Hi Rob,

if I enable both tunnel individually everything works.

It only fails when the traffic fails over from the MPLS to the Internet and vice versa.

When the failover occurs, the ASA as an active tunnel (from the MPLS) but doesn't has the time to realise that it doesn't exist anymore before the new session establishes, this is when it glitches. 

In a glitched state if I logout the new VPN internet base tunnel the remote end rebuild the tunnel and everything works.

This doesn't happen on the ASR, the ASR will keep the old tunnel active until it expires (DPD) but will make the new tunnel the default route back to the remote LAN.

I hope that clarifies things.

thanks,

@AlexDC 

So are the RRI routes not cleared from the old tunnel and new routes not created?

Do you have DPD configured on the ASA to clear IPSec SAs for the dead tunnel?

Packet-tracer would still be useful to highlight what is going on.

Hi Rob,

I think this help me to realise that problem isn't related to the tunnel but how ASA deals with the routes.

Nothing appears in the logs but if I am SSH to the ASA while triggering a failover the ASA ouptut this error :

ERROR: Cannot add route entry, conflict with existing routes

We also redistribute the RRI back into OSPF.

So at this stage I don't know if this an OSPF redistribution issue or if the ASA complains about the existing RRI for the ghost session:

V 10.0.0.0.2 255.255.255.255 connected by VPN (advertised), remote_private

is there a way to force the ASA to replace the existing route ?

regards,

@AlexDC like I said, do you have DPD enabled on the ASA to clear the dead tunnel (IPSec SAs) and with it the old routes learnt via RRI?

@Rob Ingram 

Yes we do but even after the old tunnel is cleaned up the route is not added.

the only way to bring the route up is to logout the session for a new session to establish and the route to be added.

https://www.ciscolive.com/global/on-demand-library.html?search=vpn&search=vpn&search.event=ciscoliveus2020#/session/1573153557826001JtCQ

@Rob Ingram 

Thanks for the resources you shared watch the videos but I am failing to see how this would explain why our actual setup is working on our ASR but not on the ASA.

Why is the ASA rejecting the new route where an ASR is just replacing it with the newest.

You might assume that our implementation is not the best, and I'd agree with that . But the remote end are not cisco device and the VPN implementation is limited to policy base routing.

Further to this we do not have 2 ASA to terminate on, instead they are in a HA cluster so terminating on different box is not possible.

regards,

@AlexDC the error "ERROR: Cannot add route entry, conflict with existing routes" would imply that the old route is still in place. If the ASA was attempting to add the new route, a new tunnel would already have been established via the other link. If you look at the presentations I shared it suggests using a shorter DPD time interval on the ASA headend. Therefore the old tunnel is deleted on the ASA, the routes removed before the spoke has deleted it's tunnel and attempted to establish a new tunnel.

I am sure there is a logical reason why the ASR is acting differently to the ASA, I don't have access to the devices....

No official guide is applicable in all scenarios, but they do have useful information that can be applied in most scenarios.