09-28-2017 12:19 PM - edited 03-12-2019 04:34 AM
Hi All,
I am having trouble configuring a crypto map for VPN clients so that I can use RRI to inject the static route into EIGRP. I have dual ISPs, and creating a new map seems to appear on both interfaces, denying me the ability to enable RRI. I know I am overlooking something and I seem to be just going in circles online. Has anyone found a solid workaround for advertising the VPN pool to the internal network so my clients can access other remote sites within the company? Or is it better to just use a static route on my core switch connected to the ASA and use a route map to redistribute from there? I am using RRI on another site, but it only has one ISP and outside interface, so I have the ability to insert the set reverse-route into the map.
Thanks in advance for any suggestions.
10-05-2017 02:04 PM
Hello @Scott Reedman,
I did a lab recreate for your concern and I think that cannot be done; I got the following error:
crypto map outside_map interface backup
ERROR: crypto map has entries with reverse-route injection enabled
I was searching for an enhancement request or a bug but I didn't find anything. I believe it is not supported, since the ASA will add the static route once you enable RRI on the crypto map, and since you have 2 interfaces it will create 2 routes for 2 different interfaces; that's probably why it is not supported.
I think it will be better to handle the routing part somewhere else, since from the ASA perspective it is not going to be allowed.
HTH
Gio
10-05-2017 02:32 PM
Thank you for the response and for trying this, I appreciate it. I was thinking the same thing but wanted to throw it out there in case I was overlooking something. I think I will do a route map on the core to redistribute the static into EIGRP. I am currently using static routes at each location and the VPN clients are able to reach all locations once logged into the client.
Thanks again for your efforts.
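The core-switch alternative the thread settles on, written out as an added example (this is not configuration from any poster or from Cisco documentation for this thread): an IOS static route for the VPN client pool pointing at the ASA's inside interface, redistributed into EIGRP through a route map that matches only that one prefix. The pool 10.200.0.0/24, the ASA inside address 10.1.1.1, EIGRP AS 100 and the object names are assumptions chosen for illustration.

```cisco
! Assumed values (not from the thread): VPN client pool 10.200.0.0/24,
! ASA inside interface 10.1.1.1 reachable from the core, EIGRP AS 100.
!
! Static route for the VPN pool; next hop is the ASA inside interface.
ip route 10.200.0.0 255.255.255.0 10.1.1.1 name ASA-VPN-POOL
!
! Only the VPN pool prefix is allowed into EIGRP. Without this filter,
! every static on the core (including a 0.0.0.0/0 default, if one exists)
! would be redistributed and advertised to every remote site.
ip prefix-list VPN-POOL-ONLY seq 10 permit 10.200.0.0/24
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list VPN-POOL-ONLY
!
! Explicit deny for everything else (this is also the implicit behaviour,
! but stating it makes the intent obvious on review).
route-map STATIC-TO-EIGRP deny 20
!
router eigrp 100
 redistribute static route-map STATIC-TO-EIGRP
 ! Explicit seed metric: bandwidth(kbps) delay(tens of usec) reliability load MTU.
 default-metric 100000 100 255 1 1500
```

To confirm the result, check `show ip route eigrp` on a remote-site router for 10.200.0.0/24 as an EIGRP external (D EX) route, and `show route-map STATIC-TO-EIGRP` on the core to see the match counters increment for sequence 10 only. The ASA itself still needs routes to the remote-site networks via the core so return traffic from the VPN clients can leave the inside interface; this example only solves the inbound direction.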
12-21-2018 07:17 AM
When you recreated this in your lab, were you using an ASA5505/10 or a next-gen ASA5508/16?
I'm running into the same issues; however, I previously had RRI enabled with a crypto map applied to multiple interfaces, although it was on a 5510 running Cisco Adaptive Security Appliance Software Version 9.1(6)8.
access-list site19_l2l_vpn extended permit ip 172.16.0.0 255.255.0.0 172.16.19.0 255.255.255.0
!
nat (inside,any) source static obj-172.16.128.0 obj-172.16.128.0 destination static obj-172.16.19.0 obj-172.16.19.0 no-proxy-arp route-lookup
!
crypto dynamic-map site19 19 match address site19_l2l_vpn
crypto dynamic-map site19 19 set ikev1 transform-set L2L-SET
crypto dynamic-map site19 19 set reverse-route
!
crypto map l2lmap 19 ipsec-isakmp dynamic site19
!
crypto map l2lmap interface outside
crypto map l2lmap interface comcast-fiber
crypto map l2lmap interface comcast
!
crypto ikev1 enable outside
crypto ikev1 enable comcast-fiber
crypto ikev1 enable comcast