I have a site-to-site FlexVPN configuration that is working with an fvrf at the hub's end on a 2921, with no VRF provisioned on the spoke's end. When I configure the VRF on the spoke, it seems as if the hub doesn't add the static route for the IP address it assigned to the tunnel. I am using BGP to exchange the routes, and my authorization profile has the route set interface, which worked fine before the VRFs were added.
I cannot find any examples of an fvrf on spokes. My goal is to backhaul all internet traffic for one of the spokes, using the VRF to establish the tunnel. If that doesn't work, then I may end up using route-maps.
I will post the relevant configs when I put everything back in a failed state.
Here is some of the information from my configuration. I would like to have all my BGP routes advertised in the global routing table while the interface connected to the public network is in its own VRF (test in my example); basically, I am looking for an fvrf scenario that works fine on the remote end. The hub is a 2921 and the spoke is an 891.
 ip vrf forwarding test
 ip address dhcp
 ip address negotiated
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0
 tunnel destination 18.104.22.168
 tunnel vrf test
 tunnel protection ipsec profile default
!
crypto ikev2 proposal test
!
crypto ikev2 policy test
 match fvrf any
!
crypto ikev2 profile default
 match fvrf any
 match identity remote fqdn domain mydomain.com
 match certificate MYMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint IOS-CA
 dpd 10 2 periodic
 nat keepalive 5
 aaa authorization group cert list default default
!
crypto ipsec profile default
 set ikev2-profile default
The issue seems to be that the hub isn't setting the static route for the IP address it assigns to the tunnel interface on the spoke. I am trying to understand this a little better to see what is breaking; however, you can see here that the routes from the spoke are added just fine. 10.252.192.2 is the unnumbered interface for my virtual-template on the hub end.
I ran the debugs on both ends, and the hub is not adding the route after it issues the IP address to the spoke tunnel interface. I will try to upgrade the code to see if that fixes any issue, since there isn't a bug that I found in the release notes.
Thanks for your help. I am working with TAC, and the issue seems to be with the routing when the configs are exchanged. The routing table on the spoke was not showing the tunnel IP address on the remote end as directly connected; instead it showed it connected through the 0.0.0.0 route, which was on the fvrf. I upgraded the image to 15(3)3 and the problem went away. When I get the details of the bug I will circle back and post on this thread.
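A complete spoke-side layout of the scenario asked about in this thread, added here as a constructed example (it is not the poster's running config and not a Cisco reference configuration): the public interface and the tunnel's underlay lookup live in fvrf test, while the tunnel interface itself and BGP stay in the global table, and the IKEv2 policy and profile are pinned to that fvrf instead of `match fvrf any`. Assumed, because the thread does not show them: the tunnel number (Tunnel0), the proposal contents, and the BGP AS numbers 65001/65000.

```text
! Constructed example (not the poster's config). Assumed: Tunnel0, proposal contents, BGP AS numbers.
ip vrf test
!
crypto ikev2 proposal test
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy test
 match fvrf test
 proposal test
!
crypto ikev2 profile default
 match fvrf test
 match identity remote fqdn domain mydomain.com
 match certificate MYMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint IOS-CA
 dpd 10 2 periodic
 nat keepalive 5
 aaa authorization group cert list default default
!
crypto ipsec profile default
 set ikev2-profile default
!
! Public-facing interface: only this lives in the fvrf
interface GigabitEthernet0
 ip vrf forwarding test
 ip address dhcp
!
! Tunnel stays in the global table; only its source/destination are looked up in vrf test
interface Tunnel0
 ip address negotiated
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0
 tunnel destination 18.104.22.168
 tunnel vrf test
 tunnel protection ipsec profile default
!
! BGP runs over the tunnel in the global table (AS numbers are placeholders)
router bgp 65001
 neighbor 10.252.192.2 remote-as 65000
 neighbor 10.252.192.2 update-source Tunnel0
```

Once the session is up, `show ip route` on the spoke should list the hub's tunnel address (10.252.192.2) as reachable via Tunnel0 rather than through the 0.0.0.0 route in the fvrf, which is exactly the symptom the last post describes.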