Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
987
Views
0
Helpful
0
Comments

The VPN 3000 Series Concentrator does not flush routes properly for EZVPN clients

TCC_2
Level 10
Level 10

on ‎06-22-2009 06:12 PM

Core issue

This issue usually occurs when routes are learned through a routing protocol, Reverse Route Injection (RRI) or Network Discovery, once the LAN-to-LAN tunnel is active.


When the VPN 3030 public interface fails, routes from remote EZVPN peers (in network extension mode) are removed properly.  At this point, remote EZVPN peers re-home to an alternate concentrator. If the concentrator that lost its public interface regains it, the routes from the formerly attached peers are re-entered into the routing table.

Note: This problem can cause an outage.

Resolution

In order to resolve this issue, perform these workarounds:

Set shorter keepalives to shorten the time lag. Go to Configuration > User Management > Group in order to set this value.

When the public port is administratively disabled, the dynamic routes do not drop immediately. They only drop after the concentrator has verified that the tunnel is not there any more. When the port is physically unplugged, the dynamic routes are removed much sooner. Something in the way the concentrator is designed to cause the concentrator to act differently, depending on whether if the port is physically disconnected or only in admin shutdown.

Refer to User management for additional help.

Problem Type

Troubleshoot software feature

Product Family

VPN - 3000 series concentrator

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents