02-21-2020 03:45 PM
I have configured a 2811 with PPPoE and a fixed IP address on ADSL, then use it as an Easy VPN server, and another 2811 configured as an Easy VPN client that also uses PPPoE to connect to a random IP address ADSL.
I just want to ask why the route remains after I disconnect the remote Easy VPN.
06-07-2008 01:06 PM
Does it remain after you do:
clear crypto isakmp
clear crypto sa
Regards
Farrukh
06-30-2009 03:49 AM
I am facing the same issue for my easy vpn server and clients.
My Cisco 3825 has an Easy VPN server configuration with an IP pool. When one of the clients disconnects and his ISAKMP SA is deleted by the router itself, the route pointing to the IP pool's IP address is still in the routing table!!! Then another VPN client connects and gets the same IP pool's IP address. But this newly connected VPN client is located on another interface of the router. So an extreme problem occurs! A route pointing to 2 next hops is created! So bad!
Can anyone help me? How can I delete the bad route?
Thanks!
Jason Lam
06-30-2009 04:02 AM
Why don't you make two different pools for each interface?
Regards
Farrukh
06-30-2009 05:16 PM
Hi Farrukh,
Is configuring a unique pool for each subnet the only way to solve the problem?
Thanks!
Jason Lam
06-30-2009 09:29 PM
The IP POOL is local on the router?
Regards
Farrukh
06-30-2009 10:38 PM
Hello all!
I have the same problem. My setup is like:
The server is a 3845 with 12.4(18e). It has a PPPoE interface with a static IP address configured.
Easy VPN remote routers (different IOS versions) connect to the server in network extension mode.
After roughly 3 weeks of server uptime I began to lose connection to my remote location. Then I discovered that I had double routes to some (not all) remote locations.
clear crypto sa peer and clear crypto isakmp did not help me. I just had to reload my server.
Has anybody seen the same behavior?
With best regards
06-30-2009 10:40 PM
Hi Farrukh,
Yes, the IP pool is located in my Cisco 3825 with version c3825-adventerprisek9-mz.124-16b.bin.
Best Regards,
Jason
06-30-2009 10:54 PM
For static peers, I'm aware of a function called Invalid SPI Recovery, documented at:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html
But it has a limitation:
"SPI recovery initiates a new IKE SA only for static peers."
Regards
Farrukh