IPSec ERoutes split between Primary and Secondary Remotes

We have several WR21s that terminate to two Cisco ASAs using IPsec. One of the Cisco ASAs is a primary unit and one is a backup unit.

Each WR21 has 4 IPsec ERoutes.

When the cellular signal is poor we end up with 1 or 2 of the Eroutes terminated to our primary ASA and the other ERoutes are terminated to our secondary ASA. This causes a routing problem as our routers aren’t sure where to send the traffic.

Is there a way to ensure that all the defined ERoutes get terminated to the same IKE peer and not split?

So if 1 Eroute terminates to our primary ASA then all the Eroutes will terminate to the primary? If one of the ERoutes fails on the primary then all the ERoutes will be terminated on the Backup ASA.

I think the inhibitno and requireno parameters on the eroute command are what you are looking for.

Have a look in the manual under the link. Is that what you are after?

I came across those settings before but I’m not sure how they behave.

For example if I have eRoutes B & C that are inhibited unless eRoute A is up would this prevent eRoute B from terminating on the backup unit if A is on the primary unit?

In other words would these settings ensure that the eRoutes land on the same IKE peer?

I also see a setting for “Tunnel this IPsec tunnel inside another tunnel” but I haven’t seen any documentation explaining what that does…

I ended up putting an inhibit on all the eroutes to keep them down unless the first eroute was up.

Another setting that I set, under IKE -> Advanced, was the SA removal mode, which I set to Both so that the SAs get removed when the tunnels are down.

We use remote route injection, so that has issues with routing if we leave the SAs up and the eroutes are down.
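As an added example (not from this thread and not Digi firmware code), here is a small Python model of the "inhibit unless eroute N is up" dependency the last posts settle on, together with a check that flags the split-peer condition from the original question so it can be monitored. It assumes tunnel status is available as a list of (eroute index, current IKE peer) pairs; the `inhibit_unless` field is a stand-in for the inhibitno parameter and models only "held down unless eroute N is up". Whether the firmware also pins dependent eroutes to the same peer is not answered in the thread, so the check reports a split whenever two different peers carry tunnels, regardless of how the tunnels got there.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed placeholder peer names; real deployments would use the ASA peer addresses.
PRIMARY = "primary-asa"
BACKUP = "backup-asa"


@dataclass
class ERoute:
    index: int
    peer: Optional[str]                    # IKE peer the SA is currently up with; None if the tunnel is down
    inhibit_unless: Optional[int] = None   # index of the eroute this one depends on (stand-in for inhibitno)


def effective_state(eroutes: List[ERoute]) -> Dict[int, Optional[str]]:
    """Apply the inhibit rules: an eroute whose dependency is down is itself held down.

    Returns a mapping of eroute index -> peer it is effectively up with (None if held down).
    Chains (B depends on A, C depends on B) are followed recursively; a cycle is an error.
    """
    by_index = {e.index: e for e in eroutes}
    state: Dict[int, Optional[str]] = {}

    def resolve(i: int, trail: FrozenSet[int]) -> Optional[str]:
        if i in state:
            return state[i]
        if i in trail:
            raise ValueError(f"circular inhibit chain involving eroute {i}")
        e = by_index[i]
        if e.inhibit_unless is not None and resolve(e.inhibit_unless, trail | {i}) is None:
            state[i] = None  # dependency is down, so this eroute is kept down
        else:
            state[i] = e.peer
        return state[i]

    for e in eroutes:
        resolve(e.index, frozenset())
    return state


def active_peers(state: Dict[int, Optional[str]]) -> Set[str]:
    """Distinct peers that currently carry at least one tunnel."""
    return {p for p in state.values() if p is not None}


def check_split(eroutes: List[ERoute]) -> Tuple[Dict[int, Optional[str]], bool]:
    """Return the effective state and True if tunnels are split across more than one peer."""
    state = effective_state(eroutes)
    return state, len(active_peers(state)) > 1


if __name__ == "__main__":
    # Constructed snapshot reproducing the problem in the question: two tunnels on each ASA.
    split_snapshot = [ERoute(0, PRIMARY), ERoute(1, PRIMARY), ERoute(2, BACKUP), ERoute(3, BACKUP)]
    # Same snapshot with eroutes 1-3 inhibited unless eroute 0 is up, and eroute 0 down.
    held_down = [ERoute(0, None), ERoute(1, PRIMARY, 0), ERoute(2, BACKUP, 0), ERoute(3, BACKUP, 0)]
    for label, snap in (("no inhibit", split_snapshot), ("inhibit, eroute 0 down", held_down)):
        state, split = check_split(snap)
        print(f"{label}: state={state} split={split}")
```

Feeding the check a status snapshot on a schedule gives an alert for exactly the condition the first post describes; the held-down case also shows why the SA removal mode matters, since a tunnel the model reports as down but whose SA is still present would keep injecting a route.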