question about RRI

west33637
Level 1

"RRI injects a static route into the routing table of the headend router for the network address referenced by the crypto ACL of the remote router. These static routes can be redistributed using a dynamic routing protocol."

"The static IP route is only present if that IPsec SA is active."

I have the default SA lifetimes configured (1 hour).

I have a hub-and-spoke IPsec LAN-to-LAN network (to several different companies) and I am planning to use static crypto peer mappings on the hub and RRI with redistribution to inject the remote networks into my network. The tunnels can be initiated from either direction.

If I and the remote company get the tunnel configured and the IPsec SA is up, the remote static routes will get injected via RRI and redistributed into my routing protocol. Therefore my internal network will have a route to this remote network. What happens if there is no VPN traffic for over an hour and the IPsec SA gets torn down? In this case, if the above quotes hold true, then the static routes that were injected via RRI will be removed. If they are, then no routes are being redistributed and my internal network no longer knows how to reach the destination network.

So what happens when my internal network tries to initiate traffic to the remote company? In this case, my internal network won't have a route to the remote network, since it relied on the static routes provided by RRI, which are not present since the IPsec SA was torn down.

Am I correct in my assumptions? If so, I know that you can configure IP SLA or something to provide periodic interesting traffic in which case the IPSEC SA will continue to renegotiate every hour. Are there other solutions for this?

Thanks as always.

1 Accepted Solution

Jennifer Halim
Cisco Employee

Typically RRI is used in a VPN Client environment where the tunnel only needs to be initiated from the VPN Client end, and when the VPN Client disconnects, the internal networks have no need to access the VPN Client.

In a LAN-to-LAN tunnel scenario where you know exactly the remote LAN and you have a requirement to initiate the tunnel from both ends, RRI is not of much use anymore, because, as you have advised, when the SA is down the hub site can't initiate the tunnel to the remote end if the routes are being distributed via RRI. The best and easiest option would be to configure static routes manually that get distributed to your dynamic routing protocol.

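The two approaches side by side, as an added Cisco IOS configuration sketch that is not from the original thread: RRI on the hub's static crypto map entry (what the question plans), and the manually configured static route redistributed into the IGP (what the reply recommends). All addresses, ACL and crypto map names, the interface and the EIGRP process number are placeholders; EIGRP is assumed only because redistribution needs some IGP to show.

```cisco
! --- Option A: RRI, as described in the question. reverse-route installs a
! static route for 10.20.0.0/16 (the remote side of the crypto ACL) only
! while the IPsec SA to this spoke is active; once the SA expires, that
! route and its redistributed copy disappear and hub-side hosts lose the path.
ip access-list extended ACL-SPOKE-A
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map HUBMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address ACL-SPOKE-A
 reverse-route
!
interface GigabitEthernet0/0
 description Internet-facing (placeholder addressing)
 ip address 198.51.100.2 255.255.255.252
 crypto map HUBMAP
!
! --- Option B: manual static route, as the reply recommends (drop the
! reverse-route line above when using this). The route exists whether or
! not the SA is up, so the hub side always has a path; traffic toward
! 10.20.0.0/16 leaves via Gi0/0, matches ACL-SPOKE-A on the crypto map and
! triggers IKE negotiation from the hub. The next hop is the Internet-side
! gateway (placeholder), not a tunnel interface, because crypto maps have none.
ip route 10.20.0.0 255.255.0.0 198.51.100.1
!
router eigrp 100
 network 10.10.0.0 0.0.255.255
 redistribute static metric 10000 100 255 1 1500
```

Verify after a tunnel idles past the SA lifetime with `show ip route 10.20.0.0`: under option A the entry vanishes, under option B it stays and the next packet toward the spoke brings the SA back up.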


Thanks.