Issues with static removing itself using RRI

jack.leung
Level 1

Hi all,

I'm running into an issue where my headend VPN router is removing the static route on its own even though the IPsec tunnel is still up. It drops randomly (I have had it disappear in 15 mins or 4 hours later) and what's odd is that it will re-add the static on its own at random times (again like 15 mins after it drops or 4 hours after it drops, very random). Clearing the tunnel does not restore the static. Clearing the config and re-adding it will, however, but obviously this is not a good solution. I can confirm the tunnel is still up by doing a show crypto ipsec sa, and I see the tunnel is still there.

The design and config is pretty simple. One headend VPN router (3825 running 12.4 IOS) and one remote router (871 router) configured for LAN to LAN. The crypto map on the headend router is using the reverse-route subcommand to inject statics when the tunnel is up.

Headend router

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp key SOMEKEY address 99.99.99.99

crypto isakmp keepalive 60 periodic

crypto ipsec transform-set Remote-Office-TS esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps

crypto map WAN_VPN client configuration address respond

crypto map WAN_VPN 50 ipsec-isakmp
 description REMOTE
 set peer 99.99.99.99
 set transform-set Remote-Office-TS
 match address 100
 reverse-route

Any ideas?


Jennifer Halim
Cisco Employee

Change the "reverse-route" to "reverse-route static", that would make sure that the redistributed static route is always there.

The keyword "static" is normally used for static LAN-to-LAN crypto/tunnel.

Here is the URL for your reference if you are interested:

http://www.cisco.com/en/US/partner/docs/ios/12_3t/12_3t14/feature/guide/gt_rrie.html

Hope that helps.

Thanks for the recommendation. What do you mean by static will always be there? So if the IPsec tunnel comes down the route would remain in place?

Correct, even if the tunnel is down, it will always be there as it is taking the crypto ACL as the route to be redistributed.

Ah, I should have mentioned that I can't have that since I have a backup router in a different location. I'm redistributing statics into eigrp so the remote office route will appear in one of two locations depending where the tunnel is going to at the moment.
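A check for the symptom described in this thread (IPsec SA present, RRI static route absent), as an added example that is not part of any poster's message. The `show crypto ipsec sa` and `show ip route static` text below is constructed and abbreviated; the remote network 192.168.50.0/24 and the local address are assumptions, since the thread does not show access-list 100, and route lines printed without a prefix length are not handled.

```python
import ipaddress
import re

# Constructed, abbreviated sample in the general shape of "show crypto ipsec sa".
SAMPLE_SA = """\
interface: FastEthernet0/0
    Crypto map tag: WAN_VPN, local addr 198.51.100.1

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer 99.99.99.99 port 500
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
"""
# Constructed "show ip route static" samples: route present, route missing.
ROUTES_OK = "S    192.168.50.0/24 [1/0] via 99.99.99.99\n"
ROUTES_MISSING = "S*   0.0.0.0/0 [1/0] via 198.51.100.254\n"

IDENT = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
ROUTE = re.compile(r"^S\*?\s+(\d+\.\d+\.\d+\.\d+/\d+)", re.M)


def active_remote_nets(sa_text):
    """Remote proxy networks that have at least one inbound ESP SPI listed."""
    nets, current, inbound = set(), None, False
    for line in sa_text.splitlines():
        m = IDENT.search(line)
        if m:
            # New SA block: remember its remote proxy identity.
            current = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            inbound = False
        elif "inbound esp sas" in line:
            inbound = True
        elif "sas:" in line:
            inbound = False  # any other SA section (ah, pcp, outbound)
        elif inbound and "spi:" in line and current is not None:
            nets.add(current)
    return nets


def missing_rri_routes(sa_text, route_text):
    """Networks with a live SA but no static route, as sorted strings."""
    statics = {ipaddress.ip_network(p) for p in ROUTE.findall(route_text)}
    return [str(n) for n in sorted(active_remote_nets(sa_text) - statics)]


if __name__ == "__main__":
    print(missing_rri_routes(SAMPLE_SA, ROUTES_MISSING))
```

Run on a schedule against captured CLI output, a non-empty result timestamps each disappearance of the route so it can be lined up with the ISAKMP lifetime and keepalive events on the headend.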
