Route not added for site-to-site tunnel

ABaker94985

We have approximately 50 site-to-site tunnels to an ASA 5545X running 9.12(4)35. The one we had the problem with has the "set reverse-route"

 

crypto map OUTSIDE_map 15 match address OUTSIDE_cryptomap_18
crypto map OUTSIDE_map 15 set peer 64.64.64.64
crypto map OUTSIDE_map 15 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_map 15 set reverse-route

 

Today out of the blue one of the locations no longer had the route set, nor would it set after clearing either end of the tunnel. The site uses 10.8.248.128/26, and it had a "V" route previously, but the site is up after creating a static route:

 

V 10.8.248.0 255.255.255.192 connected by VPN (advertised), OUTSIDE
S 10.8.248.128 255.255.255.192 [1/0] via 192.231.91.1, OUTSIDE
V 10.8.249.0 255.255.255.192 connected by VPN (advertised), OUTSIDE

 

I'd like to figure out the problem, as this happened 2 or 3 times last year with other sites. Is there a debug or some troubleshooting technique I could try? Thanks


@ABaker94985 I assume you are redistributing the routes using EIGRP or OSPF. Can you provide the output of your routing configuration, including prefix-list and route-maps?

@Rob Ingram We actually are not using a dynamic routing protocol, although we'll soon be implementing it for the VPNs. This has been set up with static routes since the beginning of time, but it's become unwieldy. This problem is easy to spot because we see a routing loop between the Nexus switches and firewall. The route to 10.0.0.0/8 on the firewall that points to the switch is the only path to 10.8.248.128/26 when the route drops from the firewall.

Hello

Take a look at this bug:

 

CSCvq78126

V route is missing even after setting the reverse route in Crypto map config in HA-IKEv2
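
One way to catch this condition before it shows up as a routing loop, as an added example that is not part of the original thread: a Python check that parses saved `show route` output and reports every expected reverse-route network that has no "V" route, together with the route that would carry its traffic instead. The sample text is constructed from the route lines quoted in the thread; the 10.0.0.0/8 next hop, the INSIDE interface name and the expected-network list are assumptions.

```python
import ipaddress
import re

# Constructed sample in the thread's "show route" format. The 10.0.0.0/8 next
# hop and the INSIDE interface name are assumptions, not values from the thread.
SAMPLE_SHOW_ROUTE = """\
S        10.0.0.0 255.0.0.0 [1/0] via 10.1.1.1, INSIDE
V        10.8.248.0 255.255.255.192 connected by VPN (advertised), OUTSIDE
V        10.8.249.0 255.255.255.192 connected by VPN (advertised), OUTSIDE
"""

# Remote networks that "set reverse-route" is expected to install (assumed list).
EXPECTED_RRI = ["10.8.248.0/26", "10.8.248.128/26", "10.8.249.0/26"]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Route code (for example S, V, C, "O IA"), network, dotted mask, remainder.
ROUTE_RE = re.compile(
    rf"^(?P<code>[A-Z*]+(?: [A-Z]+\d?)?)\s+(?P<net>{IP})\s+(?P<mask>{IP})\s+(?P<rest>.+)$"
)

def parse_routes(text):
    """Return (code, network, remainder) for each route line that parses."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}")
            routes.append((m["code"], net, m["rest"]))
    return routes

def audit_rri(show_route, expected):
    """List expected networks lacking a V route and the route used instead."""
    routes = parse_routes(show_route)
    vpn_nets = {net for code, net, _ in routes if code == "V"}
    findings = []
    for cidr in expected:
        want = ipaddress.ip_network(cidr)
        if want in vpn_nets:
            continue
        # Longest-prefix match among the remaining routes shows where the
        # traffic actually goes (a supernet pointing inside means a loop).
        covering = [r for r in routes if want.subnet_of(r[1])]
        best = max(covering, key=lambda r: r[1].prefixlen, default=None)
        findings.append((cidr,) + ((best[0], str(best[1]), best[2]) if best else (None, None, None)))
    return findings

if __name__ == "__main__":
    for cidr, code, net, rest in audit_rri(SAMPLE_SHOW_ROUTE, EXPECTED_RRI):
        print(f"no V route for {cidr}; falls back to {code} {net} {rest}")
```

Run against output captured on a schedule, a finding whose fallback is a supernet pointing back inside is the loop described in the thread, and its first appearance timestamps the drop for correlation with tunnel or failover events.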