
Adding Reverse Route causes 50% loss

richard.dean
Level 1

I am building some IPSEC tunnels where the remote locations have Dynamic IP addresses. It works fine, but I need to add more sites; right now I just have the one. When I add the reverse route statement, I start getting 50% packet loss based on ping responses "!.!.!.!.!.!.!.!". If I remove the RR it works fine: "!!!!!!!!!!". Question is, what am I doing wrong, or do I really need the reverse route? Right now the ACL is for the one subnet for the current location, but I will be adding more sites. How would I adjust the ACL for more remote subnets if the remote sites are doing split tunneling and the ACLs must match?

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
!
crypto isakmp key (PASSWORD) address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 20 periodic
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set NAMECRYPTset esp-3des esp-md5-hmac
!
crypto dynamic-map NAMECRYPTmap 10
 set transform-set NAMECRYPTset
 match address 115

1 Reply 1

richard.dean
Level 1

I removed the reverse route, and also removed "match address 115", as neither is needed in this scenario.

I think this will be what I am needing, but still curious as to why the RR appears to drop packets. I don't need it now because I will not be advertising those routes, but still wondering.