I'm struggling with my VPN configuration; I hope someone can point me in the right direction.
I configured my VPNs to use my WAN primary and WAN backup link; this is not the problem. The problem is that I can't use RRI anymore because I get this error message:
Crypto map associated with multiple interfaces. Cannot enable rr
So what can I do? Must I add two static routes manually with different metrics? Or is there another, better solution, because I have 30 VPN sites; when I have to add two routes for every VPN site I end up with 60 route entries.
I will try to explain it in more detail. We implemented a second internet line (ISP2). Now it is not possible to use RRI in the VPN settings because of multiple interfaces. So I think I have two options; the first one is to set routes like this:
<192.168.0.0/16 gateway ISP1> and <192.168.0.0/16 gateway ISP2> and enable route tracking on the ASA to use the dual ISP scenario. Could work. The second option is to add every remote network into the static routing and also enable route tracking for each static route. Could work, but it is not very comfortable. What is best practice to avoid a large static routing table?
Also, my second problem is that ISP3 is running EIGRP to the ASA, which works perfectly. But when I use a static 192.168.0.0/16 route, how can I redistribute single networks like 192.168.200.0/24 into the EIGRP process? I think that can only work if I add all remote networks into the static routing and then redistribute those networks into EIGRP. Is this correct? Below you will find a small network diagram to give an overview.
Whenever I've had to deal with this kind of active/passive scenario that you describe, I've simply made a duplicate of the crypto map and assigned it to the secondary interface and enabled RRI on both. Then it's just a matter of using IP SLA to track the default route for ISP1 and ISP2.
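The setup described in this reply, written out as an added example (not the poster's own config): one crypto map per WAN interface with RRI on each, plus an IP SLA tracked default route. Interface names follow the thread; peer, transform set, ACL name and all addresses are placeholders, and ASA 8.4+ IKEv1 syntax is assumed.

```cisco
! Site-to-site policy for one remote site, duplicated under a second map name
! so that each map is bound to exactly one interface (RRI refuses a map bound to two).
crypto map wan_primary_map 10 match address vpn_site1_acl
crypto map wan_primary_map 10 set peer 203.0.113.10
crypto map wan_primary_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map wan_primary_map 10 set reverse-route
crypto map wan_primary_map interface wan_primary

crypto map wan_backup_map 10 match address vpn_site1_acl
crypto map wan_backup_map 10 set peer 203.0.113.10
crypto map wan_backup_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map wan_backup_map 10 set reverse-route
crypto map wan_backup_map interface wan_backup

crypto ikev1 enable wan_primary
crypto ikev1 enable wan_backup

! IP SLA probe toward the ISP1 next hop; the primary default route is withdrawn
! when the probe fails, so the floating route via ISP2 takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface wan_primary
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

route wan_primary 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route wan_backup 0.0.0.0 0.0.0.0 192.0.2.1 254
```

The RRI route for a remote network is injected only on the interface where that tunnel is currently established, so the remote peer must also be configured with the ASA's backup address as a secondary peer for the route to appear via wan_backup after failover.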
Thanks for pointing me in the right direction. I tested the config in our map and it is working. But when I enable RRI in both crypto maps and have a look into the route table, I see that only the route to ISP1 is available.
192.168.2.0 255.255.255.0 [1/0] via 18.104.22.168, wan_primary
So RRI is not switching over to ISP2 if failover occurs. Any thoughts?
Please can you elaborate on this? If you have both interfaces enabled for IPsec access, then the crypto maps that are created get automatically assigned to those interfaces, so there is no need to duplicate them. If you delete one of the two identical crypto maps (separate interfaces), the ASA deletes them both for both interfaces. Hence, I am unable to enable RRI on the crypto maps.
Any feedback would be very much appreciated as I am having the same issue.