Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
249
Views
2
Helpful
2
Replies

Routing issues after changing from IKEv1 to IKEv2

Go to solution
Chess Norris
Level 4
Level 4

‎07-10-2025 12:54 AM

A customer has an MPLS network with BGP routing that is used as primary communication between their HQ and 10 smaller remote sites. As backup they are using VPN tunnels between a FTD firewall at the HQ and C1111 IOS XE routers at the remote sites.

This has been working without any issues, and the VPN tunnel has always come up if there was an issue with the MPLS network. 

The problem occurred when we tried to change the VPN tunnels from IKEv1 to IKEv2. We discovered that we lost communication with the remote site and when checking the routing on the FTD, we could see that it changed after we configured IKEv2.

Here is the output before the change from IKEv1 to IKEv2, showing the correct route to the remote site over the MPLS network. 

ftd-01# show route 10.90.26.129

Routing entry for 10.90.16.0 255.255.240.0
Known via "bgp 64900", distance 20, metric 0
Tag 21195, type external
Last update from 10.63.63.1 19:16:55 ago
Routing Descriptor Blocks:
* 10.63.63.1, from 10.63.63.1, 19:16:55 ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 21195
MPLS label: no label string provided

And here is the route after changing to IKEv2

!
ftd-01# show route 10.90.26.129

Routing entry for 10.90.16.0 255.255.240.0
Known via "static", distance 1, metric 0 (connected)
Redistributing via bgp 64900
Routing Descriptor Blocks:
* 10.90.16.0, via OUTSIDE
Route metric is 0, traffic share count is 1

It looks like it's trying to send the traffic through the VPN tunnels instead of using the MPLS network. Is this an expected behavior with IKEv2? How can we fix this? Maybe by using IP SLA on the firewall?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎07-10-2025 12:59 AM

We use RRI to advertise tunnel IP via IKEv1 then use it in BGP.

I think you missing RRI option when you shift to IKEv2

MHM

View solution in original post

2 Replies 2

Go to solution
MHM Cisco World
VIP
VIP

‎07-10-2025 12:59 AM

We use RRI to advertise tunnel IP via IKEv1 then use it in BGP.

I think you missing RRI option when you shift to IKEv2

MHM

Go to solution
Chess Norris
Level 4
Level 4
In response to MHM Cisco World

‎07-16-2025 05:10 AM

Issue solved and it was related to RRI, but it was actually that it was enabled that caused the problem.

After changed from IKEv1 to IKEv2, RRI was enabled by default. However on the previous IKEv1 tunnels, RRI was not enabled. 

So deselecting Reverse Route Injection fixed the issue.

Thanks

/Chess

Customers Also Viewed These Support Documents