Hi all,
I posted a while back about 'reverse routes' not being removed from an IOS (12.4) routing table and got no reply, so please help!
This is a question regarding maintenance of the static routes that are dynamically inserted when we have the "reverse-route" configuration in the dynamic crypto map.
IOS version - c1700-advsecurityk9-mz-124-17a.bin
VPN clients - Cisco VPN Client v4.6
The expected behaviour is that the static route to the IP address 'leased' to the VPN client from the "ip local pool" configuration, via the (public) IP address of the VPN client, would be removed when the IPsec SA is torn down or timed out by the IOS VPN server.
The observed behaviour is that instead of any of these routes being removed, another route to the leased IP address is added via the public address of the next VPN client that leases that IP address, so that a sample of the output from 'show ip route' gives us:
    192.168.2.10 [1/0] via 86.145.45.34
                       via 86.140.228.10
    .......
    192.168.2.8 [1/0] via 87.56.23.34
                      via 78.56.42.34
                      via 89.34.62.23
    ....
and so on for all the IP addresses in the local pool.
This is even though the destination IP address has been freed from the IP pool and the IPsec SA should no longer be valid.
Any help with this will be gladly received.