RE: ASA reverse route

From: Dufour, Andre <Andre.Dufour_at_PAETEC.com>
Date: Tue, 14 Dec 2010 15:51:07 -0500

Just a heads-up on variations. On the IOS platforms, I use a single standard of always having the reverse route as static, but with the following additions. These ensure that, as long as the MPLS (primary) is up, IPsec won't be used even if the IPsec tunnel is up.

Andre

crypto map VPN xxxxx ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3DES
 set reverse-route distance 250
 set isakmp-profile xxxxx
 match address xxxxxx
 reverse-route static

route-map IPSec-backup permit 10
 set local-preference 50
 set weight 0
 set community xxxxx

router bgp xxxx
 address-family ipv4 vrf xxxx
  redistribute static route-map IPSec-backup


-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Marcin Zgola
Sent: Tuesday, December 14, 2010 3:35 PM
To: ccielab_at_groupstudy.com
Subject: RE: ASA reverse route

The problem I was having: the VPN is a backup route.

ASA is injecting this route via OSPF, and my L3 routers were using OSPF route when tunnel went down.

Now everything works.

-----Original Message-----
From: Marcin Zgola
Sent: Tuesday, December 14, 2010 2:33 PM
To: 'Tyson Scott'; ccielab_at_groupstudy.com
Subject: RE: ASA reverse route

I changed my tunnel from static to dynamic, and it works.

crypto dynamic-map DYNAMIC_VPN 5 match address ACPU
crypto dynamic-map DYNAMIC_VPN 5 set transform-set 3DES_SHA
crypto dynamic-map DYNAMIC_VPN 5 set security-association lifetime seconds 28800
crypto dynamic-map DYNAMIC_VPN 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYNAMIC_VPN 5 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic DYNAMIC_VPN
crypto map outside_map interface outside

-----Original Message-----
From: Tyson Scott [mailto:tscott_at_ipexpert.com]
Sent: Tuesday, December 14, 2010 2:24 PM
To: Marcin Zgola; ccielab_at_groupstudy.com
Subject: RE: ASA reverse route

behavior.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Marcin Zgola
Sent: Tuesday, December 14, 2010 3:02 PM
To: ccielab_at_groupstudy.com
Subject: ASA reverse route

I am having an issue with ASA reverse route injection on an L2L tunnel.

When my tunnel is down and I have this command:
crypto map OUTSIDE_MAP 10 set reverse-route

it shows my route in routing table
S 10.16.1.0 255.255.255.0 [1/0] via 1.1.1.2, outside

I only need this route when the tunnel is up. Is it a bug or ASA behavior?

thanks

Marcin Zgola
Internetwork Lead
CCIE #18676
Netrix, LLC
http://www.netrixllc.com
Ph. 847-964-5300
Fax.: 847-964-5350
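
As an added example (not part of Andre's or Marcin's posts), here is the IOS pattern Andre describes, pulled together in one place with placeholder names and RFC 5737 addresses. It adds one thing his fragment leaves out: a match clause on the route-map, so that only the RRI-injected statics pick up the lowered local-preference, while any other statics in the VRF are redistributed unchanged. The crypto ACL, prefix list, peer address, VRF name and AS number are assumptions.

```ios
! Added example, not from the thread. Names, addresses, VRF and AS are placeholders.
!
! Prefixes the remote site brings up over the tunnel; RRI will inject these as statics.
ip access-list standard RRI-PREFIXES
 permit 10.16.1.0 0.0.0.255
!
! Traffic selector (crypto ACL) for the L2L tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 10.16.1.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set 3DES
 ! Install the RRI static at AD 250, so any routing-protocol path
 ! (the MPLS/BGP primary, AD 20 or 200) wins in the RIB while it exists.
 set reverse-route distance 250
 match address VPN-TRAFFIC
 ! Keep the static present whether or not the SA is up; preference,
 ! not presence, decides whether it is used.
 reverse-route static
!
! Only the RRI statics get the backup attributes when redistributed.
route-map IPSec-backup permit 10
 match ip address RRI-PREFIXES
 set local-preference 50
 set weight 0
!
! Any other statics in the VRF pass through unchanged.
route-map IPSec-backup permit 20
!
router bgp 65000
 address-family ipv4 vrf CUSTOMER
  redistribute static route-map IPSec-backup
```

While the primary path is in the RIB, the 250-distance static is not installed and therefore is not redistributed at all; when the primary is lost, the static is installed and advertised with local-preference 50, so any router that still sees the prefix over MPLS keeps preferring it.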

Blogs and organic groups at http://www.ccie.net
Received on Tue Dec 14 2010 - 15:51:07 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART