Cisco Support Community

New Member

Issues with static removing itself using RRI

Hi all,

I'm running into an issue where my headend VPN router is removing static on its own even though the IPsec tunnel is still up. It drops randomly (I have had it disappear in 15 mins or 4 hours later) and what's odd is that it will re-add the static on its own at random times (again like 15 mins after it drops or 4 hours after it drops, very random). Clearing the tunnel does not restore the static. Clearing the config and re-adding will, however, but obviously this is not a good solution. I can confirm the tunnel is still up by doing a show crypto ipsec sa and I see the tunnel is still there.

The design and config is pretty simple. One headend VPN router (3825 running 12.4 IOS) and one remote router (871 router) configured for LAN to LAN. The crypto map on the headend router is using reverse-route subcommand to inject statics when the tunnel is up.

Headend router

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp key SOMEKEY address

crypto isakmp keepalive 60 periodic

crypto ipsec transform-set Remote-Office-TS esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps

crypto map WAN_VPN client configuration address respond

crypto map WAN_VPN 50 ipsec-isakmp
 description REMOTE
 set peer
 set transform-set Remote-Office-TS
 match address 100

Any ideas?

Cisco Employee

Re: Issues with static removing itself using RRI

Change the "reverse-route" to "reverse-route static"; that would make sure that the redistributed static route is always there.

The keyword "static" is normally used for static LAN-to-LAN crypto/tunnel.

Here is the URL for your reference if you are interested:

Hope that helps.

New Member

Re: Issues with static removing itself using RRI

Thanks for the recommendation. What do you mean by static will always be there? So if the IPsec tunnel comes down, the route would remain in place?

Cisco Employee

Re: Issues with static removing itself using RRI

Correct, even if the tunnel is down, it will always be there as it is taking the crypto ACL as the route to be redistributed.

New Member

Re: Issues with static removing itself using RRI

Ah, I should have mentioned that I can't have that since I have a backup router in a different location. I'm redistributing statics into EIGRP so the remote office route will appear in one of two locations depending on where the tunnel is going to at the moment.
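
A monitoring check for the symptom described in the first post (IPsec SA still active while the RRI static route is gone), added here as an example and not posted by anyone in the thread. The sample "show crypto ipsec sa" and "show ip route static" text is constructed with documentation addresses, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample output, not taken from the thread.
SAMPLE_SA = """\
   remote ident (addr/mask/prot/port): (10.50.1.0/255.255.255.0/0/0)
   current_peer 198.51.100.7 port 500
      spi: 0x1A2B3C4D(439041101)
        Status: ACTIVE
   remote ident (addr/mask/prot/port): (10.50.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.9 port 500
      spi: 0x5E6F7A8B(1584364171)
        Status: ACTIVE
"""
SAMPLE_ROUTES = """\
     10.0.0.0/24 is subnetted, 1 subnets
S       10.50.1.0 [1/0] via 198.51.100.7
"""

REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
HEADER = re.compile(r"^\s*\d+\.\d+\.\d+\.\d+/(\d+) is subnetted")
ROUTE = re.compile(r"^S\*?\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s")

def active_remote_nets(sa_text):
    """Remote proxy identities that have at least one SA in ACTIVE state."""
    nets, current = set(), None
    for line in sa_text.splitlines():
        m = REMOTE.search(line)
        if m:
            current = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current is not None and "Status: ACTIVE" in line:
            nets.add(current)
    return nets

def static_nets(route_text):
    """Static prefixes; a route printed without a mask inherits the 'is subnetted' header mask."""
    nets, inherited = set(), None
    for line in route_text.splitlines():
        h = HEADER.search(line)
        if h:
            inherited = h.group(1)
            continue
        m = ROUTE.match(line)
        if m and (m.group(2) or inherited):
            nets.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2) or inherited}"))
    return nets

def missing_rri_routes(sa_text, route_text):
    """Networks protected by an active SA that have no matching static route."""
    return sorted(active_remote_nets(sa_text) - static_nets(route_text))
```

Run on a schedule against both command outputs, a non-empty result timestamps each window in which the route was withdrawn while the SA stayed up.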