L2L static routes stuck in the ASA routing table.

albert_coll
Level 1

Hello

I'm configuring an ASA V8.2(1) with remote access and L2L IPSec tunnel groups.

I configured inverse route injection to all of them, and i see this behaviour:

When a remote client or L2L peer establishes an IPSec tunnel, a static route for the remote subnet appears in the ASA routing table. But unlike the remote clients (where the static route vanishes as soon as the tunnel disconnects), in the case of L2L tunnels the static route gets stuck endlessly in the ASA routing table despite the L2L disconnection. This route persistence poses a design problem for me:

An organization plans to deploy two ASAs, each one in a different data center with different global IP addresses. The L2L remote routers will also include the IP addresses of both ASAs so that they will connect to the second IP in case of failure of the first one, thereby providing high availability.

To make it work, every ASA should announce the L2L-learnt static routes to the intranet by redistributing them into OSPF.

But if the ASA of the first data center ceases to get internet access due to an ISP problem or whatever, it will keep announcing via OSPF the stuck static routes learned from previous L2L sessions, leading to a routing failure because two ASAs would announce the same L2L routes.

Does somebody have any suggestion to overcome this problem?

Kind regards.

2 Replies

Collin Clark
VIP Alumni

I don't have my copy in front of me, but the following book is good at design considerations with VPNs:

http://www.amazon.com/IPSec-VPN-Design-Vijay-Bollapragada/dp/1587051117/ref=sr_1_7?ie=UTF8&s=books&qid=1256739098&sr=8-7

Hope it helps.

albert_coll
Level 1

I post my own answer to my problem just for reference to anyone else.

Solution:

The L2L tunnels in the ASA were defined as "bidirectional".

They should be defined as Answer-only. Conversely, the remote routers should be configured as originate-only.

When in Answer-only, the ASA boxes remove the reverse injection static route from the routing table as soon as the remote L2L disconnects.

(If in "bidirectional", the remote route gets stuck in the ASA routing table forever from the first time the tunnel is established.)
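For reference, here is what the two settings look like on an ASA crypto map, as an added example that is not from the original post. The crypto map name, ACL name, transform set, peer addresses and subnets are assumed placeholders; the remote side shown is assumed to be another ASA, since `originate-only` is ASA syntax.

```text
! --- Data-center ASA: the setting that left the RRI route stuck ---
! (bidirectional is the default connection-type; reverse-route installs
!  the static route for the remote subnet when the SA comes up)
crypto map outside_map 10 match address L2L_BRANCH_ACL
crypto map outside_map 10 set peer 198.51.100.20
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set reverse-route
crypto map outside_map 10 set connection-type bidirectional

! --- Data-center ASA: corrected, as described in the answer above ---
! answer-only: this ASA never initiates; the injected route is withdrawn
! when the branch tears the tunnel down, so a failed site stops
! redistributing stale L2L routes into OSPF.
crypto map outside_map 10 match address L2L_BRANCH_ACL
crypto map outside_map 10 set peer 198.51.100.20
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set reverse-route
crypto map outside_map 10 set connection-type answer-only
crypto map outside_map interface outside

! Redistribute the injected static routes into the intranet OSPF process
router ospf 1
 redistribute static subnets

! --- Branch peer (assumed ASA): originate-only with both DC addresses ---
! It initiates to the first peer and falls back to the second on failure.
crypto map outside_map 10 match address L2L_DC_ACL
crypto map outside_map 10 set peer 203.0.113.10 203.0.113.11
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set connection-type originate-only
crypto map outside_map interface outside
```

After a branch disconnect, `show crypto ipsec sa` should report no SA for the branch and `show route` should no longer list the branch subnet on the answer-only ASA.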