topic Re: SXP session issue between Swith and ASA in Network Access Control

SXP session issue between Switch and ASA

saurabhdhakate007 — Thu, 14 May 2020 15:57:51 GMT

Hi Everyone,

I am trying to form a SXP sesstion between ASA and WS-C3850-12S-S switch .

Commands on switch :

cts sxp enable
cts sxp default source-ip 10.100.8.22
cts sxp default password testing
cts sxp connection peer 10.10.8.1 source 10.100.8.22 password default mode local speaker hold-time 0

----------------------------------------------------------------------------------------

Commands on ASA:

cts sxp enable
cts sxp default password testing
cts sxp default source-ip 10.100.8.1
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local listener

------------------------------------------------------------------------------------

But the connection status is still off as shown below

Sw(config)#do sh cts sxp conn
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: 10.100.8.22
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : 10.10.8.1
Source IP : 10.100.8.22
Conn status : Off
Conn version : 4
Local mode : SXP Speaker
Connection inst# : 1
TCP conn fd : -1
TCP conn password: default SXP password
Duration since last state change: 0:00:01:02 (dd:hr:mm:sec)

---------------------------------------------------------------------------------

Below are the log messages which it shows .

*Feb 18 19:56:07.347: CTS-SXP-CONN:sxp_process_message_event = CTS_SXPMSG_REQUES T
*Feb 18 19:56:07.348: CTS-SXP-CONN:sxp_process_request CTS_SXPMSG_REQ_SHOWCONN
*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_conn_wavl_cmp_tableid tableid1 0x0, tabl eid2 0x0, ip1 10.10.8.1, ip2 0.0.0.0 conn_mode1 1 conn_mode2 1

*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_get_next_conn_by_tableid conn:0x3DCB197C , peer ip:10.10.8.1, tableid:0x0

*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_conn_wavl_cmp_tableid tableid1 0x0, tabl eid2 0x0, ip1 10.10.8.1, ip2 10.10.8.1 conn_mode1 1 conn_mode2 1

*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_get_next_conn_by_tableid conn:0x0, peer ip:0.0.0.0, tableid:0x0

*Feb 18 19:56:07.348: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 19:56:07.348: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_process_request boolean set

*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_send_request set boolean after

*Feb 18 19:56:16.998: CTS-SXP-CONN:is_cts_sxp_rf_active
*Feb 18 19:56:16.999: CTS-SXP-CONN:ph_retry_open_timer
*Feb 18 19:56:16.999: CTS-SXP-CONN:ph_retry_open_timer retry timer stopped
*Feb 18 19:56:16.999: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 19:56:16.999: CTS-SXP-CONN:retry conn setup; conn index = 1
*Feb 18 19:56:16.999: CTS-SXP-CONN:sh_re_setup_conn conn_index = 1
*Feb 18 19:56:16.999: CTS-SXP-CONN:conn_cleanup <-1>
*Feb 18 19:56:16.999: sxp_calc_src_ip cfg src: 10.100.8.22, def src: 10.100.8.22 calc src: 10.100.8.22 vrf:, tableid:0x0
*Feb 18 19:56:16.999: CTS-SXP-CONN:sxp_socket_open vrf:, tablied:0x0 src_ip = 10.100.8.22
*Feb 18 19:56:16.999: CTS-SXP-CONN:SXP SCM: socket open fd = 1, src_ip = 10.100.8.22
*Feb 18 19:56:17.002: CTS-SXP-CONN:ph_send_open <1> fd: 1, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-CONN:get_conn_passwd_info <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-CONN:sxp_socket_upd_md5_option <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-ERR:SXP SCM: socket_connect failed
*Feb 18 19:56:17.002: CTS-SXP-CONN:conn_cleanup <1>
*Feb 18 19:56:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-CONN:free_conn_buffers, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.003: CTS-SXP-CONN:conn_cleanup retry timer started
*Feb 18 19:56:17.003: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 19:56:17.003: CTS-SXP-CONN:ph_retry_open_timer retry timer started
*Feb 18 19:57:11.925: CTS-SXP-CONN:Received invalid DIRECT_EVENT
*Feb 18 19:57:11.927: CTS-SXP-CONN:Received invalid DIRECT_EVENT
*Feb 18 19:57:11.928: CTS-SXP-CONN:is_cts_sxp_rf_active
*Feb 18 19:57:11.928: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 0, <0.0.0.0, 0.0.0.0>
*Feb 18 19:57:11.928: CTS-SXP-ERR:conn index out of range, ci=-1
*Feb 18 19:57:11.928: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 0, <0.0.0.0, 0.0.0.0>
*Feb 18 19:57:11.928: CTS-SXP-CONN:scm_handle_accept_sock <0>
*Feb 18 19:57:11.928: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1, conn_mode2 1

*Feb 18 19:57:11.928: CTS-SXP-INTNL:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1,conn_mode2 1

*Feb 18 19:57:11.928: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1, conn_mode2 2

*Feb 18 19:57:11.928: CTS-SXP-INTNL:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1,conn_mode2 2

*Feb 18 19:57:11.928: CTS-SXP-ERR:SXP SCM: configuration error: <10.100.8.1, 10.100.8.22> fd = 1 cfg:0x0, conndb:0x0

Can anyone figure out anything from this?

Re: SXP session issue between Swith and ASA

saurabhdhakate007 — Mon, 18 Feb 2019 20:06:48 GMT

*Feb 18 20:11:49.637: CTS-SXP-CONN:sxp_process_message_event = CTS_SXPMSG_REQUEST
*Feb 18 20:11:49.637: CTS-SXP-CONN:sxp_process_request CTS_SXPMSG_REQ_SHOWCONN
*Feb 18 20:11:49.637: CTS-SXP-INTNL:sxp_conn_wavl_cmp_tableid tableid1 0x0, tableid2 0x0, ip1 10.10.8.1, ip2 0.0.0.0 conn_mode1 1 conn_mode2 1

*Feb 18 20:11:49.637: CTS-SXP-INTNL:sxp_get_next_conn_by_tableid conn:0x3DCB197C, peer ip:10.10.8.1, tableid:0x0

*Feb 18 20:11:49.637: CTS-SXP-INTNL:sxp_conn_wavl_cmp_tableid tableid1 0x0, tableid2 0x0, ip1 10.10.8.1, ip2 10.10.8.1 conn_mode1 1 conn_mode2 1

*Feb 18 20:11:49.637: CTS-SXP-INTNL:sxp_get_next_conn_by_tableid conn:0x0, peer ip:0.0.0.0, tableid:0x0

*Feb 18 20:11:49.637: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:11:49.637: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:11:49.637: CTS-SXP-INTNL:sxp_process_request boolean set

*Feb 18 20:11:49.638: CTS-SXP-INTNL:sxp_send_request set boolean after

*Feb 18 20:12:16.998: CTS-SXP-CONN:is_cts_sxp_rf_active
*Feb 18 20:12:16.998: CTS-SXP-CONN:ph_retry_open_timer
*Feb 18 20:12:16.998: CTS-SXP-CONN:ph_retry_open_timer retry timer stopped
*Feb 18 20:12:16.998: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:12:16.998: CTS-SXP-CONN:retry conn setup; conn index = 1
*Feb 18 20:12:16.998: CTS-SXP-CONN:sh_re_setup_conn conn_index = 1
*Feb 18 20:12:16.998: CTS-SXP-CONN:conn_cleanup <-1>
*Feb 18 20:12:16.998: sxp_calc_src_ip cfg src: 10.100.8.22, def src: 10.100.8.22 calc src: 10.100.8.22 vrf:, tableid:0x0
*Feb 18 20:12:16.998: CTS-SXP-CONN:sxp_socket_open vrf:, tablied:0x0 src_ip = 10.100.8.22
*Feb 18 20:12:16.999: CTS-SXP-CONN:SXP SCM: socket open fd = 1, src_ip = 10.100.8.22
*Feb 18 20:12:17.001: CTS-SXP-CONN:ph_send_open <1> fd: 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-CONN:get_conn_passwd_info <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-CONN:sxp_socket_upd_md5_option <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-ERR:SXP SCM: socket_connect failed
*Feb 18 20:12:17.002: CTS-SXP-CONN:conn_cleanup <1>
*Feb 18 20:12:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-CONN:free_conn_buffers, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-CONN:conn_cleanup retry timer started
*Feb 18 20:12:17.002: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:12:17.002: CTS-SXP-CONN:ph_retry_open_timer retry timer started
*Feb 18 20:13:11.986: CTS-SXP-CONN:Received invalid DIRECT_EVENT
*Feb 18 20:13:11.988: CTS-SXP-CONN:Received invalid DIRECT_EVENT
*Feb 18 20:13:11.988: CTS-SXP-CONN:is_cts_sxp_rf_active
*Feb 18 20:13:11.989: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 0, <0.0.0.0, 0.0.0.0>
*Feb 18 20:13:11.989: CTS-SXP-ERR:conn index out of range, ci=-1
*Feb 18 20:13:11.989: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 0, <0.0.0.0, 0.0.0.0>
*Feb 18 20:13:11.989: CTS-SXP-CONN:scm_handle_accept_sock <0>
*Feb 18 20:13:11.989: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1, conn_mode2 1

*Feb 18 20:13:11.989: CTS-SXP-INTNL:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1,conn_mode2 1

*Feb 18 20:13:11.989: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1, conn_mode2 2

*Feb 18 20:13:11.989: CTS-SXP-INTNL:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1,conn_mode2 2

*Feb 18 20:13:11.989: CTS-SXP-ERR:SXP SCM: configuration error: <10.100.8.1, 10.100.8.22> fd = 1 cfg:0x0, conndb:0x0
*Feb 18 20:13:11.989: CTS-SXP-CONN:Received invalid DIRECT_EVENT
*Feb 18 20:14:16.998: CTS-SXP-CONN:is_cts_sxp_rf_active
*Feb 18 20:14:16.998: CTS-SXP-CONN:ph_retry_open_timer
*Feb 18 20:14:16.998: CTS-SXP-CONN:ph_retry_open_timer retry timer stopped
*Feb 18 20:14:16.998: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:14:16.998: CTS-SXP-CONN:retry conn setup; conn index = 1
*Feb 18 20:14:16.998: CTS-SXP-CONN:sh_re_setup_conn conn_index = 1
*Feb 18 20:14:16.998: CTS-SXP-CONN:conn_cleanup <-1>
*Feb 18 20:14:16.998: sxp_calc_src_ip cfg src: 10.100.8.22, def src: 10.100.8.22 calc src: 10.100.8.22 vrf:, tableid:0x0
*Feb 18 20:14:16.998: CTS-SXP-CONN:sxp_socket_open vrf:, tablied:0x0 src_ip = 10.100.8.22
*Feb 18 20:14:16.999: CTS-SXP-CONN:SXP SCM: socket open fd = 1, src_ip = 10.100.8.22
*Feb 18 20:14:17.002: CTS-SXP-CONN:ph_send_open <1> fd: 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-CONN:get_conn_passwd_info <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-CONN:sxp_socket_upd_md5_option <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-ERR:SXP SCM: socket_connect failed
*Feb 18 20:14:17.002: CTS-SXP-CONN:conn_cleanup <1>
*Feb 18 20:14:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-CONN:free_conn_buffers, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-CONN:conn_cleanup retry timer started
*Feb 18 20:14:17.002: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:14:17.002: CTS-SXP-CONN:ph_retry_open_timer retry timer started

Re: SXP session issue between Swith and ASA

Damien Miller — Mon, 18 Feb 2019 20:14:10 GMT

Try removing the cts sxp default source-ip command from both sides, the connection statement will handle that. From the outputs, the switch is using the default source IP, but your connection is configured for 10.100.8.128 source. There is also this log which I would follow up on to confirm you have reachability, check your 10.100.8.128 interface is up and active, remove the default IP if it continues trying to use 10.100.8.22.
"*Feb 18 19:56:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>"

In my lab I use a very simple two lines for SXP between my ASA to do exactly what you are trying, no default IP required. You can keep the password, I just didn't bother.
switchx#sh run | inc cts
cts sxp enable
cts sxp connection peer 10.0.1.2 source 10.0.0.1 password none mode local speaker hold-time 0

ASA
ASA# sh run | inc cts
cts sxp enable
cts sxp connection peer 10.0.0.1 source 10.0.1.2 password none mode local listener

Re: SXP session issue between Swith and ASA

saurabhdhakate007 — Tue, 19 Feb 2019 07:04:30 GMT

Hey Damien,

Apologies , it was my typo . I tried to change the IP's for confidentiality .

It is 10.100.8.1 as it should be.

I do this all the time and it does not give me any issue at all . Its just this time I enabled it on ASA first , rather than Switch . Does it really make any difference?

I have tried disabling and reenabling it , shut and no shut SVI of the switch , clearing cts sxp config from both ends and reconfiguring them, finally reloading the Swith as well as ASA and it did not come out.

Can you please share me any documents which guides about best practise in SXP , if you have any?

Your help is hightly appreciated .

Thanks ,

Saurabh Dhakate

Re: SXP session issue between Swith and ASA

hslai — Tue, 19 Feb 2019 14:36:14 GMT

Perhaps the SXP connections not permitted. See TrustSec Troubleshooting Guide

Other TrustSec resources at Segmentation & Group-Based Policy Resou... - Cisco Community

Re: SXP session issue between Swith and ASA

Damien Miller — Tue, 19 Feb 2019 19:26:06 GMT

This doc is also quite relevant.

https://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf

Re: SXP session issue between Swith and ASA

kerstin-534 — Wed, 13 May 2020 14:49:36 GMT

Have you solved this ? We have a problem SXP problem with ASA and IOS-XE too

Re: SXP session issue between Swith and ASA

poongarg — Wed, 13 May 2020 15:32:32 GMT

As per the logs, it looks like the routing issue on switch:

*Feb 18 19:56:17.002: CTS-SXP-CONN:sxp_socket_upd_md5_option <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-ERR:SXP SCM: socket_connect failed

Re: SXP session issue between Swith and ASA

Saurabh Dhakate — Thu, 14 May 2020 16:46:05 GMT

I remember that's the first thing which I had tested. Both peers were pingable to each other bidirectionally. Thanks!

Re: SXP session issue between Swith and ASA

thomas — Sun, 17 May 2020 00:29:48 GMT

The authoritative guide for switch to ASA would be the TrustSec User to Data Center Access Control Design Guide.

Find others at http://cs.co/ise-guides#TrustSec