Alternate to RRI

Posted on 2010-08-17
Last Modified: 2012-10-10
I am currently trying to advertise routes to our VPN connected sites using EIGRP on our 55xx firewalls. For most sites RRI is our first option since it provides the most dynamic routing in the event of a failover for the remote sites.
The problem is that some of our remote sites are not manned, and it's my understanding that if the tunnel drops after a certain time the reverse route will drop and routing will not come back up unless initiated by the remote side.
I am looking for something more permanent, other than a static route on the local router, that will "hold" this route in place in case the VPN needs to be brought up from the local side.
Our goal is removal of all static routes on the internal LAN.
Question by:jasonbranch10
LVL 17

Expert Comment

ID: 33458089
RRI should work fine. I guess you use this on the hub site? That means that there is always a static route inserted (and probably redistributed) pointing out the network(s) at the remote site. Is this full L2L tunnels with static IP (set peer in the hub site's crypto map)? Then either end can initiate the tunnel and the tunnel will go up and down automatically. Anyway, the static route inserted with the reverse-route should never disappear. Does it?

Anyway, there are not many options in ASA compared to IOS routers. It is more flexible and dynamic to use GRE tunnels in which you can run your EIGRP routing through the VPN, but that is not an option with ASA.

Sorry, I don't really understand your problem. It is probably me, but can you please expand your question?


Author Comment

ID: 33458828
Actually you seem to have a pretty good grasp of it.

This is the hub site we are talking about.

I was under the impression that if the VPN went down so would the route, which added to the flexibility and ease of failover to a different head-end server. If that's not the case and the route is always there, that kinda throws a wrench in my failover plans, but at least I know the remote site will always be accessible no matter who initiates the connection.
LVL 18

Accepted Solution

decoleur earned 500 total points
ID: 33458910
Hello jasonbranch10,

If you have the remote router participating in the EIGRP routing process then they should have interesting traffic that keeps the tunnels from going down. If you want another method to generate interesting traffic from the remote sites to the main site to keep the tunnels up, I have seen "sla monitor" used with good effect. See for a description of the method.

Really all you need to do is set up something like this:

sla monitor 123
 type echo protocol ipIcmpEcho interface outside !--- use an address the firewall can ping that is inside the hub
 num-packets 3
 frequency 10 !--- I would change this to 30

!--- Configure a new monitoring process with the ID 123.  Specify the
!--- monitoring protocol and the target network object whose availability the tracking
!--- process monitors.  Specify the number of packets to be sent with each poll.
!--- Specify the rate at which the monitor process repeats (in seconds).

sla monitor schedule 123 life forever start-time now

!--- Schedule the monitoring process.  In this case the lifetime
!--- of the process is specified to be forever.  The process is scheduled to begin
!--- at the time this command is entered.  As configured, this command allows the
!--- monitoring configuration specified above to determine how often the testing
!--- occurs.  However, you can schedule this monitoring process to begin in the
!--- future and to only occur at specified times.

hope this helps,



Author Comment

ID: 33459005
I don't necessarily need the tunnel to stay up...just for the route to be there from an eigrp perspective.

The remote sites are not participating in eigrp.
LVL 18

Expert Comment

ID: 33459099
it is my understanding that the dynamic route will only be available as long as the tunnel is up, to have the route you will need the tunnel.

Author Comment

ID: 33459177
That was my understanding, as it's either a static on the router, RRI without traffic to keep it up (so you lose the route once it drops), or RRI with an SLA to keep the route in place and the VPN up, which would still function properly in the case of a hard outage (hardware or circuit), in which case it would fail to the DR site.
LVL 17

Expert Comment

ID: 33461396
RRI is static, it will not disappear when the tunnel is down.

I think we have some confusions here. We are talking about 2 different scenarios:

1) Routing protocol traffic through the tunnel. If you do that the EIGRP updates will keep the tunnel up and the routes will always be there. This is by far the most effective way to do it. However, this is not supported on ASA since crypto maps cannot handle multicast/broadcast traffic.

2) RRI. This is a local thing in each router. Since there is no automatic way to distribute what exists on the remote end of the vpn tunnel all reverse-route does is to look in the crypto access-list and create a static route local in the router/firewall based on the remote networks specified in the proxy acl. They will always be there, there is no way for RRI to "know" if the tunnel is up or down. Since they are only created as static routes you then need to redistribute static routes as needed in your local routing protocol.

Of course SLA can be configured to keep the tunnel always up if needed, but that is not needed to make RRI work.


Author Comment

ID: 33464759

I confirmed your point this morning. We currently have a backup VPN configured to one of our sites and even though the tunnel is down the routes are still being advertised out of the ASA.

So my question now is what is the difference between RRI and just redistributing the static routes themselves?

A cleaner approach?
LVL 18

Expert Comment

ID: 33464886
I offer that it is a question of the function of the approach. RRI can be used in 4 different use cases, from LAN-to-LAN to a client RRI or NEM where the remote address space is not known.

Both RRI and static routes add routes into the local routing table to be redistributed; in the case of RRI it is the result of inference, static is just that, static.

this has been a good thread to follow, thanks for the question!

LVL 17

Expert Comment

ID: 33465386
There is no difference in functionality.

The most common scenario is that VPN is done over internet to which you already have a default route. If that is the case you dont have to care at all.

RRI is just a way to say "whatever is at the remote end of the tunnel should be statically routed to the interface where the crypto map is". If you change your VPN ACL you don't have to modify your static routes manually, it is taken care of with RRI. If you (for some weird reason) move the crypto map to another interface, RRI will automatically modify the routes.

But the most important things:
1) RRI-injected static routes remain until the crypto map is reconfigured.
2) If you already have a default route pointing towards the interface where your crypto map is applied you don't have to use RRI.
3) You must redistribute statics into the routing protocol if you need to "spread the word" about the remote networks. Same thing here: if you already have a default route pointing to your ASA in your inside environment you don't have to redistribute statics about the remote networks, since they are part of the default route and in the same direction.

Good luck!
(I would appreciate some points, but maybe it is too late for that?)

LVL 18

Expert Comment

ID: 33465554

the question is closed and points awarded, but I opened up another one related to where this thread was going...


Expert Comment

ID: 38483336
Have a similar issue, and it doesn't matter if you're using RRI or not. If the SAs time out, then the only way to re-establish the VPN (configured with a dynamic VPN map at the head end) is to initiate some interesting traffic at the remote end.

A simple way to do this is to have the remote end do an SNTP/NTP time request to a time source at the head end (or beyond) on a frequency that is a bit less than the SA lifetime value specified at the remote end. That time request traffic needs to be included in the remote end's definition of "interesting traffic".

We do this for 380+ remote VPN sites.
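Added example, not from the thread or from any of its participants: a pair of configurations that put together the pieces discussed above, the hub-side "sla monitor" keepalive from the accepted answer, the spoke-side NTP "interesting traffic" from the last comment, and the RRI plus EIGRP redistribution the question was about. Every address, interface name, ACL name and pre-shared key placeholder is an assumption: hub ASA at 203.0.113.1 with 10.1.0.0/16 behind it, a manned site A at 203.0.113.20 with 10.2.0.0/24 behind it, and unmanned sites with dynamic WAN addresses (10.3.0.0/24 in the spoke shown) landing on a dynamic crypto map. One caveat the thread circles around without stating: on the ASA, set reverse-route on a static crypto map entry injects the remote networks from the crypto ACL as static routes when the map is applied, and they stay regardless of tunnel state, while on a dynamic crypto map the routes are injected when the SA comes up and withdrawn when it goes away. That is why a dynamic-peer site's route only shows up after the remote end brings the tunnel up, and why the hub can keep a static-peer site alive on its own but cannot do the same for a dynamic-peer site.

```cisco
!=== Hub ASA (8.2-era syntax; all addresses and names are assumptions) ===
! Site A has a static peer, so either side can initiate. RRI on a static
! map entry installs the 10.2.0.0/24 route the moment the map is applied.
access-list VPN-TO-SITEA extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
! The SLA probe further down is sourced from the outside interface address
! (assumed here), so that flow must be in the crypto ACL as well, otherwise
! the probe leaves in the clear and never triggers IKE.
access-list VPN-TO-SITEA extended permit ip host 203.0.113.1 10.2.0.0 255.255.255.0

crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address VPN-TO-SITEA
crypto map OUTSIDE_MAP 10 set peer 203.0.113.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
! Unmanned sites with dynamic addresses: RRI on the dynamic map adds a route
! only while the SA exists, and the hub cannot initiate (no peer address).
crypto dynamic-map DYN-SPOKES 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN-SPOKES 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside

tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <site-a-psk>
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <spoke-psk>

! Hub-side keepalive for site A: ping a host behind the spoke every 30 s.
! The echo matches VPN-TO-SITEA, so it brings the tunnel up from the hub.
sla monitor 10
 type echo protocol ipIcmpEcho 10.2.0.1 interface outside
 num-packets 3
 frequency 30
sla monitor schedule 10 life forever start-time now

! Redistribute the RRI-injected statics, and only those: the default route
! is also a static pointing out the outside interface and must not leak in.
access-list RRI-NETS standard permit 10.2.0.0 255.255.255.0
access-list RRI-NETS standard permit 10.3.0.0 255.255.255.0
route-map RRI-ONLY permit 10
 match ip address RRI-NETS
router eigrp 100
 network 10.1.0.0 255.255.0.0
 redistribute static route-map RRI-ONLY

!=== Unmanned spoke (IOS router, dynamic WAN address; names assumed) ===
! The hub cannot reach this site until the spoke initiates. NTP from the
! router's own LAN address to a time source at the hub is interesting
! traffic, so every poll (IOS polls every 64 to 1024 s, well under the
! default 3600 s IPsec SA lifetime) re-triggers IKE if the SA has expired.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <spoke-psk> address 203.0.113.1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
ip access-list extended VPN-TO-HUB
 permit ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.255.255
crypto map HUB 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-AES-SHA
 match address VPN-TO-HUB
interface FastEthernet4
 crypto map HUB
! Source the poll from the LAN interface (10.3.0.1) so it falls inside the
! 10.3.0.0/24 -> 10.1.0.0/16 crypto ACE; sourced from the WAN address it
! would bypass the tunnel and never bring it up.
ntp server 10.1.0.10 source Vlan1
```

To check the behaviour described in the thread: on the hub ASA, show route should list 10.2.0.0/24 as a static via outside immediately after the map is applied and regardless of whether show crypto ipsec sa shows an SA for 203.0.113.20, whereas 10.3.0.0/24 appears only once the spoke's SA is up and disappears when it is cleared or expires. The hub-side SLA probe is only useful for sites with a fixed peer address; for the dynamic-peer sites the keepalive has to originate at the spoke, which is the point of the NTP approach.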
