cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7535
Views
10
Helpful
9
Replies
Highlighted
Beginner

ASA 9.6.2 reverse route injection change

I have a couple of 5545x's running in a HA pair, were running on 9.1.5.  The environment overview, we are running a bunch of point to point vpn's into the firewalls.  The routes come into the routing table as a static with an AD of 1.  As most people know, there is no way to change that AD of the RRI route to any other AD, quite frustrating as you can do this on the routers.  But, we have found a way to work through this.  

Following, from there we redistribute the statics (RRI routes) into EIGRP.  So the neighbors will get the routes with an AD of 170.  The nice thing about this is the remote sites that we have typically have a primary MPLS connection.  Those connections come into our primary site via BGP and those are redistributed into EIGRP.  

With the MPLS routes and the VPN routes, I set the VPN routes with a worse metric (not AD), therefore, if the MPLS connection is up at the remote site, that will always be preferred. 

HOWEVER, i upgraded the pair to 9.6.2.  I started to realize I was getting some asymmetric routing issues on the network.  I found in the EIGRP neighbors, all the routes from the ASA pair were receiving them as internal EIGRP route (AD of 90), instead of what they were doing, receiving them as external.  Well that screwed up our balance of routes for all vpn's, now the network saw those as preferred, instead of the MPLS.  

In the ASA, RRI use to put them in as a static.  They are not static's anymore, they are 'V' routes, which stands for VPN.  Example below:

!

V        10.8.8.0 255.255.255.0 connected by VPN (advertised), Outside

!

Following, they were just putting them into EIGRP, no redistribution was working.  But, i saw the word 'connected' in the route, so I tried redistribute 'connected', still nothing.  I looked for a command under the EIGRP process, like 'redistribute VPN', still nothing.  

I currently have a TAC case open but i have not heard back from them yet.  But the only work around i found was to make a ton (felt like a billion) static routes for each vpn network and remove RRI.

If anyone has any magical ideas that would be appreciated.  

Thanks,

9 REPLIES 9
Highlighted
Beginner

We have same issue. Did you solve it?

Highlighted

My Cisco TAC is still open and i keep getting updates that they are working on it.  Currently, my work around was to turn off RRI, and enter in static routes for every remote site.  

meanwhile, still waiting to hear from tac.  

Highlighted

Thx for your reply. Let us keep in touch on your TAC case updates.

Highlighted
Cisco Employee

Hi tellis002,

Can you downgrade the ASA to 9.6.1 and test , since 9.6.2 has known issues with RRI

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd21665/?referring_site=bugquickviewredir

Thanks

Shakti

Highlighted

I am going to be, either tonight or this coming weekend, upgrading a pair of ASA's to the 9.6.3.  i will let you know on the results.

Later - Tony

Highlighted

So I did upgrade and I have the same result.  As you can see, a single route below on the ASA, following the nexus attached directly to it.  The RRI routes are no longer redistributed into the network at 170, which is a pain.  

!

V        10.8.8.0 255.255.255.0 connected by VPN (advertised), Outside

!

router eigrp 1

redistribute static

network 10.62.241.15 0.0.0.0

!

!

Cisco Adaptive Security Appliance Software Version 9.6(3)1 

!

********INSIDE NETWORK DEVICE*********

!

10.8.8.0/24, ubest/mbest: 1/0
*via 10.62.241.15, Vlan201, [90/179712256], 00:16:31, eigrp-EIGRP-HOLLAND, internal

!

Highlighted

Thx. The bad result is also a result...

Highlighted
Beginner

Recently Cisco makes new recommended release available (asa963-1-smp-k8.bin). Does anybody check RRI issue with it?

Highlighted
Enthusiast

It's a shame what cisco did change in the latest releases...

I run into the same issue, but with a different use-case. My use case is based on a standard IPSec LAN-2-LAN implementation.

I know, you should never ever use the "any" keyword in a crypto ACL, but since it's a remote location with no split tunnel, it was decent to do so in past (running 5505 with Release 7.x).

Now we wanted to replace the unit with the same config but the latest code (9.7.1(8)) with IRB enabled for the switchport issue. But unfortuntly, the box was not able to built it's tunnel due to the VPN Route added in the routing table. This produces a kind of routing loop (lookup of the peer IP in the VPN route from RRI). I guess this is a misbehaviour since this runs well until 9.6.1 and stopped while they added the the VPN RRI feature, or how ever it is called...

And as you already read in this post, the only workaround for this as well is: Disable RRI in the crypto map (no crypto map outside_map 10 set reverse-route) or not use the "any" keyword!

Content for Community-Ad