
VRF-Lite WAN Routing Issue

nix-patheon
Level 1

Hi guys,

I'm having problems routing between two VRF-lite instances on two ASR 1001 routers. I have separated my networks using a single VRF to isolate one network; the rest of the connected networks still belong in the global routing table. My problem seems to stem from the fact that I don't have connectivity between the two VRFs on either router when I use a route leak to add the WAN interface of each router as a default gateway. The route appears in the VRF routing table, but so far I have been unable to ping across the link. "debug ip icmp" doesn't show any output at the console when I run a ping test, and I can't work out why! I think this may be related to the way the VPN tunnels were configured on both routers, but they are not configured in a way that I'm used to, so I can't prove this. I would be very grateful for any help!

Thanks all.

Configs:

Router 1:

crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key * address 10.204.7.30
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set RTR-IPSEC esp-aes esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set RTR-IPSEC
!
! Route-based IPsec (VTI); no "ip vrf forwarding", so the tunnel sits in the global table
interface Tunnel0
 ip unnumbered GigabitEthernet0/0.4094
 tunnel source GigabitEthernet0/0.4094
 tunnel mode ipsec ipv4
 tunnel destination 10.204.7.30
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VTI
!
ip vrf RED
 description RED
 rd 885:885
!
! WAN sub-interface, global table
interface GigabitEthernet0/0.4094
 description 100Mb/s ETHERFLOW TO ROUTER2
 bandwidth 100000
 encapsulation dot1Q 4094
 ip address 10.204.7.25 255.255.255.248
 service-policy output POLICY_ETHERFLOW_SHAPING_100M
!
interface GigabitEthernet0/2
 description SHUTDOWN
 ip vrf forwarding RED
 no ip address
 duplex auto
 speed auto
!
! LAN sub-interfaces in VRF RED
interface GigabitEthernet0/2.885
 description r1-users
 encapsulation dot1Q 885
 ip vrf forwarding RED
 ip address 10.212.25.254 255.255.254.0
 no cdp enable
!
interface GigabitEthernet0/2.886
 description r1-phones
 encapsulation dot1Q 886
 ip vrf forwarding RED
 ip address 10.212.27.254 255.255.254.0
 no cdp enable
!
interface GigabitEthernet0/2.887
 description r1-printers
 encapsulation dot1Q 887
 ip vrf forwarding RED
 ip address 10.212.28.254 255.255.255.0
 no cdp enable
!
! Route leak: default for RED resolved via the tunnel in the global table
ip route vrf RED 0.0.0.0 0.0.0.0 Tunnel0 10.204.7.30 global

Router 2:

crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key * address 10.204.7.25
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set RTR-IPSEC esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set RTR-IPSEC
!
! Route-based IPsec (VTI); no "ip vrf forwarding", so the tunnel sits in the global table
interface Tunnel3
 ip unnumbered GigabitEthernet0/0/0.4092
 tunnel source GigabitEthernet0/0/0.4092
 tunnel mode ipsec ipv4
 tunnel destination 10.204.7.25
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VTI
!
ip vrf RED
 description RED
 rd 3:3
!
! WAN sub-interface, global table
interface GigabitEthernet0/0/0.4092
 description 100Mb/s ETHERFLOW TO R1
 bandwidth 100000
 encapsulation dot1Q 4092
 ip address 10.204.7.30 255.255.255.248
 service-policy output POLICY_ETHERFLOW_SHAPING_100M
!
! LAN interface in VRF RED
interface GigabitEthernet0/0/3
 description link to user switch
 ip vrf forwarding RED
 ip address 10.212.22.1 255.255.255.248
 negotiation auto
!
! Route leak: default for RED resolved via the tunnel in the global table
ip route vrf RED 0.0.0.0 0.0.0.0 Tunnel3 10.204.7.25 global

Accepted Solution

jamie.grive
Level 1

Hi,

The traffic will arrive at each router in the global VRF. From what I can see, you need some method for getting the traffic received in the global VRF across the WAN back into the 'RED' VRF.

You could do this via another tunnel running inside the VRF, or maybe you could force it with a static, e.g. 'ip route 10.212.22.0 255.255.255.248 GigabitEthernet0/0/3 10.212.22.1' for R2.

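The configs in the question and the fix in the reply above, written out as an added worked example; this is not configuration from either poster. It reuses the addresses and interface names from the posted configs. The /30 tunnel addresses in option B and the host address 10.212.22.2 used in the verification are made up for the example. The existing "ip route vrf RED ... global" statics only leak RED towards the global table; a packet coming out of the VTI is looked up in the global table of the receiving router, which has no route to any 10.212.x.x prefix, so it is dropped in forwarding. Either the global table needs a return path into RED on both routers (option A), or the tunnel itself goes into RED so nothing has to be leaked (option B).

```cisco
! ===== Option A: tunnels stay in global, add the missing global -> RED statics =====
! Each router needs a route for its OWN RED prefixes in the global table,
! pointing at the VRF interface, so decrypted packets arriving on the tunnel
! can be handed back into RED. Both sides need this, otherwise only one
! direction of each flow is delivered and pings still fail.
!
! Router 1 (RED prefixes from Gi0/2.885-887)
ip route 10.212.24.0 255.255.254.0 GigabitEthernet0/2.885
ip route 10.212.26.0 255.255.254.0 GigabitEthernet0/2.886
ip route 10.212.28.0 255.255.255.0 GigabitEthernet0/2.887
!
! Router 2 (RED prefix from Gi0/0/3)
ip route 10.212.22.0 255.255.255.248 GigabitEthernet0/0/3
!
! Caveat: these statics make the RED prefixes reachable from the global table,
! so any global-side source that can reach the router (not only the far end of
! the IPsec tunnel) now has a path into the "isolated" network. Keep the
! prefixes exact and filter on the WAN sub-interface if that matters, or use B.

! ===== Option B: put the tunnel interface in VRF RED, no leaking at all =====
! The tunnel gets its own address (assumed 10.212.255.0/30) because an
! unnumbered interface has to borrow from an interface in the same VRF, and
! the WAN sub-interface stays in global. Tunnel source/destination and the
! ISAKMP/IPsec peering remain in the global table, so no "tunnel vrf" is needed.
!
! Router 1
no ip route vrf RED 0.0.0.0 0.0.0.0 Tunnel0 10.204.7.30 global
interface Tunnel0
 ip vrf forwarding RED
 ip address 10.212.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0.4094
 tunnel destination 10.204.7.30
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VTI
!
! Specific prefix instead of a default: a default in both directions would
! bounce traffic for unknown destinations between the routers until TTL expires.
ip route vrf RED 10.212.22.0 255.255.255.248 Tunnel0
!
! Router 2
no ip route vrf RED 0.0.0.0 0.0.0.0 Tunnel3 10.204.7.25 global
interface Tunnel3
 ip vrf forwarding RED
 ip address 10.212.255.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0.4092
 tunnel destination 10.204.7.25
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VTI
!
ip route vrf RED 10.212.24.0 255.255.254.0 Tunnel3
ip route vrf RED 10.212.26.0 255.255.254.0 Tunnel3
ip route vrf RED 10.212.28.0 255.255.255.0 Tunnel3

! ===== Verification (either option), on Router 1 =====
! show crypto ipsec sa                     -> #pkts encaps and decaps both increase
! show ip route vrf RED                    -> 10.212.22.0/29 (or the default) present
! show ip cef vrf RED 10.212.22.2 detail   -> resolves to the tunnel, not "no route"
! ping vrf RED 10.212.22.2                 -> host behind R2 (address assumed)
```

Why "debug ip icmp" was silent: it only reports ICMP that the router itself sends or terminates. Transit echoes from a LAN host are forwarded (or dropped) in CEF on both routers and never reach the ICMP process, so the debug is empty whether or not the return route exists. Note that with option A a "ping vrf RED" issued on the router without a source address leaves the unnumbered tunnel sourced from the global WAN address, so also test host to host before declaring it fixed.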

2 Replies


Jamie, you are the man!

Your explanation was also very clear, and understood!

Thank you.
