topic Re: Multiple context - EIGRP between shared interfaces in Network Security

Multiple context - EIGRP between shared interfaces

Rolando Valenzuela — Fri, 21 Feb 2020 14:56:27 GMT

Not sure if I should be posting on the firewall or routing section, but here it goes.

I have multiple routers and one firewalls with two context ruining on the same subnet with EIGRP enabled, everything is working between routers and firewalls, the problem is between the firewall itself, one context cannot see the other and I dont have idea of how to troubleshooting.

######## CONTEXT 1

interface Port-channel13.101
 nameif transit
 security-level 0
 ip address 10.10.101.36 255.255.255.0 standby 10.10.101.37
!
router eigrp 100
 eigrp router-id 10.10.101.36
 network 10.10.101.36 255.255.255.255
 passive-interface default
 no passive-interface transit
 redistribute connected

######## CONTEXT 2

interface Port-channel13.101
 nameif transit
 security-level 0
 ip address 10.10.101.38 255.255.255.0 standby 10.10.101.39
!
router eigrp 100
 eigrp router-id 10.10.101.38
 network 10.10.101.38 255.255.255.255
 passive-interface default
 no passive-interface transit
 redistribute connected
!

Re: Multiple context - EIGRP between shared interfaces

Bogdan Nita — Tue, 12 Dec 2017 11:05:32 GMT

It gather form your description that EIGRP neighborship between the contexts is not forming.

Following commands would be useful to further troubleshoot:

show eigrp neighbors
debug eigrp neighbors

You could also capture the EIGRP packets:

capture CAP match eigrp

Re: Multiple context - EIGRP between shared interfaces

Rolando Valenzuela — Tue, 12 Dec 2017 15:55:46 GMT

You are correct Bogdan,

The problem is between the contexts, in fact I tried all those commands before starting this thread, and I dont get anything on the debug.

The capture shows traffic going to the multicast address 224.0.0.10, but the source is never the other context 😞

Re: Multiple context - EIGRP between shared interfaces

Francesco Molino — Wed, 13 Dec 2017 02:21:50 GMT

Hi,

Don't have any physical boxes right now to do some tests only vm...

Have you tried using the neighbor command to force unicast messages instead of multicast?

Re: Multiple context - EIGRP between shared interfaces

Bogdan Nita — Wed, 13 Dec 2017 10:26:47 GMT

It seems that the eigrp hello messages from one context are not reaching the other.

Are you able to see the messages going out ?

According to your config I would expect to see on the first context eigrp hello messages sent form 10.10.101.36 to 224.0.0.10 and on the second context from 10.10.101.38 to 224.0.0.10.

Re: Multiple context - EIGRP between shared interfaces

Rolando Valenzuela — Wed, 13 Dec 2017 15:40:53 GMT

@Francesco Molino I haven't fully tested it. because when I tried that all the dynamic neighbors when down so I decided to play with that during non-businnes hours and I havent schedule the window.

@Bogdan Nita I do see the traffic going out form the context itself, I do not see the traffic of the other context tho.

kcinf-fw5585x/brazil# show capture CAP

5469 packets captured

   1: 09:54:06.475622       802.1Q vlan#101 P0 10.10.101.19 > 224.0.0.10: ip-proto-88, length 40
   2: 09:54:06.527804       802.1Q vlan#101 P0 10.10.101.38 > 224.0.0.10: ip-proto-88, length 40
   3: 09:54:06.648510       802.1Q vlan#101 P0 10.10.101.4 > 224.0.0.10: ip-proto-88, length 40
   4: 09:54:06.811206       802.1Q vlan#101 P0 10.10.101.17 > 224.0.0.10: ip-proto-88, length 40
   5: 09:54:07.253206       802.1Q vlan#101 P0 10.10.101.5 > 224.0.0.10: ip-proto-88, length 40
   6: 09:54:07.711221       802.1Q vlan#101 P0 10.10.101.30 > 224.0.0.10: ip-proto-88, length 40
   7: 09:54:09.157874       802.1Q vlan#101 P0 10.10.101.15 > 224.0.0.10: ip-proto-88, length 40
   8: 09:54:10.186239       802.1Q vlan#101 P0 10.10.101.8 > 224.0.0.10: ip-proto-88, length 40
   9: 09:54:11.093424       802.1Q vlan#101 P0 10.10.101.19 > 224.0.0.10: ip-proto-88, length 40
10: 09:54:11.153342       802.1Q vlan#101 P0 10.10.101.4 > 224.0.0.10: ip-proto-88, length 40
11: 09:54:11.427986       802.1Q vlan#101 P0 10.10.101.38 > 224.0.0.10: ip-proto-88, length 40
12: 09:54:11.439384       802.1Q vlan#101 P0 10.10.101.17 > 224.0.0.10: ip-proto-88, length 40

Re: Multiple context - EIGRP between shared interfaces

Bogdan Nita — Fri, 15 Dec 2017 11:10:23 GMT

Looks like you can't form adjacencies between contexts:

EIGRP instances cannot form adjacencies with each other across shared interfaces because inter-context exchange of multicast traffic is not supported.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/route_eigrp.html

Specifying the neighbors , as @Francesco Molino suggested will establish EIGRP neighbors using unicast and therefore should work.

I presume you are using Port-channel13.101 to connect to the routers as well, in which case you will need to specify all the neighbors.

Re: Multiple context - EIGRP between shared interfaces

Marvin Rhoads — Fri, 15 Dec 2017 13:28:16 GMT

Sorry, but "EIGRP instances cannot form adjacencies with each other across shared interfaces because inter-context exchange of multicast traffic is not supported."

The configuration guide mentions it here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/route-eigrp.html#ID-2179-0000001b

Re: Multiple context - EIGRP between shared interfaces

Rolando Valenzuela — Tue, 19 Dec 2017 15:08:09 GMT

Very unfortunate 😞

Thanks for the information Marvin!!

Regards.

Rolando A. Valenzuela

Re: Multiple context - EIGRP between shared interfaces

Bogdan Nita — Tue, 19 Dec 2017 15:16:16 GMT

Did you try to use neighbor command ?

I think it should work, but I do not have a physical box to play with.

Re: Multiple context - EIGRP between shared interfaces

Rolando Valenzuela — Wed, 20 Dec 2017 19:57:43 GMT

They forced a freeze at work and I haven't been able to test, we are going to retire an old 5585 in a couple of days and lab it with it, but it will take time, what I'm doing is advertising a summary route from the router that is in the middle and that way both context can talk.

Rolando A. Valenzuela