12-06-2012 09:03 AM - edited 03-21-2019 06:42 AM
We have a Cisco UC560 (UC560-FXO-K9) running "Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M),
Version 15.1(2)T2, RELEASE SOFTWARE (fc1)". The issue is that when we have end users connecting with the Cisco VPN Client to this device, sometimes we are unable to connect to any devices on our LAN, or sometimes we can't connect to the LAN on the other end of our site-to-site VPN. The one symptom I've observed when this happens is that old VPN sessions that have disconnected appear to leave static routes from the user's outside IP at their home to an IP on our LAN via a Virtual-Access interface. When this starts to happen, I restart the firewall to clear out the stale static routes and the problem is fixed, for a while at least. Below is the current state, where we have the site-to-site VPN connected to our branch office and 2 users connected with Cisco VPN clients. Below that is the static route table, which has 5 total Virtual-Access interface routes (one is an extra route for a user currently connected, so that their outside IP is in the static route table with 2 inside IPs associated). Is there a way to fix the cleanup of VPN connections when they terminate?
#sh crypto isakmp peers
Peer: <branch office outside IP> Port: 500 Local: <firewall's outside IP>
Phase1 id: <branch office outside IP>
Peer: <user's outside IP #1> Port: 50420 Local: <firewall's outside IP>
Phase1 id: EZVPN_GRP_437
Peer: <user's outside IP #2> Port: 49345 Local: <firewall's outside IP>
Phase1 id: EZVPN_GRP_437
Bugsy#sh ip ro st
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is <next hop of ISP for firewall> to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via <next hop of ISP for firewall>
10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
S 10.0.0.153/32 [1/0] via <non-connected IP of VPN user>, Virtual-Access2
S 10.0.0.155/32 [1/0] via <non-connected IP of VPN user>, Virtual-Access2
S 10.0.0.156/32 [1/0] via <user's outside IP #2>, Virtual-Access3
S 10.0.0.158/32 [1/0] via <user's outside IP #1>, Virtual-Access3
S 10.0.0.159/32 [1/0] via <user's outside IP #2 again>, Virtual-Access2
S 10.1.10.1/32 is directly connected, Vlan90
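Added example (not from the original post or from Cisco): a small check that correlates the two outputs shown above, "sh crypto isakmp peers" and "sh ip route static", and reports Virtual-Access (RRI) static routes whose next hop no longer has a live ISAKMP peer, plus peers that have more than one RRI route. The sample outputs are constructed with documentation addresses, not the poster's real ones; it is meant to be run over collected CLI output to decide whether stale routes have accumulated before falling back to a reload.

```python
import re
from collections import defaultdict

# Constructed sample "sh crypto isakmp peers" output (placeholder addresses).
ISAKMP_PEERS = """\
Peer: 198.51.100.10 Port: 500 Local: 203.0.113.1
 Phase1 id: 198.51.100.10
Peer: 192.0.2.20 Port: 50420 Local: 203.0.113.1
 Phase1 id: EZVPN_GRP_437
"""

# Constructed sample "sh ip route static" output: one live RRI route for
# 192.0.2.20, two left behind by 192.0.2.30 (which has no ISAKMP SA any more),
# and one extra route for 192.0.2.20 on a second Virtual-Access interface.
STATIC_ROUTES = """\
S* 0.0.0.0/0 [1/0] via 203.0.113.254
S 10.0.0.153/32 [1/0] via 192.0.2.30, Virtual-Access2
S 10.0.0.155/32 [1/0] via 192.0.2.30, Virtual-Access2
S 10.0.0.156/32 [1/0] via 192.0.2.20, Virtual-Access3
S 10.0.0.159/32 [1/0] via 192.0.2.20, Virtual-Access2
S 10.1.10.1/32 is directly connected, Vlan90
"""

PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+Port:", re.M)
# Only static routes that point out a Virtual-Access interface are RRI routes.
RRI_RE = re.compile(
    r"^S\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(Virtual-Access\d+)", re.M)

def active_peers(isakmp_output):
    """Set of peer addresses that currently have an ISAKMP SA."""
    return set(PEER_RE.findall(isakmp_output))

def rri_routes(route_output):
    """List of (prefix, next_hop, interface) for every Virtual-Access static route."""
    return RRI_RE.findall(route_output)

def stale_rri_routes(isakmp_output, route_output):
    """RRI routes whose next hop has no live ISAKMP peer: candidates left by old sessions."""
    peers = active_peers(isakmp_output)
    return [r for r in rri_routes(route_output) if r[1] not in peers]

def multi_route_peers(route_output):
    """Map next_hop -> prefixes for peers that own more than one RRI route."""
    by_peer = defaultdict(list)
    for prefix, next_hop, _intf in rri_routes(route_output):
        by_peer[next_hop].append(prefix)
    return {nh: p for nh, p in by_peer.items() if len(p) > 1}

if __name__ == "__main__":
    for prefix, nh, intf in stale_rri_routes(ISAKMP_PEERS, STATIC_ROUTES):
        print(f"stale RRI route: {prefix} via {nh} on {intf}")
    for nh, prefixes in multi_route_peers(STATIC_ROUTES).items():
        print(f"peer {nh} has {len(prefixes)} RRI routes: {', '.join(prefixes)}")
```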
12-11-2012 08:50 PM
Hi Brian,
This sounds like you are running into the following known issue:
CSCtl03682 - EzVPN client: Several RRI routes pointing to same virtual interface
which is Dup'd to:
CSCtf39056 - RRI routes not deleted
This is fixed since 15.1(2)T4, so I would recommend upgrading to SWP 8.2 or higher. The only other way to clean up the stuck routes is to reload the router.
Thanks,
Brandon
12-12-2012 10:02 AM
Thank you Brandon! This looks like the precise symptoms I am experiencing. I am going to use the reload on a nightly schedule workaround until I get this device upgraded.