I am trying to set up a pair of 1941 routers in a HA configuration to act as L2L VPN gateways. The active router of the pair should distribute routes to the remote destinations using OSPF to internal routers. The VPN part is working fine and the routers are correctly advertising routes to internal hosts, however my problem is that when an IPsec sessions disconnect, the routes disappear and therefore internal hosts cannot reestablish a connection. If the remote end establishes a connection, the routes appear again and connectivity is restored.
permit ip 10.26.0.0 0.0.255.255 192.168.66.0 0.0.0.255
route-map rmap_ospf_redistribute permit 10000
match ip address acl_ospf_redistribute
The other router in the pair has exactly the same config except with different interface IPs. The remote end is configured to talk to the HA address
The VPN routers are both running IOS version 15.0(1r)M9.
When I initially boot the routers, the route for 192.168.66.0/24 appears in 'show crypto route', and is advertised to neighboring routers. If I ping an address on that network an SA is established and stays active as long as there is traffic flowing.
pvpn02#show crypto route
VPN Routing Table: Shows RRI and VTI created routes Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface S - Static Map ACLs
Routes created in table GLOBAL DEFAULT 192.168.66.0/255.255.255.0 [1/0] via 220.127.116.11 tag 0 on GigabitEthernet0/1 RRI S
If I then stop traffic flowing over the tunnel and wait until the IPsec SA lifetime is expired, the route is deleted from the system routing table and therefore not distributed by OSPF. The result is that internal hosts cannot reestablish the tunnel as the other routers have no route to the 192.168.66.0/24 network.
Is this a bug, or is there another way to get the RRI routes to persist on the active router? My understanding of the docs suggests that this should work.
I've attached a log from the active router. It is taken with 'debug crypto ipsec' enabled.
I have the same issue using RRI with RIPv2... When the IPSec lifetime expires, the route is removed so hosts from the internal network cannot join the external one any more I have to run a script which performs ICMP to keep the tunnel up everytime.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...