08-27-2012 07:27 AM - edited 02-21-2020 06:17 PM
Hi all,
I am trying to set up a pair of 1941 routers in a HA configuration to act as L2L VPN gateways. The active router of the pair should distribute routes to the remote destinations using OSPF to internal routers. The VPN part is working fine and the routers are correctly advertising routes to internal hosts, however my problem is that when an IPsec sessions disconnect, the routes disappear and therefore internal hosts cannot reestablish a connection. If the remote end establishes a connection, the routes appear again and connectivity is restored.
My setup is as follows:
(ASA) --> (pvpn01 & pvpn02 HA pair) --> (internet) --> (remote peer)
Relevant sections from my config:
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.26.100.246
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 10.26.100.247
track 1 interface GigabitEthernet0/1 line-protocol
track 2 interface GigabitEthernet0/0 line-protocol
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key xxxxxx address 79.171.99.80
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto map outsidemap 10000 ipsec-isakmp
 set peer 79.171.99.80
 set security-association lifetime seconds 600
 set transform-set aes-sha
 match address vpn_ospftest_acl
 reverse-route static
interface GigabitEthernet0/0
 ip address 10.26.100.246 255.255.255.0
 no ip proxy-arp
 ip verify unicast reverse-path
 ip ospf message-digest-key 1 md5 xxxxxxx
 duplex auto
 speed auto
interface GigabitEthernet0/1
 description outside
 ip address 91.216.255.246 255.255.255.240
 no ip proxy-arp
 ip verify unicast reverse-path
 standby delay minimum 120 reload 120
 standby 1 ip 91.216.255.248
 standby 1 preempt
 standby 1 authentication md5 key-string xxxxxxx
 standby 1 name pvpn_external
 standby 1 track 2 decrement 10
 ip ospf message-digest-key 1 md5 xxxxxxx
 duplex auto
 speed auto
 crypto map outsidemap redundancy pvpn_external stateful
router ospf 1
 router-id 91.216.255.246
 no compatible rfc1583
 log-adjacency-changes detail
 area 0 authentication message-digest
 redistribute static subnets route-map rmap_ospf_redistribute
 network 10.26.100.0 0.0.0.255 area 0
 network 91.216.255.240 0.0.0.15 area 0
ip route 0.0.0.0 0.0.0.0 91.216.255.241
ip route 10.26.0.0 255.255.0.0 10.26.100.1
ip access-list standard acl_ospf_redistribute
 permit 192.168.66.0 0.0.0.255
ip access-list extended vpn_ospftest_acl
 permit ip 10.26.0.0 0.0.255.255 192.168.66.0 0.0.0.255
route-map rmap_ospf_redistribute permit 10000
 match ip address acl_ospf_redistribute
The other router in the pair has exactly the same config except with different interface IPs. The remote end is configured to talk to the HA address 91.216.255.248.
The VPN routers are both running IOS version 15.0(1r)M9.
When I initially boot the routers, the route for 192.168.66.0/24 appears in 'show crypto route' and is advertised to neighboring routers. If I ping an address on that network, an SA is established and stays active as long as there is traffic flowing.
pvpn02#show crypto route
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
       S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
192.168.66.0/255.255.255.0 [1/0] via 79.171.99.80 tag 0
                           on GigabitEthernet0/1 RRI S
If I then stop traffic flowing over the tunnel and wait until the IPsec SA lifetime is expired, the route is deleted from the system routing table and therefore not distributed by OSPF. The result is that internal hosts cannot reestablish the tunnel as the other routers have no route to the 192.168.66.0/24 network.
Is this a bug, or is there another way to get the RRI routes to persist on the active router? My understanding of the docs suggests that this should work.
I've attached a log from the active router. It is taken with 'debug crypto ipsec' enabled.
Thanks in advance,
David
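The failure mode in this post is that a destination covered by the crypto-map ACL loses its RRI route once the SA lifetime expires, and nothing on the router flags it. One way to catch that from a monitoring host is to compare the crypto ACL against `show crypto route` output. The following is an added example written for this thread, not code from the thread or from Cisco: it parses the two text blocks in the layout quoted above (the regular expression and the constructed sample output are my assumptions about that format) and reports every ACL destination that has no RRI route left.

```python
"""Check that every destination in a crypto-map ACL still has an RRI route.

Added example for this thread (not code from the thread or from Cisco). The
parser targets the `show crypto route` layout quoted in the first post; the
sample texts below are constructed to match that layout.
"""
import re
from ipaddress import IPv4Network

# Constructed sample: the crypto ACL from the first post.
CRYPTO_ACL = """\
ip access-list extended vpn_ospftest_acl
 permit ip 10.26.0.0 0.0.255.255 192.168.66.0 0.0.0.255
"""

# Constructed sample: `show crypto route` while the SA is up.
SHOW_CRYPTO_ROUTE_UP = """\
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
       S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
192.168.66.0/255.255.255.0 [1/0] via 79.171.99.80 tag 0
                           on GigabitEthernet0/1 RRI S
"""

# Constructed sample: the same command after the SA lifetime expired and the
# RRI route was withdrawn (the symptom described in the thread).
SHOW_CRYPTO_ROUTE_EXPIRED = """\
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
       S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
"""

_OCTETS = r"\d{1,3}(?:\.\d{1,3}){3}"
# One route entry spans two lines: prefix/mask, [AD/metric], next hop and tag,
# then the continuation line with the outgoing interface and the route codes.
ROUTE_RE = re.compile(
    rf"(?P<net>{_OCTETS})/(?P<mask>{_OCTETS})\s+"
    rf"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>{_OCTETS})\s+tag\s+(?P<tag>\d+)\s+"
    r"on\s+(?P<intf>\S+)\s+(?P<codes>[^\n]*)"
)


def _take_addr(toks, i):
    """Consume one IOS ACL address spec starting at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return IPv4Network(f"{toks[i + 1]}/32"), i + 2
    if toks[i + 1] == "0.0.0.0":  # a 0.0.0.0 wildcard also denotes a single host
        return IPv4Network(f"{toks[i]}/32"), i + 2
    # "A.B.C.D W.X.Y.Z" with an IOS wildcard mask; ipaddress accepts hostmask notation.
    return IPv4Network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def crypto_acl_destinations(acl_text):
    """Destination prefixes (as strings) from the 'permit ip SRC DST' entries of an extended ACL."""
    dests = set()
    for line in acl_text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[:2] != ["permit", "ip"]:
            continue
        _src, i = _take_addr(toks, 2)
        dst, _ = _take_addr(toks, i)
        dests.add(str(dst))
    return dests


def parse_crypto_routes(show_text):
    """Parse `show crypto route` output into {prefix: {next_hop, interface, codes}}."""
    routes = {}
    for m in ROUTE_RE.finditer(show_text):
        prefix = str(IPv4Network(f"{m['net']}/{m['mask']}", strict=False))
        routes[prefix] = {
            "next_hop": m["nh"],
            "interface": m["intf"],
            "codes": m["codes"].split(),
        }
    return routes


def missing_rri_routes(acl_text, show_text):
    """Crypto-ACL destinations that have no RRI route in the given `show crypto route` output."""
    expected = crypto_acl_destinations(acl_text)
    present = {p for p, r in parse_crypto_routes(show_text).items() if "RRI" in r["codes"]}
    return sorted(expected - present)


if __name__ == "__main__":
    for label, text in (("SA up", SHOW_CRYPTO_ROUTE_UP), ("SA expired", SHOW_CRYPTO_ROUTE_EXPIRED)):
        gone = missing_rri_routes(CRYPTO_ACL, text)
        print(f"{label}: " + ("all RRI routes present" if not gone else "missing " + ", ".join(gone)))
```

Fed the live command output instead of the constructed samples, a non-empty result from missing_rri_routes is exactly the condition under which the internal OSPF routers lose their path to 192.168.66.0/24, so it is the thing to alert on.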
08-31-2012 05:35 AM
Hi David,
It sounds like you are hitting a bug, possibly this one:
CSCtr87413 RRI static Route disappear after receiving delete notify and DPD failure
Note that 15.0(1r)M9 is not your IOS version, the "r" means this is the bootstrap version.
Also note that the bug mentioned above affects 15.0 as well as 15.1 but is only fixed in 15.1(4)M3 and later (and supposedly, 15.2 is not affected).
hth
Herbert
10-17-2012 11:38 PM
Hi,
I have the same issue using RRI with RIPv2...
When the IPSec lifetime expires, the route is removed, so hosts from the internal network cannot join the external one any more.
I have to run a script which performs ICMP to keep the tunnel up every time.
Any other solution would be appreciated.
PS: The peers are an ASA and an 881 router.
Thanks