Issues with static removing itself using RRI

Unanswered Question
Apr 12th, 2010

Hi all,

I'm running into an issue where my headend VPN router is removing the static on its own even though the IPsec tunnel is still up. It drops randomly (I have had it disappear in 15 mins or 4 hours later) and what's odd is that it will re-add the static on its own at random times (again like 15 mins after it drops or 4 hours after it drops, very random). Clearing the tunnel does not restore the static. Clearing the config and re-adding it will, however, but obviously this is not a good solution. I can confirm the tunnel is still up by doing a show crypto ipsec sa and I see the tunnel is still there.

The design and config is pretty simple. One headend VPN router (3825 running 12.4 IOS) and one remote router (871 router) configured for LAN to LAN. The crypto map on the headend router is using the reverse-route subcommand to inject statics when the tunnel is up.

Headend router

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp key SOMEKEY address
crypto isakmp keepalive 60 periodic

crypto ipsec transform-set Remote-Office-TS esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps

crypto map WAN_VPN client configuration address respond

crypto map WAN_VPN 50 ipsec-isakmp
 description REMOTE
 set peer
 set transform-set Remote-Office-TS
 match address 100


Any ideas?

Jennifer Halim Mon, 04/12/2010 - 20:08
User Badges:
  • Cisco Employee,

Change the "reverse-route" to "reverse-route static", that would make sure that the redistributed static route is always there.

The keyword "static" is normally used for static LAN-to-LAN crypto/tunnel.

Here is the URL for your reference if you are interested:

Hope that helps.

jack.leung@prne... Tue, 04/13/2010 - 04:33

Thanks for the recommendation. What do you mean by static will always be there? So if the IPsec tunnel comes down the route would remain in place?

Jennifer Halim Tue, 04/13/2010 - 04:39
User Badges:
  • Cisco Employee,

Correct, even if the tunnel is down, it will always be there as it is taking the crypto ACL as the route to be redistributed.

jack.leung@prne... Tue, 04/13/2010 - 04:49

Ah, I should have mentioned that I can't have that since I have a backup router in a different location. I'm redistributing statics into eigrp so the remote office route will appear in one of two locations depending where the tunnel is going to at the moment.
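
Added example (not part of the thread and not Cisco's tooling): a small Python check that cross-references captured "show crypto ipsec sa" and "show ip route static" output and reports remote networks that have a live SA but no static route, which is the symptom described in this thread. The sample outputs are constructed and abridged, the addresses are documentation ranges, and the parser assumes each static route line carries its prefix length.

```python
import ipaddress
import re

# Constructed, abridged "show crypto ipsec sa" output: first peer has SPIs, second has none.
SAMPLE_SA = """\
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer 203.0.113.10 port 500
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x5E6F7081(1584361601)
   remote ident (addr/mask/prot/port): (192.168.60.0/255.255.255.0/0/0)
   current_peer 203.0.113.20 port 500
     inbound esp sas:
     outbound esp sas:
"""

# Constructed "show ip route static" output: the RRI route for 192.168.50.0/24 is absent.
SAMPLE_ROUTES = "S    192.168.70.0/24 [1/0] via 198.51.100.254\n"

REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
ROUTE_RE = re.compile(r"^S\*?\s+(\d+\.\d+\.\d+\.\d+/\d+)\s", re.M)

def active_remote_networks(sa_output):
    """Remote proxy identities that have at least one ESP SPI installed."""
    active, current = set(), None
    for line in sa_output.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            current = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current is not None and line.strip().startswith("spi: 0x"):
            active.add(current)
    return active

def static_routes(route_output):
    """Prefixes of all static ('S') routes in the routing table output."""
    return {ipaddress.ip_network(p) for p in ROUTE_RE.findall(route_output)}

def missing_rri_routes(sa_output, route_output):
    """Networks with a live SA but no matching static route."""
    return sorted(active_remote_networks(sa_output) - static_routes(route_output))

if __name__ == "__main__":
    for net in missing_rri_routes(SAMPLE_SA, SAMPLE_ROUTES):
        print(f"SA up but no static route for {net}")
```

Running it on a schedule against both outputs collected at the same moment gives timestamps for when the route disappears and returns, which can then be compared with rekey and keepalive events.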

