Cisco Support Community

New Member

reverse route injection

So, I've got a crypto map with a dynamic peer and wildcard psk. The default route on the vpn headend points to the corporate lan, not the internet. So, I'd like to use rri to automatically create a route to the remote peer based on the peer dns lookup. So, I've done the following and rri does not seem to work. Although, if I add a static to the peer ip it does work. Any ideas? IOS is 12.4(25b). Am I missing something regarding the operation of rri? To quote Cisco literature on the subject, rev rem should create two routes. "The first route is to the destination-protected subnet via the remote tunnel endpoint. The second route specifies the next hop to be taken to reach this tunnel endpoint." It seems that the second route is not being created.

ip route [lanRouter]

cry map bla 10 ipsec-isa

set peer dynamic

rev rem [internetRouter]

ip route [] [internetRouter] (add this and it works)

Cisco Employee

Re: reverse route injection


Your understanding of RRI is correct. With your configuration, RRI should add a second static host route to the peer address pointing out the egress interface where the crypto map is applied. However, in practice, unless your egress link is a p2p interface, we always recommend you use "reverse-route remote-peer [internetRouter_ip_address]" to avoid incomplete adjacency issues. As a matter of fact, the command "reverse-route remote-peer" (without a next-hop ip) has been deprecated in IOS 12.4(15)T and later.



New Member

Re: reverse route injection

Thanks for the info. I am including the next hop in rev rem command usage. I am a bit stumped as to why it is not working. No results in bug toolkit for this issue. Opened a tac case.
