cisco ios 12.4 ipsec / reverse route injection

This is question re maintenance of the static routes that are dynamically inserted when we have the "REVERSE ROUTE" configuration in the dynamic crypto map.

IOS version - c1700-advsecurityk9-mz-124-17a.bin

VPN clients - Cisco vpn clients v4.6

the expected behaviour is that the static route to the IP address that is 'leased' by the vpn client by way of "ip local pool' configuration via the (public) IP address of the vpn client would be removed when the IPSEC SA is torn down or timed out by the IOS vpn server.

the observed behaviour is that instead of any of these routes being removed, another route to the leased IP address is added via the public address of the next VPN client that leases that IP address such that a sample of the output from 'show ip route' gives us; [1/0] via via ....... [1/0] via via via ....

etc for all the IP addresses in the local pool.

this is even though the destination IP addr is freed from the IP pool, and the IPsec SA should no longer be valid.

what may be relevant is that while "show crypto ipsec sa" does not list any indication of the SA to what are not valid ipsec peers, the "show crypto ipsec sa address" seem to retain some memory of the public IP's of the peers.

it is these that are inserted into the routing table, persistently even if i "clear ip route A.B.C.D"

Help in this will be gladly received.

Reply to
Graham Turner
Loading thread data ... Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.