Cisco Support Community
Community Member

Disappearing IPsec routes with RRI

Hi all,

I am trying to set up a pair of 1941 routers in an HA configuration to act as L2L VPN gateways. The active router of the pair should distribute routes to the remote destinations to internal routers using OSPF. The VPN part is working fine and the routers are correctly advertising routes to internal hosts; however, my problem is that when an IPsec session disconnects, the routes disappear and therefore internal hosts cannot reestablish a connection. If the remote end establishes a connection, the routes appear again and connectivity is restored.

My setup is as follows:

(ASA) --> (pvpn01 & pvpn02 HA pair) --> (internet) --> (remote peer)

Relevant sections from my config:

ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
!
track 1 interface GigabitEthernet0/1 line-protocol
track 2 interface GigabitEthernet0/0 line-protocol
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key xxxxxx address
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map outsidemap 10000 ipsec-isakmp
 set peer
 set security-association lifetime seconds 600
 set transform-set aes-sha
 match address vpn_ospftest_acl
 ! static RRI: routes for the crypto ACL destinations are meant to stay
 ! installed whether or not an SA is up
 reverse-route static
!
interface GigabitEthernet0/0
 ip address
 no ip proxy-arp
 ip verify unicast reverse-path
 ip ospf message-digest-key 1 md5 xxxxxxx
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description outside
 ip address
 no ip proxy-arp
 ip verify unicast reverse-path
 standby delay minimum 120 reload 120
 standby 1 ip
 standby 1 preempt
 standby 1 authentication md5 key-string xxxxxxx
 standby 1 name pvpn_external
 standby 1 track 2 decrement 10
 ip ospf message-digest-key 1 md5 xxxxxxx
 duplex auto
 speed auto
 ! crypto map bound to the HSRP group so the SAs follow the active router
 crypto map outsidemap redundancy pvpn_external stateful
!
router ospf 1
 no compatible rfc1583
 log-adjacency-changes detail
 area 0 authentication message-digest
 ! the RRI static routes reach internal routers through this redistribution
 redistribute static subnets route-map rmap_ospf_redistribute
 network area 0
 network area 0
!
ip route
ip route
!
! referenced by route-map rmap_ospf_redistribute below
ip access-list standard acl_ospf_redistribute
!
ip access-list extended vpn_ospftest_acl
 permit ip
!
route-map rmap_ospf_redistribute permit 10000
 match ip address acl_ospf_redistribute

The other router in the pair has exactly the same config except with different interface IPs. The remote end is configured to talk to the HA address.

The VPN routers are both running IOS version 15.0(1r)M9.

When I initially boot the routers, the route for appears in 'show crypto route', and is advertised to neighboring routers. If I ping an address on that network an SA is established and stays active as long as there is traffic flowing.

pvpn02#show crypto  route

VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
        S - Static Map ACLs

Routes created in table GLOBAL DEFAULT [1/0] via tag 0
                                on GigabitEthernet0/1 RRI  S

If I then stop traffic flowing over the tunnel and wait until the IPsec SA lifetime is expired, the route is deleted from the system routing table and therefore not distributed by OSPF. The result is that internal hosts cannot reestablish the tunnel as the other routers have no route to the network.

Is this a bug, or is there another way to get the RRI routes to persist on the active router? My understanding of the docs suggests that this should work.

I've attached a log from the active router. It is taken with 'debug crypto ipsec' enabled.

Thanks in advance,
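
As an added example that is not part of the original post or of Cisco's own tooling: a small Python check that parses 'show crypto route' and 'show ip route' output and reports RRI prefixes that were present at boot but have since vanished from either table, which is the comparison the post describes doing by hand. The two CLI captures are constructed samples using RFC 5737 addresses, laid out the way IOS 15 prints them; the exact line formats the regexes expect are an assumption to verify against your own platform's output before wiring this into a monitor.

```python
import ipaddress
import re

# 'show crypto route' lists each RRI entry on two lines (format assumed from
# IOS 15 output and the fragment in the post):
#   <network>/<dotted mask> [<ad>/<metric>] via <next-hop> tag <n>
#                                   on <interface> RRI  S
CRYPTO_ROUTE_RE = re.compile(
    r"^\s*(?P<net>\d+\.\d+\.\d+\.\d+)/(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+tag\s+(?P<tag>\d+))?\s*$"
)
CRYPTO_FLAGS_RE = re.compile(r"^\s*on\s+(?P<ifname>\S+)\s+(?P<flags>.*?)\s*$")

# Static entries in 'show ip route' (the 'S*' default route is deliberately
# excluded by requiring whitespace right after the code letter):
#   S        10.20.0.0/24 [1/0] via 203.0.113.1
RIB_STATIC_RE = re.compile(
    r"^S\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\[\d+/\d+\]\s+via\s+(?P<nh>\S+)"
)

# Constructed sample output (RFC 5737 addresses): state right after boot, when
# the RRI route for the remote network is present in both tables.
BOOT_CRYPTO_ROUTE = """\
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
        S - Static Map ACLs

Routes created in table GLOBAL DEFAULT
10.20.0.0/255.255.255.0 [1/0] via 203.0.113.1 tag 0
                                on GigabitEthernet0/1 RRI  S
"""
BOOT_RIB = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.1
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.1.0/24 is directly connected, GigabitEthernet0/0
L        10.0.1.2/32 is directly connected, GigabitEthernet0/0
S        10.20.0.0/24 [1/0] via 203.0.113.1
"""

# Constructed sample output after the SA lifetime expired with no traffic:
# the RRI entry and its static route are gone from both tables.
EXPIRED_CRYPTO_ROUTE = """\
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
        S - Static Map ACLs

Routes created in table GLOBAL DEFAULT
"""
EXPIRED_RIB = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.1.0/24 is directly connected, GigabitEthernet0/0
L        10.0.1.2/32 is directly connected, GigabitEthernet0/0
"""


def parse_crypto_route(text):
    """Return {prefix: (next_hop, interface, flags)} for RRI entries."""
    routes, pending = {}, None
    for line in text.splitlines():
        m = CRYPTO_ROUTE_RE.match(line)
        if m:
            # normalise dotted mask to prefix length so it compares with the RIB
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            pending = (str(net), m["nh"])
            continue
        m = CRYPTO_FLAGS_RE.match(line)
        if m and pending:
            flags = tuple(m["flags"].split())
            if "RRI" in flags:
                routes[pending[0]] = (pending[1], m["ifname"], flags)
            pending = None
    return routes


def parse_rib_static(text):
    """Return {prefix: next_hop} for static ('S') routes in 'show ip route'."""
    return {m["prefix"]: m["nh"] for m in map(RIB_STATIC_RE.match, text.splitlines()) if m}


def missing_rri_routes(baseline_crypto, current_crypto, current_rib):
    """RRI prefixes seen at baseline that are now absent from the crypto route
    table or the RIB. With 'reverse-route static' these should stay installed
    regardless of SA state, so a non-empty result is the symptom in the post."""
    expected = set(parse_crypto_route(baseline_crypto))
    still_crypto = set(parse_crypto_route(current_crypto))
    still_rib = set(parse_rib_static(current_rib))
    return sorted(p for p in expected if p not in still_crypto or p not in still_rib)


if __name__ == "__main__":
    print("after boot:", missing_rri_routes(BOOT_CRYPTO_ROUTE, BOOT_CRYPTO_ROUTE, BOOT_RIB))
    print("SA expired:", missing_rri_routes(BOOT_CRYPTO_ROUTE, EXPIRED_CRYPTO_ROUTE, EXPIRED_RIB))
```

Capturing the baseline once after boot and re-running the comparison on a schedule turns the "route is gone, nobody can dial the tunnel" condition into an alert instead of a user complaint; the same check also tells you whether the route was lost only in the RIB or in the crypto route table as well.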


Cisco Employee

Disappearing IPsec routes with RRI

Hi David,

It sounds like you are hitting a bug, possibly this one:

CSCtr87413    RRI static Route disappear after receiving delete notify and DPD failure

Note that 15.0(1r)M9 is not your IOS version, the "r" means this is the bootstrap version.

Also note that the bug mentioned above affects 15.0 as well as 15.1 but is only fixed in 15.1(4)M3 and later (and supposedly, 15.2 is not affected).



Community Member

Disappearing IPsec routes with RRI


I have the same issue using RRI with RIPv2...
When the IPsec lifetime expires, the route is removed, so hosts from the internal network cannot reach the external one any more.
I have to run a script which performs ICMP to keep the tunnel up every time.

Any other solution would be appreciated

PS: The peers are an ASA and an 881 router.

