EZVPN Server (ASA using RRI/OSPF)) failover : Client connectivity isssue

Unanswered Question
Oct 9th, 2008

Hi all,

ASAs configured as EZVPN servers. 2 Of them at Main data center with Active/Stdby (stateful) config. 3rd one at DR datacenter. All runs OSPF and using RRI (Reverse route Injection) so that the EZVPN clients when connects will be learned in the Internal network dynamically.

--> Failover between unts works great. Client networks learned dynamically with no issues.

-->when both units at main location goes down , the cleints connecs to DR location unit (after some period) and the cleint networks learned dynamically via DR site.

The issues is when the client connects to DR site, incase the Primary units comes online, then the client loosing enterprise network access. After some testes it is observed that, as the client subnet (10.199.x.x) being learned dynamically via OSPF: redistribute static subnets command, when the Main site ASA outside interface comes online, even though the client is not connected, the ASA is installing 'STATIC' route in the routing table for client network(10.199.x.x) and populating that network and even though client is connected at that time to DR site, the primary unit distributed client routes are entering in to routing table.

Please find the attached configurations for Main location & DR site ASAs.

Iam planning to open a TAC case on this, but I would like to get some solutions from the Gurus as well. Please find the attached Main & DR location ASA configs.

Client ASA (5505) config:

vpnclient server

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup TEST password **

vpnclient username USER1 password **

vpnclient enable

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mvsheik123 Mon, 10/13/2008 - 18:47

Hi All,

Fyi... issue was due to IOS bug with RRI routes. Upgrading the IOS resolved the issue.

Thank you all



This Discussion