
Reverse route injection (RRI) problem

I am facing a problem with RRI.

My SA has been deleted, but my RRI route is still in the routing table.



Re: Reverse route injection (RRI) problem

Hi Rao, [Please rate if this helps]

Cisco has declared the issue to be a bug. Please read the complete bug report collected from the site:

Please log a new trouble ticket with Cisco and identify whether your IOS version c7200p-advsecurityk9-mz.124-15.T3.bin is also impacted by RRI.

CSCsm13389 Bug Details

RRI is not called if QM rekey timer expiry forces SA deletion

It may be possible for a RRI created route to be left behind even after the associated IPsec SAs have been removed.

It is observed in Cisco IOS 12.2 versions supporting the VPNSM or SPA. This situation can occur if connectivity is lost between peers prior to an attempted IPsec (phase 2) SA rekey. If DPD has not detected a failure between the peers and traffic is not being sent, the first indication that the tunnel is down will occur when a rekey is required. Once the rekey timers have expired the old SAs are removed, but RRI was not being called in this scenario.

Use DPD in such a way as to know if a tunnel is down prior to needing a rekey. Aggressive rekey intervals on links with questionable reliability is not

Related Bug Information


RRI route stays in routing table even when IPsec SA is deleted.

Symptoms: The RRI route is not deleted from the routing table even though the IPsec SAs are not active.

Condition: It is being observed on 6500/7600 running 12.2SRA code when using a dynamic crypto map; the 6500/7600 configuration doesn't delete the RRI route even when Phase 2 SAs are deleted.

Workaround: "Clear crypto session" clears the RRI route from the routing table.

Hope I am Informative

PLS RATE if HELPS => Use the RATING System

Best Regards,

Guru Prasad R
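A check for the symptom described in this thread, added here as an example and not part of the original posts or Cisco's bug report: it compares static routes against IPsec SAs that still carry an SPI and reports routes with no live SA behind them. The sample text is constructed and simplified from the layout of `show ip route static` and `show crypto ipsec sa`; the function names, and the assumption that every static route shown is RRI-created, are illustrative.

```python
import ipaddress
import re

# Constructed sample text, simplified from IOS "show ip route static"
# and "show crypto ipsec sa" output. Assumption: all static routes here
# were installed by RRI.
ROUTES = """\
S    10.1.1.0/24 [1/0] via 192.0.2.1
S    10.2.2.0/24 [1/0] via 192.0.2.2
"""

IPSEC_SA = """\
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 192.0.2.1 port 500
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 192.0.2.2 port 500
     inbound esp sas:
"""

ROUTE_RE = re.compile(r"^S\*?\s+(\d+\.\d+\.\d+\.\d+/\d+)\s", re.M)
IDENT_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")

def static_routes(text):
    """Return the static route prefixes as ip_network objects."""
    return {ipaddress.ip_network(p) for p in ROUTE_RE.findall(text)}

def protected_networks(text):
    """Return remote proxy networks that still list at least one SPI."""
    active, current = set(), None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            # New SA block: remember which remote network it protects.
            current = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current is not None and line.strip().startswith("spi:"):
            active.add(current)
    return active

def stale_rri_routes(route_text, sa_text):
    """Static routes with no active SA for the same remote network."""
    return sorted(static_routes(route_text) - protected_networks(sa_text))

if __name__ == "__main__":
    for net in stale_rri_routes(ROUTES, IPSEC_SA):
        print(f"possible stale RRI route: {net}")
```
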
