I'm configuring an ASA V8.2(1) with remote access and L2L IPSec tunnel groups.
I configured inverse route injection on all of them, and I see this behaviour:
When a remote client or L2L establishes an IPSec tunnel, a static route with the remote subnet comes into the ASA routing table. But unlike the remote clients (in which the static route vanishes as soon as the tunnel disconnects), in the case of L2L tunnels the static route gets stuck endlessly in the ASA routing table despite the L2L disconnection. This route persistence poses a design problem for me:
An organization plans to deploy two ASAs, each one in a different Data Center with different global IP addresses. The L2L remote routers will also include the two IP addresses of both ASAs so that they will connect recursively to the second IP in case of failure of the first one, thereby providing high availability.
To make it work, every ASA should announce the L2L-learnt static routes to the intranet by redistributing them into OSPF.
But if the ASA of the first data center ceases to get internet access due to an ISP problem or whatever, it will keep announcing by OSPF the stuck static routes learned from previous L2L sessions, leading to a routing failure because two ASAs would announce the same L2L routes.
Does somebody have any suggestion to overcome this problem?
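For readers who want to see the setup the post describes in configuration form, here is an added ASA 8.2-style fragment. It is an illustration written for this page, not configuration from the original poster; the names (OUTSIDE_MAP, DYN_MAP, ESP-AES-SHA, RRI_ONLY, RRI_PREFIXES), the RFC 5737 peer address 203.0.113.10 and the 10.1.0.0/16 and 192.168.50.0/24 subnets are all assumed. It shows reverse route injection enabled on both the static L2L crypto map entry and the dynamic map used by remote-access clients, and the OSPF redistribution of those injected static routes that the poster's design relies on.

```cisco
! Hypothetical ASA 8.2 fragment added as an example (assumed names and
! RFC 5737 addresses); not taken from the original post.

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! L2L peer: static crypto map entry with reverse route injection (RRI).
! While this SA is up, a static route for 192.168.50.0/24 appears in "show route".
access-list L2L_BRANCH extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key example-psk-change-me

! Remote-access clients: dynamic crypto map entry, also with RRI.
! These injected host routes disappear when the client disconnects.
crypto dynamic-map DYN_MAP 20 set transform-set ESP-AES-SHA
crypto dynamic-map DYN_MAP 20 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! Redistribute only the RRI-injected prefixes into OSPF, not every static
! route on the box (the default route in particular must not leak).
access-list RRI_PREFIXES standard permit 192.168.50.0 255.255.255.0
route-map RRI_ONLY permit 10
 match ip address RRI_PREFIXES
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
 redistribute static subnets route-map RRI_ONLY
```

Verify with "show route" after the L2L SA comes up: the branch prefix should be listed as a static (S) route, and the intranet routers should receive it as an OSPF external. The route-map only limits which static routes are redistributed; it does nothing about a static route that stays in the table after the L2L SA is gone, so with this configuration on both data-center ASAs, the stale route the post describes would still be advertised by the ASA that lost its internet connectivity.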