Disappearing IPsec routes with RRI

basissmart
Level 1

Hi all,

I am trying to set up a pair of 1941 routers in a HA configuration to act as L2L VPN gateways. The active router of the pair should distribute routes to the remote destinations using OSPF to internal routers. The VPN part is working fine and the routers are correctly advertising routes to internal hosts; however, my problem is that when an IPsec session disconnects, the routes disappear and therefore internal hosts cannot reestablish a connection. If the remote end establishes a connection, the routes appear again and connectivity is restored.

My setup is as follows:

(ASA) --> (pvpn01 & pvpn02 HA pair) --> (internet) --> (remote peer)

Relevant sections from my config:

ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.26.100.246
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 10.26.100.247

track 1 interface GigabitEthernet0/1 line-protocol
track 2 interface GigabitEthernet0/0 line-protocol

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key xxxxxx address 79.171.99.80

crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

crypto map outsidemap 10000 ipsec-isakmp
 set peer 79.171.99.80
 set security-association lifetime seconds 600
 set transform-set aes-sha
 match address vpn_ospftest_acl
 reverse-route static

interface GigabitEthernet0/0
 ip address 10.26.100.246 255.255.255.0
 no ip proxy-arp
 ip verify unicast reverse-path
 ip ospf message-digest-key 1 md5 xxxxxxx
 duplex auto
 speed auto

interface GigabitEthernet0/1
 description outside
 ip address 91.216.255.246 255.255.255.240
 no ip proxy-arp
 ip verify unicast reverse-path
 standby delay minimum 120 reload 120
 standby 1 ip 91.216.255.248
 standby 1 preempt
 standby 1 authentication md5 key-string xxxxxxx
 standby 1 name pvpn_external
 standby 1 track 2 decrement 10
 ip ospf message-digest-key 1 md5 xxxxxxx
 duplex auto
 speed auto
 crypto map outsidemap redundancy pvpn_external stateful

router ospf 1
 router-id 91.216.255.246
 no compatible rfc1583
 log-adjacency-changes detail
 area 0 authentication message-digest
 redistribute static subnets route-map rmap_ospf_redistribute
 network 10.26.100.0 0.0.0.255 area 0
 network 91.216.255.240 0.0.0.15 area 0

ip route 0.0.0.0 0.0.0.0 91.216.255.241
ip route 10.26.0.0 255.255.0.0 10.26.100.1

ip access-list standard acl_ospf_redistribute
 permit 192.168.66.0 0.0.0.255
ip access-list extended vpn_ospftest_acl
 permit ip 10.26.0.0 0.0.255.255 192.168.66.0 0.0.0.255

route-map rmap_ospf_redistribute permit 10000
 match ip address acl_ospf_redistribute

The other router in the pair has exactly the same config except with different interface IPs. The remote end is configured to talk to the HA address 91.216.255.248.

The VPN routers are both running IOS version 15.0(1r)M9.

When I initially boot the routers, the route for 192.168.66.0/24 appears in 'show crypto route', and is advertised to neighboring routers. If I ping an address on that network an SA is established and stays active as long as there is traffic flowing.

pvpn02#show crypto route

VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
        S - Static Map ACLs

Routes created in table GLOBAL DEFAULT
192.168.66.0/255.255.255.0 [1/0] via 79.171.99.80 tag 0
                                on GigabitEthernet0/1 RRI  S

If I then stop traffic flowing over the tunnel and wait until the IPsec SA lifetime is expired, the route is deleted from the system routing table and therefore not distributed by OSPF. The result is that internal hosts cannot reestablish the tunnel as the other routers have no route to the 192.168.66.0/24 network.

Is this a bug, or is there another way to get the RRI routes to persist on the active router? My understanding of the docs suggests that this should work.

I've attached a log from the active router. It is taken with 'debug crypto ipsec' enabled.

Thanks in advance,

David
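The failure described above is visible in 'show crypto route': the RRI entry for 192.168.66.0/24 is present while the SA is up and gone once the lifetime expires. The following check, an added example rather than code from the thread, derives the destinations that should have RRI routes from the crypto-map ACL and compares them with the routes a router actually reports, so a monitoring job can flag the withdrawal before internal hosts notice. The ACL text and both 'show crypto route' outputs are constructed copies shaped like the ones in the post; the "down" output assumes the command prints an empty table when no RRI route exists.

```python
"""Compare crypto-map ACL destinations with the RRI routes a router reports.

Added example, not code from the thread. Parses constructed copies of the
'ip access-list extended' stanza and of 'show crypto route' output.
"""
import ipaddress

# Constructed sample: the crypto ACL from the post (one entry).
CRYPTO_ACL = """
ip access-list extended vpn_ospftest_acl
 permit ip 10.26.0.0 0.0.255.255 192.168.66.0 0.0.0.255
"""

# Constructed sample: 'show crypto route' while the SA is up.
SHOW_CRYPTO_ROUTE_UP = """
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
        S - Static Map ACLs

Routes created in table GLOBAL DEFAULT
192.168.66.0/255.255.255.0 [1/0] via 79.171.99.80 tag 0
                                on GigabitEthernet0/1 RRI  S
"""

# Constructed sample (assumed shape): the same command after the SA lifetime
# expired and the RRI route was withdrawn, as the post describes.
SHOW_CRYPTO_ROUTE_DOWN = """
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
        S - Static Map ACLs

Routes created in table GLOBAL DEFAULT
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (0.0.0.255 -> /24).

    A wildcard is the bitwise inverse of a subnet mask; non-contiguous
    wildcards cannot be expressed as one prefix and raise ValueError.
    """
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_addr_spec(tokens, i):
    """Parse one ACL address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def expected_destinations(acl_text):
    """Destination networks of every 'permit ip' entry in an extended ACL."""
    dests = set()
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["permit", "ip"]:
            continue
        _src, i = _parse_addr_spec(tokens, 2)
        dst, _ = _parse_addr_spec(tokens, i)
        dests.add(dst)
    return dests


def installed_rri_routes(show_output):
    """Map each RRI route in 'show crypto route' output to its next hop."""
    routes = {}
    for line in show_output.splitlines():
        tokens = line.split()
        # Route lines look like: 192.168.66.0/255.255.255.0 [1/0] via 79.171.99.80 tag 0
        if len(tokens) >= 4 and "/" in tokens[0] and tokens[2] == "via":
            net_str, mask_str = tokens[0].split("/", 1)
            net = ipaddress.IPv4Network((net_str, mask_str), strict=False)
            routes[net] = tokens[3]
    return routes


def missing_rri_routes(acl_text, show_output):
    """Crypto-ACL destinations with no RRI route installed, sorted.

    A non-empty result is the symptom from the thread: the SA aged out, the
    RRI route was withdrawn, and nothing is left to redistribute into OSPF.
    """
    expected = expected_destinations(acl_text)
    installed = installed_rri_routes(show_output)
    return sorted(net for net in expected if net not in installed)


if __name__ == "__main__":
    for label, output in (("up", SHOW_CRYPTO_ROUTE_UP), ("down", SHOW_CRYPTO_ROUTE_DOWN)):
        missing = missing_rri_routes(CRYPTO_ACL, output)
        print(label, "missing RRI routes:", [str(n) for n in missing])
```

Feed it the live command output from each router in the HA pair and alert on a non-empty result; on the active router the list should stay empty regardless of whether an SA is currently up, which is exactly the property the original post expects from 'reverse-route static'.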

2 Replies

Herbert Baerten
Cisco Employee

Hi David,

It sounds like you are hitting a bug, possibly this one:

CSCtr87413    RRI static Route disappear after receiving delete notify and DPD failure

Note that 15.0(1r)M9 is not your IOS version, the "r" means this is the bootstrap version.

Also note that the bug mentioned above affects 15.0 as well as 15.1 but is only fixed in 15.1(4)M3 and later (and supposedly, 15.2 is not affected).

hth

Herbert
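Two points in the reply above are easy to get wrong when checking a fleet: the "r" release in 'show version' is the bootstrap (ROMMON) image, not the running IOS, and the fix is stated per train (15.1(4)M3 and later M rebuilds; 15.2 reported unaffected; 15.0 affected). The following is an added example, not code from the thread or from Cisco, that picks the running version out of constructed 'show version' text, rejects bootstrap strings, and applies the reply's statement as a version comparison. The 'show version' lines are constructed to have the shape IOS prints and the version numbers in them are illustrative; 15.1 trains other than M are not covered by the reply, so they are conservatively reported as not fixed.

```python
"""Separate the running IOS version from the bootstrap version and test it
against the fixed release named in the reply (15.1(4)M3).

Added example, not from the thread. SHOW_VERSION is a constructed sample.
"""
import re

# Constructed sample with the shape of 'show version' output: the first line
# carries the running IOS; the ROM line carries the "r" bootstrap release
# that the original post quoted as its IOS version.
SHOW_VERSION = """\
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.

ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
"""

# major.minor(release[r])TRAIN[rebuild], e.g. 15.1(4)M3 or 15.0(1r)M9
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(r?)\)([A-Z]+)(\d*)")

# The release the reply names as the first fixed one.
FIXED_IN = (15, 1, 4, "M", 3)


def parse_ios_version(text):
    """Parse '15.1(4)M3' into (15, 1, 4, 'M', 3).

    Returns None for bootstrap strings such as '15.0(1r)M9': the 'r' marks a
    ROMMON image, whose number says nothing about the IOS that is running.
    """
    m = VERSION_RE.search(text)
    if not m or m.group(4) == "r":
        return None
    major, minor, release, _r, train, rebuild = m.groups()
    return (int(major), int(minor), int(release), train, int(rebuild or 0))


def running_ios_version(show_version):
    """Version tuple from the 'Cisco IOS Software' line, or None."""
    for line in show_version.splitlines():
        if line.startswith("Cisco IOS Software"):
            return parse_ios_version(line)
    return None


def bootstrap_version(show_version):
    """Raw bootstrap version string from the 'ROM:' line, or None."""
    for line in show_version.splitlines():
        if line.startswith("ROM:"):
            m = VERSION_RE.search(line)
            return m.group(0) if m else None
    return None


def has_rri_fix(version):
    """Apply the reply's statement: fixed in 15.1(4)M3 and later, 15.2+ not
    affected, 15.0 affected. Unknown or bootstrap versions count as not fixed."""
    if version is None:
        return False
    major, minor, release, train, rebuild = version
    if (major, minor) >= (15, 2):      # 15.2 and later: reported not affected
        return True
    if (major, minor) < (15, 1):       # 15.0: affected, no fix listed
        return False
    if train != FIXED_IN[3]:           # other 15.1 trains: not covered, assume affected
        return False
    return (release, rebuild) >= (FIXED_IN[2], FIXED_IN[4])


if __name__ == "__main__":
    running = running_ios_version(SHOW_VERSION)
    print("bootstrap:", bootstrap_version(SHOW_VERSION))
    print("running IOS:", running)
    print("carries CSCtr87413 fix:", has_rri_fix(running))
```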

Kooopobol
Level 1

Hi,

I have the same issue using RRI with RIPv2...
When the IPSec lifetime expires, the route is removed, so hosts from the internal network cannot join the external one any more.
I have to run a script which performs ICMP to keep the tunnel up every time.

Any other solution would be appreciated.

PS: The peers are ASA and 881 router

Thanks
