IOS RRI bugs (?)

ovt
Level 4

Hi!

Does anybody run RRI on IOS routers successfully?

It seems the implementation is full of bugs: every time the same VPN client reconnects, it is given a new IP address from the local pool. The old /32 static route is not removed. The cloned crypto map record is not removed either.

Is it possible to work around this?

Also, if the same interface terminates remote VPN clients and IPSec+GRE site-to-site tunnels, RRI adds a static /32 route to the VPN client via ALL interfaces with the crypto map applied: serial, tunnel 0, tunnel 1, ..., etc. (by unclear design one should apply the crypto map to both physical *and* tunnel interfaces).

Again, is it possible to work around this?

Oleg Tipisov,

REDCENTER,

Moscow

2 Replies

gfullage
Cisco Employee

The VPN concentrator had this problem of not removing the route after a disconnect, but I haven't heard about it on IOS; maybe someone else on this list has.

Can you enable "debug cry ipsec" and "debug cry isa" when the client disconnects? We should be able to see whether the route is removed or not. How are the clients disconnecting? We need to make sure the IPSec SA is not being stranded. Can you include a "sho ip route" and a "sho cry isa peer" after the client connects, then again when it disconnects?

The "client route being added to all interfaces with the crypto map applied" is bug ID CSCdw38881, still being worked on.

Thank you for the reply.

I saw the problem of not removing the static route in 12.2(8)T. I could not reproduce it in 12.2(11)T2 yesterday :(

Glenn, your answers are always very useful. Could you please answer my question titled "sysopt connection permit-ipsec and ACL" (VPN/Security forum)?

Oleg Tipisov,

REDCENTER,

Moscow
