EZVPN Server (ASA using RRI/OSPF) failover: Client connectivity issue
ASAs configured as EZVPN servers. Two of them are at the main data center with an Active/Standby (stateful) configuration; the third one is at the DR data center. All run OSPF and use RRI (Reverse Route Injection) so that the EZVPN client networks are learned dynamically in the internal network when the clients connect.
--> Failover between the units works great. Client networks are learned dynamically with no issues.
--> When both units at the main location go down, the clients connect to the DR location unit (after some period) and the client networks are learned dynamically via the DR site.
The issue is that when a client is connected to the DR site and the primary units come back online, the client loses enterprise network access. After some tests it was observed that, as the client subnet (10.199.x.x) is learned dynamically via OSPF with the 'redistribute static subnets' command, when the main site ASA outside interface comes online the ASA installs a 'STATIC' route in its routing table for the client network (10.199.x.x) even though the client is not connected, and advertises that network; so even though the client is connected to the DR site at that time, the client routes redistributed by the primary unit enter the routing table.
Please find the attached configurations for the main location and DR site ASAs.
I am planning to open a TAC case on this, but I would like to get some solutions from the gurus as well.
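The attached configurations are not part of this page, so the fragment below is an added illustration of the setup the post describes (EZVPN server on an ASA with RRI on a dynamic crypto map, feeding the injected routes into OSPF via 'redistribute static subnets'), not the poster's own config. The names (ESP-AES-SHA, DYN-MAP, OUTSIDE-MAP, RRI-CLIENTS, RRI-TO-OSPF), the 10.199.0.0/16 client pool, the 10.10.0.0/24 inside network, OSPF process 1 and area 0 are all assumed. It goes slightly beyond the post in one respect: the redistribution is constrained with a route-map and prefix-list so that only static routes inside the client pool are redistributed, which keeps any other static route on the unit from leaking into OSPF. It does not change when the ASA installs the RRI route, which is the behaviour the post is asking about.

```text
! Added example; not from the original post's attached configs.
! Names and addresses below are assumptions, not values from the page.
!
! IPsec transform set used by the dynamic crypto map entry.
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! RRI on the dynamic crypto map: the ASA installs a static route for the
! client's assigned address/network and can hand it to OSPF.
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Only static routes inside the client pool are eligible for redistribution.
prefix-list RRI-CLIENTS seq 10 permit 10.199.0.0/16 le 32
route-map RRI-TO-OSPF permit 10
 match ip address prefix-list RRI-CLIENTS
!
! OSPF toward the internal network; RRI routes enter as external routes.
router ospf 1
 network 10.10.0.0 255.255.255.0 area 0
 redistribute static subnets route-map RRI-TO-OSPF
```

To see which RRI routes a unit is currently advertising, compare 'show route' (the injected entries appear as static routes for the client prefixes) against the active sessions in 'show vpn-sessiondb' on each unit; a client prefix present as a static route on a unit that has no session for that client is the condition described in the post.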