Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3350
Views
5
Helpful
9
Replies

ASA 9.4 RRI (reverse route injection) doesn't work

Igor Mordiuk
Level 1
Level 1

‎07-16-2015 06:23 AM - edited ‎03-11-2019 11:16 PM

Hi to all.

After replacing old ASA with ASA-5515 (9.4(1)) I faced with the problem concerning RRI (reverse rout injection).

I noticed that ASA doesn't insert route in routeing table when vpn-tunnels become up.

crypto map office 1 match address ipsec2office
crypto map office 1 set pfs
crypto map office 1 set peer 10.1.1.1
crypto map office 1 set ikev1 transform-set AES
crypto map office 1 set reverse-route

Also I checked release note for 9.4 and found no relative bugs.

 

Any ideas?

4 people had this problem
Labels:
0 Helpful
9 Replies 9

Igor Mordiuk
Level 1
Level 1

‎07-20-2015 12:02 AM

UP!

0 Helpful

Igor Mordiuk
Level 1
Level 1
In response to Igor Mordiuk

‎07-24-2015 01:52 AM

UP

0 Helpful

scottrobertson2ctr
Level 1
Level 1

‎08-17-2015 02:36 PM

I recently upgraded to same code version on my pair of ASA 5525x active - active multi context firewalls. I noticed after a shutdown and restart of the firewalls RRI no longer injected the remote VPN routes into my firewall routing tables. Once I removed the crptyo map statements to enable RRI and then re- enabled the RRI feature the routes returned and correctly distributed the routes from my L2L IKEv2 VPN firewall to my other firewall contexts running on these physical firewall pairs. I did not see this before the upgrade to Image 9.4(1). I was previously running 9.1.(3) code.

 

I believe this may be a bug in this version of code aka 9.4(1).

 

Can anyone else experiencing this RRI issue confirm this behavior ?

 

 

Regards,

 

Scott Robertson

 

Vladimir Shoinbayev
Level 1
Level 1

‎01-11-2016 10:27 PM

https://tools.cisco.com/bugsearch/bug/CSCth58083/?referring_site=bugquickviewredir

Known Affected Releases:     8.3(1)

I see the same behaviour on 9.5(1)

funny part is solution: "add a static route for the VPN pool", but it should work

0 Helpful

Igor Mordiuk
Level 1
Level 1
In response to Vladimir Shoinbayev

‎01-11-2016 11:52 PM

According to this bug you should use OSPF. In my case I don't. 

0 Helpful

Vladimir Shoinbayev
Level 1
Level 1
In response to Igor Mordiuk

‎01-13-2016 05:58 AM

I believe it's not a problem with OSFP or any dynamic routing or redistribution at all.

I'm using EIGRP and after failover switching VPN routes disapear from routing tables (like a static routes) so there are nothing to redistribute.

I've made a static routes to outside interface and problem is gone because static routes in the routing table (while outside is up)

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni

‎01-13-2016 12:49 AM

I have had nothing but problems with 9.4(x).  I would avoid it.

0 Helpful

fred.weston
Level 1
Level 1

‎05-17-2016 04:52 PM

Also having this problem after updating to 9.4.  Is there a solution other than using static routes?

0 Helpful

manojmaharjan
Level 1
Level 1

‎09-04-2016 03:58 AM

Faced same issue of RRI in ASA 5505 with 9.2.4.
reissuing the command for reverse-route works till reload.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card