L2L VPN redundancy, RRI issue

BEN ROBINSON
Level 1

Hello!

I have an issue where we have redundant links into our ISP using BGP at different sites and about a dozen remote sites connected via L2L VPN tunnels. I have found a couple of issues when trying to do VPN redundancy (the headend VPN endpoints are the outside interfaces of our ASA(s)).

1) If you configure a backup peer, it does not automatically fail back to the primary (per the cisco.com docs). Does anyone know whether this happens when the ISAKMP SA needs to be renegotiated?

2) Using RRI is not possible, since for a L2L tunnel it does RRI no matter whether the tunnel is up or down. Is there a way to conditionally advertise the remote subnets into the network from the ASAs based on whether or not the tunnel is up on a specific ASA?

3) I was looking at running OSPF over the tunnels instead and just increasing the cost on the local ASA interface of the backup site, if that's the only way this will work, then just having two static L2L tunnels up, one to the primary site and one to the secondary site. Possible?

We eventually plan to move to DMVPN, which would fix this issue altogether, but in the meantime - any advice? Thanks for any assistance!

B

3 Replies

Marc Luethi
Level 1

Hi B

Did you ever get 2) solved with the ASAs?

I just ran into the same issue: RRI routes are in the table as statics, all right. But they don't go away when the SA is down. What's the point of having RRI if it isn't dynamic? Might just as well write static routes to the remote networks from the start.

Best regards

Marc

Aloha! I'm sorry I don't have any update for you on this. I did not get it resolved.

Hi,

I'm also having a lot of trouble with RRI (and EIGRP); maybe it helps to turn to Answer-only:

Please see CSCsx67450 in the Bug Database for details (ASA needs same RRI functionality as IOS).