Another option that I have used in the past is to use "Ip sla monitor".
Track your primary connection and if it goes down then inject a backup
route. When the primary link comes back up the backup route goes away.
All options are good IMO.
Thanks,
Mark
----- Original Message -----
From: "Andre Dufour" <Andre.Dufour_at_PAETEC.com>
To: "Marcin Zgola" <MZgola_at_netrixllc.com>, ccielab_at_groupstudy.com
Sent: Tuesday, December 14, 2010 2:51:07 PM
Subject: RE: ASA reverse route
Just a heads-up on variations. On the IOS platforms, I use a single standard
of always having the reverse route as static but with the following additions.
These ensure that as long as the MPLS (primary) is up, that the IPSEC won't
be used even if the IPSec tunnel is up.
Andre
crypto map VPN xxxxx ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3DES
 set reverse-route distance 250
 set isakmp-profile xxxxx
 match address xxxxxx
 reverse-route static
route-map IPSec-backup permit 10
 set local-preference 50
 set weight 0
 set community xxxxx
router bgp xxxx
 address-family ipv4 vrf xxxx
  redistribute static route-map IPSec-backup
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Marcin
Zgola
Sent: Tuesday, December 14, 2010 3:35 PM
To: ccielab_at_groupstudy.com
Subject: RE: ASA reverse route
The problem I was having, VPN is a backup route.
ASA is injecting this route via OSPF, and my L3 routers were using OSPF route
when tunnel went down.
Now everything works.
-----Original Message-----
From: Marcin Zgola
Sent: Tuesday, December 14, 2010 2:33 PM
To: 'Tyson Scott'; ccielab_at_groupstudy.com
Subject: RE: ASA reverse route
I changed my tunnel from static to dynamic, and it works.
crypto dynamic-map DYNAMIC_VPN 5 match address ACPU
crypto dynamic-map DYNAMIC_VPN 5 set transform-set 3DES_SHA
crypto dynamic-map DYNAMIC_VPN 5 set security-association lifetime seconds 28800
crypto dynamic-map DYNAMIC_VPN 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYNAMIC_VPN 5 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic DYNAMIC_VPN
crypto map outside_map interface outside
-----Original Message-----
From: Tyson Scott [mailto:tscott_at_ipexpert.com]
Sent: Tuesday, December 14, 2010 2:24 PM
To: Marcin Zgola; ccielab_at_groupstudy.com
Subject: RE: ASA reverse route
behavior.
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Marcin Zgola
Sent: Tuesday, December 14, 2010 3:02 PM
To: ccielab_at_groupstudy.com
Subject: ASA reverse route
I am having an issue with ASA reverse route injection on L2L tunnel.
When my tunnel is down and I have this command:
crypto map OUTSIDE_MAP 10 set reverse-route
it shows my route in routing table
S    10.16.1.0 255.255.255.0 [1/0] via 1.1.1.2, outside
I only need this route when tunnel is up. Is it a bug or ASA behavior?
thanks
Marcin Zgola
Internetwork Lead
CCIE #18676
Netrix, LLC
http://www.netrixllc.com
Ph. 847-964-5300
Fax.: 847-964-5350
Received on Tue Jan 04 2011 - 16:39:55 ART