Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Reverse route injection

My senerio involves two new connections to a partner that requires automatic failover.

First connection is an IPSEC tunnel using an ASA 5585X. Easy enough and I'm planning on using reverse route injection for this. I've used them for all of our VPN tunnels and it works great. The ASA participates in EIGRP, so no issues redistributing that route to the rest of the network.

Second connection is a direct connection from one of my other sites with a direct connection to one of the partner's firewalls. That connection is an 80 Mbit static route that's being redistributed into EIGRP.

My question though is how do I prefer the second connection if the VPN tunnel is unable to connect for an extended amount of time, other than disabling RRI while the connection is down.

Hall of Fame Super Blue

Re: Reverse route injection

That's the main issue with RRI ie. the routes are advertised whether or not the tunnel is up and being used so you have no way of preferring those routes but then overriding them if the tunnel is not up.

So whatever you do with the metrics etc, it just won't work.

What you could do although it may not be a solution is -

1) configure a static route for the remote VPN network on the ASA and track that route. If the remote end is up then the route is in the routing table and then you can redistribute this into EIGRP and make it the preferred route (if it isn't already) by manipulating the metric

2) if the tracked route fails then it is removed from the routing table and so is no longer redistributed into EIGRP. So the second connection is now used as that is the only EIGRP route available.

3) if the VPN tunnel becomes available again then the route is reinstalled in the ASA routing table and redistributed into EIGRP again.

The downside of this is that the VPN tunnel would be up all of the time because of the tracking and the partner would have to accept pings coming in to their end.

But you need somehow to remove the EIGRP route if the tunnel is down so i can't think of anything else at the moment.