Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

RRI, why doesn't it work without it ...

Hi there,

I've got a Concentrator(3015, 4.7.2.G) to ASA (5505, 8.0(2)) IPSec L2L connection.


The encryption domain is set to 192.168.14/24 <-> 10.10.20/24. The IPSec SAs are negotiated correctly.

Trying to ping from ASA(inside) to the Concentrator(inside), puts some packets into the tunnel (shown on both devices session info) but the Concentrator doesn't send anything back.

After enabling Reverse Route Injection, the ASA's ping is answered. But packets from a host within the Concentrators Inside network are send to the ASA and are decrypted there (showing an "recv error" per decrypted packet) but now there's no answer back.

I'm confused (and tired ;-), why do I have to enable RRI? What has to be done on the ASA (RRI, too?)? Is it possible to avoid RRI completely in this scenario?

Many thanks for any comment,


CreatePlease login to create content