
Adding Reverse Route causes 50% loss

richard.dean
Level 1

I am building some IPSEC tunnels where the remote locations have dynamic IP addresses. It works fine, but I need to add more sites; right now I just have the one. When I add the reverse route statement, I start getting 50% packet loss based on ping responses "!.!.!.!.!.!.!.!". If I remove the RR it works fine: "!!!!!!!!!!". Question is, what am I doing wrong, or do I really need the reverse route? Right now the ACL is for the one subnet for the current location, but I will be adding more sites. How would I adjust the ACL for more remote subnets if the remote sites are doing split tunneling and the ACLs must match?

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
!
crypto isakmp key (PASSWORD) address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 20 periodic
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set NAMECRYPTset esp-3des esp-md5-hmac
!
crypto dynamic-map NAMECRYPTmap 10
 set transform-set NAMECRYPTset
 match address 115

1 Reply

richard.dean
Level 1

I removed the reverse route, and also removed "match address 115", as neither is needed in this scenario.

I think this will be what I am needing, but I am still curious as to why the RR appears to drop packets. I don't need it now because I will not be advertising those routes, but I am still wondering.
