EZVPN Server (ASA using RRI/OSPF) failover: Client connectivity issue

mvsheik123
Level 7

Hi all,

ASAs are configured as EZVPN servers. 2 of them are at the Main data center with Active/Stdby (stateful) config. The 3rd one is at the DR datacenter. All run OSPF and use RRI (Reverse Route Injection) so that the EZVPN clients, when they connect, will be learned in the internal network dynamically.

--> Failover between units works great. Client networks are learned dynamically with no issues.

--> When both units at the main location go down, the clients connect to the DR location unit (after some period) and the client networks are learned dynamically via the DR site.

The issue is that when the client is connected to the DR site, in case the Primary units come online, the client loses enterprise network access. After some tests it is observed that, as the client subnet (10.199.x.x) is being learned dynamically via OSPF (redistribute static subnets command), when the Main site ASA outside interface comes online, even though the client is not connected, the ASA is installing a 'STATIC' route in the routing table for the client network (10.199.x.x) and populating that network, and even though the client is connected at that time to the DR site, the primary unit's distributed client routes are entering into the routing table.

Please find the attached configurations for Main location & DR site ASAs.

I am planning to open a TAC case on this, but I would like to get some solutions from the gurus as well. Please find the attached Main & DR location ASA configs.

Client ASA (5505) config:

vpnclient server 64.2.16.8 67.97.3.9

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup TEST password **

vpnclient username USER1 password **

vpnclient enable

mvsheik123
Level 7

Hi All,

FYI... the issue was due to an IOS bug with RRI routes. Upgrading the IOS resolved the issue.

Thank you all

MS
