Cisco Support Community

The VPN 3000 Series Concentrator does not flush routes properly for EZVPN clients

Core issue

This issue usually occurs when routes are learned through a routing protocol, Reverse Route Injection (RRI) or Network Discovery, once the LAN-to-LAN tunnel is active.


When the VPN 3030 public interface fails, routes from remote EZVPN peers (in network extension mode) are removed properly. At this point, remote EZVPN peers re-home to an alternate concentrator. If the concentrator that lost its public interface regains it, the routes from the formerly attached peers are re-entered into the routing table.

Note: This problem can cause an outage.

Resolution

In order to resolve this issue, perform these workarounds:

Set shorter keepalives to shorten the time lag. Go to Configuration > User Management > Group in order to set this value.

When the public port is administratively disabled, the dynamic routes do not drop immediately. They drop only after the concentrator has verified that the tunnel is no longer there. When the port is physically unplugged, the dynamic routes are removed much sooner. Something in the way the concentrator is designed causes it to act differently, depending on whether the port is physically disconnected or only in admin shutdown.

Refer to User management for additional help.

Problem Type

Troubleshoot software feature

Product Family

VPN - 3000 series concentrator

Version history
Revision #: 1 of 1
Last update: 06-22-2009 06:12 PM