EasyVPN: redundant head-end servers recommendation for hardware clients

Unanswered Question
Aug 21st, 2008

Hi All,


ASA5510 acting as EasyVPN server with static routes to inside networks (at various locations). No routing protocol on the EasyVPN server. Pure static routes. The group and user lists are also local to the server ASAs. Clients at the home office have a 5505 as VPN client (with NEM enabled) and everything works fine.

I am looking for a solution to add another EasyVPN server (ASA5510) at another location, so that in case the primary server goes down, the client ASAs can go for the backup server. As we are using static routes to reach remote home office users (each remote location has a /24 subnet assigned), I am looking for a better way to implement it.

I did some research, and it looks like I need to go with RRI on the server ASAs (and take out all the static routes), enable OSPF and redistribute static. Will it work that way? Any suggestions and any useful links with sample configs?

Thank you in advance


dhananjoy chowdhury Thu, 08/21/2008 - 08:39

Yes, RRI on the EasyVPN server in this case would help.

If RRI is enabled, whenever a NEM client connects, the EasyVPN server puts a static route entry in its local routing table. Now if you are redistributing static into OSPF, then the routers running OSPF behind your EasyVPN server learn the routes dynamically for the subnets behind all the NEM clients.

And when a NEM client gets disconnected, the route is automatically removed.

So as your number of NEM clients grows, you need not manually add static routes on all your devices.

mvsheik123 Thu, 08/21/2008 - 08:57


Thank you for the quick reply. Adding client routes is not an issue for me, as I simply used the summary route like --> Server ASA inside interface. So client deployment is easy.

My concern is if I have 2 server ASAs at 2 different locations...

1. With each location learning internally via OSPF, in case the primary ASA goes down, will the client be able to connect to the second server ASA and reach all the internal networks when RRI is enabled?

2. Also, when both ASAs are up and running, will there be any issues in routing on the internal networks with RRI enabled?

3. Any sample config links for enabling RRI on ASA?

Thank you


mvsheik123 Thu, 08/21/2008 - 09:12

Apologies, forgot the main question: using the RRI feature, do I still need the 'nonat' ACL and split-tunnel ACL on the server ASA?

Thank you


mvsheik123 Thu, 08/21/2008 - 13:17


I have tested with a sample config with RRI enabled, and it works fine. You definitely need the 'nonat' and split-tunneling (if you decide to use it) configs. I used the 'object-group' feature for that, so it is easy to manage. Another point observed was that, on the server ASA end, for the OSPF config we need to use 'redistribute static subnets'. Without the 'subnets' keyword, the client subnet is not advertised into the OSPF AS.

Thank you
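
A server-side configuration fragment matching the setup described in the last post, added here as an illustration and not taken from any poster's device. It assumes pre-8.3 ASA software (the `nat (inside) 0` exemption syntax); all names, addresses, and the OSPF process and area are constructed placeholders, and the rest of the tunnel configuration (transform set, crypto map, tunnel group) is omitted.

```cisco
! Constructed example: names, addresses, OSPF process and area are placeholders.
! Apply the same configuration on each head-end (server) ASA.

! Inside networks and the home-office /24s, grouped for easy maintenance
object-group network INSIDE_NETS
 network-object 10.0.0.0 255.255.0.0
object-group network HOME_OFFICES
 network-object 10.200.1.0 255.255.255.0
 network-object 10.200.2.0 255.255.255.0

! 'nonat': exempt inside <-> home-office traffic from NAT
access-list NONAT extended permit ip object-group INSIDE_NETS object-group HOME_OFFICES
nat (inside) 0 access-list NONAT

! Split tunnel: only traffic to the inside networks enters the tunnel
access-list SPLIT_TUNNEL extended permit ip object-group INSIDE_NETS any
group-policy HOMEOFFICE_GP internal
group-policy HOMEOFFICE_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 nem enable

! RRI: install a static route for each connected NEM client's subnet
crypto dynamic-map EZVPN_DYN 10 set reverse-route

! Advertise the RRI-installed routes to the inside OSPF routers.
! 'subnets' is required, otherwise the /24 client subnets are not redistributed.
router ospf 1
 network 10.0.0.0 255.255.0.0 area 0
 redistribute static subnets
```

After a NEM client connects, `show route` on the server ASA should list the client's /24 as a static route, and the inside OSPF routers should learn it as an external route.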


