Monday, March 18, 2019

ASA failover RRI bug

Curious if any of you who have experienced this have found a code version that fixes it. TAC seems hesitant to give me a "fixed" code version and keeps recommending different jumps.

Current version: 9.4.4(18)

Model: ASA5545-X in Active/Standby

Problem: RRI VPN routes are withdrawn from the routing table after a failover event, and to fix it I must toggle RRI off/on for each VPN profile I have it configured for.

Workaround: Configure static routes for all VPN remote IP space

According to TAC it matches CSCth58083, however it was later decided that this was to be an enhancement request rather than a bugfix so it got backburnered to my knowledge.

Then they pointed me at CSCun65747, but my version is not matched under "affected releases" and it claims it fixes a bug with a different ID number (and the link is broken on their page): CSCtb64709

CSCun65747

Description

Symptom: This is an ENHANCEMENT request.
Conditions: The current VPN RRI implementation requires a route lookup for the peer when installing RRI routes.
This implementation runs into issues when the route to the peer is not known at RRI time or the route to the peer changes. It also runs into issues when tunneling IPv4 in IPv6 and IPv6 in IPv4.

Anyways, I don't plan on playing code roulette in production so I'm close to just installing static routes manually, however I'd like to use RRI if anyone has had success with it between failovers.

*I do not have any EIGRP/OSPF adjacencies with this box so a default route outbound with learned internal routes won't work in this scenario*
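The failure mode described above (RRI routes silently withdrawn after a failover) is easy to miss until traffic breaks, so a cheap post-failover check is worth having. The script below is an added example, not code from the original post or from Cisco: it parses ASA `show route` output, reports which expected VPN remote prefixes have no covering RRI ("V") or static ("S") route, and treats the static-route workaround as satisfying the check. The `show route` samples, the interface names, the addresses and the expected prefix list are all constructed for illustration; on a real box the expected prefixes would come from the crypto ACLs, and a default route is deliberately not counted as covering a VPN prefix, matching the poster's note that a default outbound route does not work in this scenario.

```python
import ipaddress
import re

# Constructed sample of `show route` output in ASA 9.x style, before failover.
# RRI routes appear with code "V"; nothing here was captured from the poster's device.
SHOW_ROUTE_BEFORE = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C        203.0.113.0 255.255.255.0 is directly connected, outside
C        10.0.0.0 255.255.255.0 is directly connected, inside
V        172.16.10.0 255.255.255.0 connected by VPN (advertised), outside
V        172.16.20.0 255.255.255.0 connected by VPN (advertised), outside
"""

# Constructed sample after a failover: the two RRI routes are gone.
SHOW_ROUTE_AFTER = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C        203.0.113.0 255.255.255.0 is directly connected, outside
C        10.0.0.0 255.255.255.0 is directly connected, inside
"""

# Constructed sample with the static-route workaround in place: one summary
# static route covers both remote VPN networks, so no RRI route is needed.
SHOW_ROUTE_WORKAROUND = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
S        172.16.0.0 255.255.0.0 [1/0] via 203.0.113.1, outside
C        203.0.113.0 255.255.255.0 is directly connected, outside
C        10.0.0.0 255.255.255.0 is directly connected, inside
"""

# Remote networks the tunnels protect (constructed; normally taken from the crypto ACLs).
EXPECTED_VPN_PREFIXES = ["172.16.10.0/24", "172.16.20.0/24"]

# Matches the leading "<code> <network> <mask>" of an ASA route line, e.g. "S*  0.0.0.0 0.0.0.0".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
)


def parse_show_route(text):
    """Return {IPv4Network: route_code} for every route line in `show route` output."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # banner, blank line or continuation text
        routes[ipaddress.IPv4Network(f"{m['net']}/{m['mask']}")] = m["code"]
    return routes


def missing_vpn_routes(show_route_text, expected_prefixes):
    """List expected VPN prefixes that have no covering RRI (V) or static (S) route.

    A covering route may be the exact RRI route or a wider static summary (the
    workaround). The default route (prefix length 0) is never accepted as cover.
    """
    present = parse_show_route(show_route_text)
    missing = []
    for prefix in expected_prefixes:
        net = ipaddress.IPv4Network(prefix)
        covered = any(
            route.prefixlen > 0
            and code.startswith(("V", "S"))
            and net.subnet_of(route)
            for route, code in present.items()
        )
        if not covered:
            missing.append(prefix)
    return missing


def rri_routes_lost(before_text, after_text):
    """Return RRI (code V) routes present before the failover but absent afterwards."""
    before = {r for r, c in parse_show_route(before_text).items() if c.startswith("V")}
    after = set(parse_show_route(after_text))
    return sorted(str(r) for r in before - after)


if __name__ == "__main__":
    print("missing before failover:", missing_vpn_routes(SHOW_ROUTE_BEFORE, EXPECTED_VPN_PREFIXES))
    print("missing after failover: ", missing_vpn_routes(SHOW_ROUTE_AFTER, EXPECTED_VPN_PREFIXES))
    print("missing with workaround:", missing_vpn_routes(SHOW_ROUTE_WORKAROUND, EXPECTED_VPN_PREFIXES))
    print("RRI routes lost:        ", rri_routes_lost(SHOW_ROUTE_BEFORE, SHOW_ROUTE_AFTER))
```

Run against `show route` captured from the active unit right after a failover (or on a schedule from a monitoring host), a non-empty `missing_vpn_routes` result is the signal to either re-toggle RRI on the affected crypto maps or confirm the static-route workaround is still in place.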
