04-26-2011 05:50 PM
Hello!
I have an issue where we have redundant links into our ISP using BGP at different sites and about a dozen remote sites connected via L2L VPN tunnels. I have found a couple of issues when trying to do VPN redundancy (the headend VPN endpoints are the outside interfaces of our ASA(s)).
1) If you configure a backup peer, it does not automatically fail back to the primary (per the cisco.com docs). Does anyone know whether this happens when ISAKMP needs to be renegotiated?
2) Using RRI is not possible, since for a L2L tunnel it does RRI whether the tunnel is up or down. Is there a way to conditionally advertise the remote subnets into the network from the ASAs based on whether or not the tunnel is up on a specific ASA?
3) I was looking at running OSPF over the tunnels instead and just increasing the cost on the local ASA interface of the backup site, if that's the only way this will work, then just having two static L2L tunnels up, one to the primary site and one to the secondary site. Is this possible?
We eventually plan to move to DMVPN, which would fix this issue altogether, but in the meantime, any advice? Thanks for any assistance!
B
05-13-2012 03:43 PM
Hi B
Did you ever get 2) solved with the ASAs?
I just ran into the same issue: RRI routes are in the table as statics, all right. But they don't go away when the SA is down. What's the point of having RRI if it isn't dynamic? Might just as well write static routes to the remote networks from the start.
Best regards
Marc
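As an added example (not posted by B, Marc or anyone else in the thread), this is the kind of ASA configuration the two posts above are describing: a static L2L crypto map with a primary and a backup peer, reverse-route injection, redistribution of the resulting static into OSPF, and the show commands used to check the SA and the RRI route. Interface name, ACL and map names, addresses and the pre-shared-key placeholder are made up; the syntax is the pre-8.4 `crypto isakmp` form current when the thread was started. Lines beginning with `!` are comments for the reader and can be dropped when pasting.

```cisco
! Added example, not from the thread: ASA static L2L tunnel to one remote
! site with a backup peer and RRI. Names and addresses are placeholders.
! Syntax is the pre-8.4 "crypto isakmp" form in use when this was posted.

! Phase 1 (ISAKMP)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 transform set and the traffic this tunnel protects
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list SITE_A_VPN extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.255.0

! Crypto map entry: two peers (primary listed first, backup second) and RRI.
! The route to 10.20.0.0/24 is installed as a static once this is configured;
! as the posts above report, it stays in the table while the SA is down.
crypto map OUTSIDE_MAP 10 match address SITE_A_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per peer address (the backup peer needs its own)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <replace-me>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <replace-me>

! Redistributing statics into the IGP is what advertises the RRI routes.
! With the behaviour described in the thread, an ASA at each headend would
! keep advertising 10.20.0.0/24 whether or not it currently holds the tunnel,
! which is the conditional-advertisement problem B asks about in point 2.
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
 redistribute static subnets

! Checks: is the SA up, and is the RRI route (code "S") still present?
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
show route | include 10.20.0.0
```

Running the three show commands before and after bringing the tunnel down on one headend is the quickest way to reproduce what Marc describes: the ISAKMP and IPsec SAs disappear, but the `S` route from `set reverse-route` remains, and with `redistribute static` it keeps being advertised.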
05-14-2012 01:20 PM
Aloha! I'm sorry I don't have any update for you on this. I did not get it resolved.
06-19-2012 07:56 AM
Hi,
I'm also having a lot of trouble with RRI (and EIGRP); maybe it helps to turn to answer-only:
Please see CSCsx67450 in the Bug Database for details (ASA needs same RRI functionality as IOS).