Solved

Alternate to RRI

Posted on 2010-08-17
Last Modified: 2012-10-10
I am currently trying to advertise routes to our VPN connected sites using EIGRP on our 55xx firewalls. For most sites RRI is our first option since it provides the most dynamic routing in the event of a failover for the remote sites.
The problem is that some of our remote sites are not manned and its my understanding that if the tunnel drops after a certain time the reverse route will drop and routing will not come back up unless initiated by the remote side.
I am looking for something more permanent, other than a static route on the local router, that will "hold" this route in place in case the VPN needs to be brought up from the local side.
Our goal is removal of all static routes on the internal LAN.
Question by:jasonbranch10
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33458089
RRI should work fine. I guess you use this on the hub site? That means that there is always a static route inserted (and probably redistributed) pointing out the network(s) at the remote site. Is this full L2L-tunnels with static ip (set peer in hub site's crypto map)? Then either end can initiate the tunnel and the tunnel will go up and down automatically. Anyway, the static route inserted with the reverse-route should never disappear. Does it?

Anyway, there are not many options in ASA compared to IOS-routers. It is more flexible and dynamic to use GRE-tunnels in which you can run your eigrp-routing through the vpn, but that is not an option with ASA.

Sorry, I don't really understand your problem. It is probably me but can you please expand your question?

/Kvistofta

Author Comment

by:jasonbranch10
ID: 33458828
Actually you seem to have a pretty good grasp of it.

This is the hub site we are talking about.

I was under the impression that if the VPN went down so would the route, which added to the flexibility and ease of failover to a different head-end server. If that's not the case and the route is always there, that kinda throws a wrench in my failover plans, but at least I know the remote site will always be accessible no matter who initiates the connection.
LVL 18

Accepted Solution

by:
decoleur earned 500 total points
ID: 33458910
Hello jasonbranch10,

If you have the remote router participating in the EIGRP routing process then they should have interesting traffic that keeps the tunnels from going down. If you want another method to generate interesting traffic from the remote sites to the main site to keep the tunnels up, I have seen "sla monitor" used with good effect. See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml for a description of the method.

Really all you need to do is set up something like this:

sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10

!--- Configure a new monitoring process with the ID 123.  Specify the
!--- monitoring protocol and the target network object whose availability the tracking
!--- process monitors.  Use an address the firewall can ping that is inside the hub.
!--- Specify the number of packets to be sent with each poll.
!--- Specify the rate at which the monitor process repeats (in seconds).
!--- I would change the frequency from 10 to 30.
!--- (Comments are on their own lines: the ASA CLI does not accept a trailing
!--- "!---" comment after a command.)

sla monitor schedule 123 life forever start-time now

!--- Schedule the monitoring process.  In this case the lifetime
!--- of the process is specified to be forever.  The process is scheduled to begin
!--- at the time this command is entered.  As configured, this command allows the
!--- monitoring configuration specified above to determine how often the testing
!--- occurs.  However, you can schedule this monitoring process to begin in the
!--- future and to only occur at specified times.


hope this helps,

-t

Author Comment

by:jasonbranch10
ID: 33459005
I don't necessarily need the tunnel to stay up...just for the route to be there from an eigrp perspective.

The remote sites are not participating in eigrp.
LVL 18

Expert Comment

by:decoleur
ID: 33459099
It is my understanding that the dynamic route will only be available as long as the tunnel is up; to have the route you will need the tunnel.

Author Comment

by:jasonbranch10
ID: 33459177
That was my understanding as well... so it's either a static on the router; RRI without traffic to keep it up, so you lose the route once it drops; or RRI with an SLA to keep the route in place and the VPN up, which would still function properly in the case of a hard outage (hardware or circuit), in which case it would fail to the DR site.
LVL 17

Expert Comment

by:Kvistofta
ID: 33461396
RRI is static, it will not disappear when the tunnel is down.

I think we have some confusions here. We are talking about 2 different scenarios:

1) routing protocol traffic thru tunnel. If you do that the EIGRP updates will keep the tunnel up and the routes will always be there. This is by far the most effective way to do it. However, this is not supported on ASA since crypto maps cannot handle multicast/broadcast traffic.

2) RRI. This is a local thing in each router. Since there is no automatic way to distribute what exists on the remote end of the vpn tunnel all reverse-route does is to look in the crypto access-list and create a static route local in the router/firewall based on the remote networks specified in the proxy acl. They will always be there, there is no way for RRI to "know" if the tunnel is up or down. Since they are only created as static routes you then need to redistribute static routes as needed in your local routing protocol.

Of course SLA can be configured to keep the tunnel always up if needed, but that is not needed to make RRI work.

/Kvistofta

Author Comment

by:jasonbranch10
ID: 33464759
Kvistofta

I confirmed your point this morning. We currently have a backup VPN configured to one of our sites and even though the tunnel is down the routes are still being advertised out of the ASA.

So my question now is what is the difference between RRI and just redistributing the static routes themselves?

A cleaner approach?
LVL 18

Expert Comment

by:decoleur
ID: 33464886
I offer that it is a question of the function of the approach. RRI can be used in 4 different use cases, from lan to lan to a client RRI or NEM where the remote address space is not known.

Both RRI and static routes add routes into the local routing table to be redistributed; in the case of RRI it is the result of inference, static is just that, static.

This has been a good thread to follow, thanks for the question!

-t
LVL 17

Expert Comment

by:Kvistofta
ID: 33465386
There is no difference in functionality.

The most common scenario is that VPN is done over internet to which you already have a default route. If that is the case you dont have to care at all.

RRI is just a way to say "whatever is at the remote end of the tunnel should be statically routed to the interface where the crypto map is". If you change your VPN acl you don't have to modify your static routes manually, it is taken care of with RRI. If you (for some weird reason) move the crypto map to another interface, RRI will automatically modify the routes.

But the most important things:
1) RRI-injected static routes remain until the crypto map is reconfigured.
2) If you already have a default route pointing towards the interface where your crypto map is applied you don't have to use RRI.
3) You must redistribute statics into the routing protocol if you need to "spread the word" about the remote networks. Same thing here: if you already have a default route pointing to your ASA in your inside environment you don't have to redistribute statics about the remote networks since they are part of the default route and in the same direction.

Good luck!
(I would appreciate some points, but maybe it is too late for that?)

/Jimmy
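As an added example (not posted by anyone in this thread), the hub-side ASA configuration that implements Kvistofta's two points above: a static crypto map entry with reverse-route injection, and redistribution of only the RRI-created statics into EIGRP. Interface name, ACL/route-map names, addresses and the pre-8.4 ASA syntax (transform-set without the ikev1 keyword) are assumptions.

```cisco
! Added example, not from the thread. Hypothetical names, private/RFC 5737 addresses,
! pre-8.4 ASA syntax assumed.

! Proxy ACL: hub LAN 10.1.0.0/16 <-> remote LAN 10.20.0.0/16.
! RRI reads the destination side of this ACL to build its static route.
access-list HUB_TO_SITE20 extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Static crypto map entry with a fixed peer, so either side can bring the tunnel up.
crypto map outside_map 10 match address HUB_TO_SITE20
crypto map outside_map 10 set peer 203.0.113.20
crypto map outside_map 10 set transform-set ESP-AES-SHA
! Reverse route injection: a static route for 10.20.0.0/16 via "outside" is installed
! as soon as the crypto map is applied, whether or not an SA exists. It only goes away
! if this entry is removed or the crypto map is moved to another interface.
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside

! Redistribute only the RRI prefixes, so unrelated statics on the ASA stay local.
access-list RRI_ROUTES standard permit 10.20.0.0 255.255.0.0
route-map RRI_TO_EIGRP permit 10
 match ip address RRI_ROUTES

router eigrp 100
 network 10.1.0.0 255.255.0.0
 default-metric 10000 100 255 1 1500
 redistribute static route-map RRI_TO_EIGRP
! Point 2)/3): if the inside routers already default-route to this ASA, neither the
! reverse-route nor the redistribution is needed.
! Check: "show route" lists the 10.20.0.0 static even while the tunnel is down.
```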
LVL 18

Expert Comment

by:decoleur
ID: 33465554
Jimmy-

the question is closed and points awarded, but I opened up another one related to where this thread was going...

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_26411645.html

cheers!

Expert Comment

by:kenm0818
ID: 38483336
Have a similar issue, and it doesn't matter if you're using RRI or not... If the SAs time out, then the only way to re-establish the VPN (configured with a dynamic VPN map at the head end) is to initiate some interesting traffic at the remote end.

A simple way to do this is have the remote end do a sntp/ntp time request to a time source at the head end (or beyond) on a frequency that is a bit less than the SA life-time value specified at the remote end. That time request traffic needs to be included in the remote end's definition of "interesting traffic".

We do this for 380+ remote VPN sites.