04-02-2012 09:02 PM
Hi,
I'm having some problems with Cisco 870 routers connected to Cisco ASA 5550 firewalls via the Internet and IPsec L2L VPNs. The 870 router establishes a tunnel to the default peer without a problem. The crypto map has 4 entries, so depending on the traffic being sent through the 870 router there can be up to 4 SPIs using that tunnel.
The problem is as follows:
As the underlying connectivity is via the Internet, every now and then we see that the router establishes a tunnel to the backup peer (123.44.55.66). When this happens I end up with two active tunnels, with at least one SPI still active on the default tunnel peer. The problem I have is that on the other end of these tunnels, when the VPN is created to the backup peer it uses RRI to advertise the 870's LAN into our core network. Traffic from the core will be routed via the backup VPN, but traffic from the 870 can still use the default VPN. Asymmetric traffic then breaks connectivity for the site.
So the problem I see is that the 870 router (using DPD) should only ever have one tunnel up; if it detects a problem with that one it should tear it down and establish a tunnel to the backup peer. Traffic would then be symmetric.
Does anyone have any ideas? Any clues why both tunnels stay up?
Cheers
04-02-2012 09:37 PM
CSCsa46834 seems to describe the problem exactly, but the affected versions only show 12.3; we're running 12.4(15)T7.
04-03-2012 12:56 PM
You need to introduce IP SLA and a track object to monitor route availability; based on the return value, the router will push the traffic down either one of the tunnel paths.
Please review the config in the thread below; you may want to change it to reflect your setup.
https://supportforums.cisco.com/thread/2034251
Thanks
04-03-2012 04:02 PM
Hi rizwanr74,
Thanks for the reply. I don't think that applies here: each client only has a single Internet connection, so there are no routing changes required. The redundancy we're looking for is on the ASA firewall endpoint, by having the default peer and then a 2nd peer if that is unavailable. DPD should detect that the default peer is unavailable, tear down the tunnel and then establish a tunnel to the 2nd peer. We are not seeing the tear-down take place.
Cheers
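For readers landing on this thread, the following is an added illustration of the setup the original poster describes (a crypto map with a default peer and a backup peer, DPD enabled) together with the show commands used to confirm the symptom, i.e. ISAKMP and IPsec SAs existing towards both peers at once. It is not configuration from any poster in this thread. The default peer address 203.0.113.10, the interface, crypto names, ACL and pre-shared key are placeholders; only the backup peer address 123.44.55.66 is taken from the thread.

```cisco
! Added example, not from the thread. Addresses/names below are placeholders
! except the backup peer 123.44.55.66 quoted by the original poster.
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
!
! DPD: "periodic" sends a keepalive every 10 s regardless of traffic and
! retries every 3 s once the peer stops answering. Without the "periodic"
! keyword IOS uses on-demand DPD, which only probes when the router has
! outbound traffic for the peer and has seen nothing inbound.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! One crypto map with several entries; each entry negotiates its own
! IPsec SAs (hence several SPIs per tunnel), while the ISAKMP SA is per peer.
! "default" marks the preferred peer so that, after a failover, the router
! returns to it rather than staying on whichever peer last answered.
crypto map VPN 10 ipsec-isakmp
 description entry 1 - default peer first, backup peer second
 set peer 203.0.113.10 default
 set peer 123.44.55.66
 set transform-set TS
 match address VPN-ACL-1
crypto map VPN 20 ipsec-isakmp
 description entry 2 - same peers, different traffic selector
 set peer 203.0.113.10 default
 set peer 123.44.55.66
 set transform-set TS
 match address VPN-ACL-2
!
interface FastEthernet4
 description WAN (placeholder interface name)
 crypto map VPN
!
! --- Verification (exec mode) ---
! One line per ISAKMP peer; two ACTIVE lines, one per peer, is the
! "two tunnels up" condition described in the thread.
! show crypto isakmp sa
!
! Per-peer IPsec SAs: if inbound/outbound SPIs appear under both peers,
! some crypto map entries failed over while others did not.
! show crypto ipsec sa peer 203.0.113.10 | include peer|spi
! show crypto ipsec sa peer 123.44.55.66 | include peer|spi
!
! Compact per-session view, including which peer each session is with.
! show crypto session detail
!
! Manually clearing the stale SAs towards one peer forces renegotiation
! (disruptive; use to test symmetry, not as a fix).
! clear crypto sa peer 203.0.113.10
! clear crypto isakmp
```

The point of the verification block is to tell the two cases apart: a single ISAKMP SA whose IPsec SAs are all with the same peer (healthy), versus IPsec SAs from different crypto map entries split across the default and backup peers, which is what produces the asymmetric path once RRI on the ASA side starts advertising the site's LAN via the backup peer.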