crypto map associated with multiple interfaces. cannot enable rri

Scott Reedman (Level 1)

Hi All,

I am having trouble configuring a crypto map for VPN clients so that I can use RRI to inject the static route into EIGRP. I have dual ISPs, and creating a new map seems to appear on both interfaces, denying me the ability to enable RRI. I know I am overlooking something and I seem to be just going in circles online. Has anyone found a solid workaround for advertising the VPN pool to the internal network so my clients can access other remote sites within the company? Or is it better to just use a static route on my core switch connected to the ASA and use a route map to redistribute from there? I am using RRI on another site, but it only has one ISP and outside interface, so I have the ability to insert the set reverse-route into the map.

Thanks in advance for any suggestions.

3 Replies

GioGonza (Level 4)

Hello @Scott Reedman,

I did a lab recreate for your concern and I think that cannot be done; I got the following error:

crypto map outside_map interface backup
ERROR: crypto map has entries with reverse-route injection enabled

I was searching for an enhancement request or a bug but I didn't find anything. I believe it is not supported since the ASA will add the static route once you enable RRI on the crypto map, and since you have 2 interfaces it will create 2 routes for 2 different interfaces; that's probably why it is not supported.

I think it will be better to handle the routing part somewhere else, since from the ASA perspective it is not going to be allowed.

HTH

Gio

Thank you for the response and for trying this, I appreciate it. I was thinking the same thing but wanted to throw it out there in case I was overlooking something. I think I will do a route map on the core to redistribute the static into EIGRP. I am currently using static routes at each location and the VPN clients are able to reach all locations once logged into the client.

Thanks again for your efforts.

When you recreated this in your lab, were you using an ASA5505/10 or a next-gen ASA5508/16?

I'm running into the same issues; however, I previously had RRI enabled with a crypto map applied to multiple interfaces, although it was on a 5510 running Cisco Adaptive Security Appliance Software Version 9.1(6)8:

access-list site19_l2l_vpn extended permit ip 172.16.0.0 255.255.0.0 172.16.19.0 255.255.255.0
!
nat (inside,any) source static obj-172.16.128.0 obj-172.16.128.0 destination static obj-172.16.19.0 obj-172.16.19.0 no-proxy-arp route-lookup
!
crypto dynamic-map site19 19 match address site19_l2l_vpn
crypto dynamic-map site19 19 set ikev1 transform-set L2L-SET
crypto dynamic-map site19 19 set reverse-route
!
crypto map l2lmap 19 ipsec-isakmp dynamic site19
!
crypto map l2lmap interface outside
crypto map l2lmap interface comcast-fiber
crypto map l2lmap interface comcast
!
crypto ikev1 enable outside
crypto ikev1 enable comcast-fiber
crypto ikev1 enable comcast
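As an added example that is not part of any post in this thread: a small Python audit script that reads an ASA configuration and reports every crypto map which carries reverse-route injection (directly, or through a referenced dynamic map as in the configuration above) while being bound to more than one interface, which is the combination the ASA in Gio's lab rejected. The sample configuration is a constructed copy of the lines posted above; the regexes are an assumption that covers only the command forms seen in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto map lines from the post above, where the
# dynamic map sets reverse-route and the map is bound to three interfaces.
SAMPLE_CONFIG = """\
crypto dynamic-map site19 19 match address site19_l2l_vpn
crypto dynamic-map site19 19 set ikev1 transform-set L2L-SET
crypto dynamic-map site19 19 set reverse-route
crypto map l2lmap 19 ipsec-isakmp dynamic site19
crypto map l2lmap interface outside
crypto map l2lmap interface comcast-fiber
crypto map l2lmap interface comcast
"""

# Assumption: only the command forms that appear in this thread are matched.
DYN_RRI = re.compile(r"^crypto dynamic-map (\S+) \d+ set reverse-route$")
MAP_RRI = re.compile(r"^crypto map (\S+) \d+ set reverse-route$")
MAP_DYN = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$")
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")

def find_rri_multi_interface(config):
    """Return {crypto_map: [interfaces]} for every crypto map that carries
    reverse-route (directly or through a referenced dynamic map) and is
    bound to more than one interface, i.e. the combination the ASA rejects."""
    dyn_rri = set()                 # dynamic maps with set reverse-route
    map_rri = set()                 # crypto maps with set reverse-route
    map_dyn = defaultdict(set)      # crypto map -> referenced dynamic maps
    map_ifaces = defaultdict(set)   # crypto map -> bound interfaces
    for raw in config.splitlines():
        line = raw.strip()
        if m := DYN_RRI.match(line):
            dyn_rri.add(m.group(1))
        elif m := MAP_RRI.match(line):
            map_rri.add(m.group(1))
        elif m := MAP_DYN.match(line):
            map_dyn[m.group(1)].add(m.group(2))
        elif m := MAP_IFACE.match(line):
            map_ifaces[m.group(1)].add(m.group(2))
    findings = {}
    for cmap, ifaces in map_ifaces.items():
        has_rri = cmap in map_rri or bool(map_dyn[cmap] & dyn_rri)
        if has_rri and len(ifaces) > 1:
            findings[cmap] = sorted(ifaces)
    return findings

if __name__ == "__main__":
    for cmap, ifaces in find_rri_multi_interface(SAMPLE_CONFIG).items():
        print(f"{cmap}: reverse-route with {len(ifaces)} interfaces: {', '.join(ifaces)}")
```

Running it against a saved `show running-config` before pushing a change surfaces the conflict ahead of the ASA's "crypto map has entries with reverse-route injection enabled" error.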
