Hi Rao, [Please rate if this helps]
Cisco has declared the issue to be a bug. Please read the complete bug report collected from the site:
Please log a new trouble ticket with Cisco and identify whether your IOS version c7200p-advsecurityk9-mz.124-15.T3.bin is also impacted by RRI.
CSCsm13389 Bug Details
========================
RRI is not called if QM rekey timer expiry forces SA deletion
Symptoms:
==========
It may be possible for a RRI created route to be left behind even after the
associated IPsec SAs have been removed.
Conditions:
============
It is observed in Cisco IOS 12.2 versions supporting the VPNSM or SPA. This
situation can occur if connectivity is lost between peers prior to an attempted
IPsec (phase 2) SA rekey. If DPD has not detected a failure between the peers
and traffic is not being sent, the first indication that the tunnel is down
will occur when a rekey is required. Once the rekey timers have expired the
old SAs are removed, but RRI was not being called in this scenario.
Workaround:
============
Use DPD in such a way as to know if a tunnel is down prior to needing a rekey.
Aggressive rekey intervals on links with questionable reliability are not
recommended.
Related Bug Information
=========================
RRI route stays in the routing table even after the IPsec SA is deleted.
Symptoms: The RRI route is not deleted from the routing table even when the IPsec SAs are not active.
Condition: It is being observed on 6500/7600 running 12.2SRA code; when using a dynamic crypto map, the 6500/7600 configuration doesn't delete the RRI route even when the Phase 2 SAs are deleted.
Workaround: "Clear crypto session" clears the RRI route from the routing table.
Hope this is informative.
Please rate if this helps => use the rating system
Best Regards,
Guru Prasad R
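
A check for the condition described in the bug report above, as an added example that is not part of the original post or of Cisco's report: it flags static routes whose matching IPsec proxy has no SPI listed. The sample text is constructed and abbreviated in the general shape of `show ip route static` and `show crypto ipsec sa` output, and the script assumes every static route passed in was installed by RRI.

```python
import ipaddress
import re

# Constructed, simplified sample output (not captured from a real device).
ROUTES = """\
S    10.10.1.0/24 [1/0] via 192.0.2.10
S    10.10.2.0/24 [1/0] via 192.0.2.20
"""

SAS = """\
   remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
   current_peer 192.0.2.10 port 500
     inbound esp sas:
      spi: 0x1A2B3C4D
     outbound esp sas:
      spi: 0x0BADF00D
   remote ident (addr/mask/prot/port): (10.10.2.0/255.255.255.0/0/0)
   current_peer 192.0.2.20 port 500
     inbound esp sas:
     outbound esp sas:
"""


def protected_prefixes(sa_text):
    """Return remote proxy prefixes that still list at least one SPI."""
    active, current = set(), None
    for line in sa_text.splitlines():
        ident = re.search(r"remote ident .*:\s*\(([\d.]+)/([\d.]+)/", line)
        if ident:
            # A new proxy block starts; SPIs below it belong to this prefix.
            current = ipaddress.ip_network(f"{ident.group(1)}/{ident.group(2)}")
        elif current is not None and re.search(r"\bspi:\s*0x[0-9A-Fa-f]+", line):
            active.add(current)
    return active


def stale_rri_routes(route_text, sa_text):
    """Return static routes (assumed RRI-installed) with no active SA."""
    active = protected_prefixes(sa_text)
    stale = []
    for line in route_text.splitlines():
        route = re.match(r"S\s+(\d+\.\d+\.\d+\.\d+/\d+)\s", line)
        if route and ipaddress.ip_network(route.group(1)) not in active:
            stale.append(route.group(1))
    return stale


if __name__ == "__main__":
    for prefix in stale_rri_routes(ROUTES, SAS):
        print(f"route {prefix} has no active IPsec SA")
```

Real `show ip route static` output may print the mask on a separate "is subnetted" line, so the route regex needs adapting before this is run against device output.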