Cisco Support Community
ovt Bronze

IOS RRI bugs (?)

Hi!

Does anybody run RRI on IOS routers successfully?

It seems the implementation is full of bugs: every time the same VPN client reconnects, it is given a new IP address from the local pool. The old /32 static route is not removed. The cloned crypto map record is not removed either.

Is it possible to work around this?

Also, if the same interface terminates remote VPN clients and IPSec+GRE site-to-site tunnels, RRI adds a static /32 route to the VPN client via ALL interfaces with the crypto map applied: serial, tunnel 0, tunnel 1, ..., etc. (by unclear design one should apply the crypto map to both physical *and* tunnel interfaces).

Again, is it possible to work around this?

Oleg Tipisov, REDCENTER, Moscow

2 REPLIES
Cisco Employee

Re: IOS RRI bugs (?)

The VPN concentrator had this problem of not removing the route after a disconnect, but I haven't heard about it on IOS; maybe someone else on this list has.

Can you enable "debug cry ipsec" and "debug cry isa" when the client disconnects? We should be able to see whether the route is removed or not. How are the clients disconnecting? We need to make sure the IPSec SA is not being stranded. Can you include a "sho ip route" and a "sho cry isa peer" after the client connects, then again when it disconnects?

The "client route being added to all interfaces with the crypto map applied" is bug ID CSCdw38881, still being worked on.

ovt Bronze

Re: IOS RRI bugs (?)

Thank you for the reply.

I saw the problem of not removing the static route in 12.2(8)T. Could not reproduce it in 12.2(11)T2 yesterday :(

Glenn, your answers are always very useful, could you please answer my question titled "sysopt connection permit-ipsec and ACL" (VPN/Security forum)?

Oleg Tipisov, REDCENTER, Moscow
