[c-nsp] Site to Site VPN

Florin Florian florin.florian at gmail.com
Mon Aug 9 09:27:19 EDT 2010


Hi,

When the best path to the tunnel destination is via the tunnel itself,
recursive routing causes the tunnel interface to flap. To avoid the recursive
routing problem, use static routes to override the first hop.

You can add a static route at the remote site to the corporate peer via the
Internet gateway. This route will be more specific than the learned network
route, so it takes precedence and the tunnel will be stable.

Good luck!

fflorin

On Mon, Aug 9, 2010 at 6:40 AM, Mohammad Khalil <eng_mssk at hotmail.com> wrote:

>
> Hey man,
>
> Thanks for the response.
> Now, man, I have another issue: show crypto isakmp sa is showing
> that the tunnel is up (QM_IDLE),
> but I cannot ping the other side, and it was working normally.
> I see in the log message that there is "it is temporarily disabled due
> to recursive routing".
>
> Date: Mon, 9 Aug 2010 11:42:05 +0200
> From: jan.gregor at chronix.org
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Site to Site VPN
>
> Hi,
>
> > what is the possible solution to solve this issue ?
> > IKE message from x.x.x.x has no SA and is not an initialization offer
>
> Probably a reset of the VPN on the other side. This message is commonly seen
> when one side of the VPN reloads. The other side just does not know that the
> association is not valid any more.
> If this is a persistent problem and the VPN cannot establish itself, then
> capture some debugs and send them in; just this error message is not
> sufficient to draw any conclusions. Otherwise just ignore it, it is
> correct behaviour.
>
> Best regards,
>
> Jan
>
>
>  _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
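
The recursive-routing condition described in the reply above can be checked offline with a longest-prefix-match lookup. This is an added example, not part of the original thread; the addresses (RFC 5737 documentation ranges), the interface names and the route table are constructed assumptions.

```python
import ipaddress

def best_route(routes, dest):
    """Longest-prefix match: the most specific route that covers dest."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in ipaddress.ip_network(r["prefix"])]
    return max(hits, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen,
               default=None)

def egress_interface(routes, dest, max_depth=8):
    """Follow next hops until a route names an exit interface."""
    for _ in range(max_depth):
        route = best_route(routes, dest)
        if route is None:
            return None              # no route at all
        if "out_if" in route:
            return route["out_if"]   # connected or interface route
        dest = route["via"]          # resolve the next hop in turn
    return None                      # next-hop loop, treat as unresolvable

def tunnel_is_recursive(routes, tunnel_if, tunnel_dest):
    """True when the path to the tunnel destination exits via the tunnel itself."""
    return egress_interface(routes, tunnel_dest) == tunnel_if

# Constructed sample: remote-site routing table (hypothetical names and addresses).
PEER = "203.0.113.10"       # corporate tunnel endpoint
GATEWAY = "198.51.100.1"    # Internet gateway at the remote site
ROUTES = [
    {"prefix": "198.51.100.0/30", "out_if": "FastEthernet0/0"},  # connected WAN link
    {"prefix": "0.0.0.0/0", "via": GATEWAY},                     # default route
    {"prefix": "203.0.113.0/24", "out_if": "Tunnel0"},           # learned over the tunnel
]
# The fix from the reply: a host route to the peer via the Internet gateway.
FIXED = ROUTES + [{"prefix": PEER + "/32", "via": GATEWAY}]

if __name__ == "__main__":
    print("before:", egress_interface(ROUTES, PEER))  # Tunnel0, so the tunnel flaps
    print("after: ", egress_interface(FIXED, PEER))   # FastEthernet0/0, stable
```

The /32 wins over the learned /24 purely on prefix length, which is why the static route does not need a lower administrative distance to take effect.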

