Reverse Route Injection on ASA5505 *

Roberto Kippins · ‎02-20-2015

Hi all, I uploaded a sample topology to better explain what I want to do, from the topology attached I have two ASA5505s configured for site to site vpn, ASA2 has a direct tunnel to Site C while ASA1 passes through SITE B to get to C and I configured reverse route injection on both site A firewalls and I redistributed Site C subnets into the EIGRP AS1 at Site C but I used a slightly lower metric on ASA1 so that route through this firewall is a feasible successor , what I noticed is that ASA 2 stops redistributing the Site C routes when I shut down the outside vlan and the routes automatically switch to the feasible successor. I would like this similar convergence to happen if the isp for ASA2 goes down, my question is can this be done?

guibarati · ‎02-20-2015

It should happen. If the VPN is down, the subnet should withdraw.

It may be happening that the ASA is not "noticing" that the VPN is down. You can try to use DPD or something so the ASA will notice the vpn is down.

Kamal Malhotra · ‎02-21-2015

If the ISP goes down then the route might not go away as the route added via RRI for a static site to site tunnel is of permanent nature. So unless the interface goes down, the route should remain there. You could probably try SLA to track the reachability and add a track to EIGRP.

Roberto Kippins · ‎02-21-2015

Kamal, this is correct we have a /30 subnet on one vlan to the isp and then our subnet on another vlan where the asa is plugged in so I shutdown the /30 vlan adn the tunnel immediately went down, but when did a show ip route eigrp on my internal l3 switches the eigrp external routes was still there using the main firewall as the sucessor, I dont think the asa have much options for routing I noticed that I am limited as to waht i can do with route-maps on the asa but I will figure something out.