topic Re: FIREPOWER 2130 EIGRP in Network Security

FIREPOWER 2130 EIGRP

bayela001 — Tue, 12 Mar 2019 14:01:40 GMT

Hi,

I'd like to know if the last firepower 2130 OS is EIGRP compatible nativly or only using Flexconfig ?

If it is not native can we have an ASA OS on an firepower appliance ?

strange question I know but EIGRP is absolutely needed by my customer ...

Thks for help 🙂

regards

Re: FIREPOWER 2130 EIGRP

dejan_jov1 — Fri, 12 Oct 2018 08:24:47 GMT

Hi,

the EIGRP is still only possible over FlexConfig to configure:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/flexconfig_policies.html

Yes, you can run an ASA OS on 2100 Firepower:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/fp2100/asa-2100-gsg/getting-started.html

regards

Re: FIREPOWER 2130 EIGRP

Marvin Rhoads — Fri, 12 Oct 2018 13:41:43 GMT

For a Firepower appliance running FTD you can only configure EIGRP via using FlexConfig. Note that it is limited to being an EIGRP stub. Other than that it works fine.

You can run ASA OS on a Firepower appliance and configure EIGRP. However if you do you will NOT be able to run a Firepower service module - only the base ASA.

Re: FIREPOWER 2130 EIGRP

rhuysmans — Sat, 06 Apr 2019 06:20:32 GMT

Hello,

I'm having problems with getting EIGRP working on a FPR2120.

I've configured it using Flexconfig and when looking at the running-config, ie show running-config router eigrp, I can see that the configuration has been applied to the firewall.

> show running-config router eigrp
router eigrp 13
eigrp router-id 10.57.63.201
eigrp stub static redistributed
network 192.168.6.0 255.255.255.0
network 10.57.47.0 255.255.255.224
network 172.17.48.0 255.255.255.192
network 10.57.48.0 255.255.255.0
network 10.57.49.0 255.255.255.0
network 10.57.56.0 255.255.255.192
network 10.57.56.96 255.255.255.224
network 10.57.63.200 255.255.255.248
network 10.57.63.216 255.255.255.248
network 10.57.63.248 255.255.255.248

However, looking at the routing tables, I don't see any EIGRP routes and only the static, connected, routes.

Is there something else that's required to kick off the EIGRP routing? The previous ASA5515 that the 2120 is replacing has had no problems at all.

Much appreciated

Re: FIREPOWER 2130 EIGRP

Marvin Rhoads — Sun, 07 Apr 2019 13:15:00 GMT

There's nothing special that needs to be added above and beyond what your configuration has. Have you checked the interfaces on the expected peers to confirm they match up?

You could do a capture on one of the expected peering interfaces and see the eigrp packets and possibly determine why peering adjacency isn't establishing.

Re: FIREPOWER 2130 EIGRP

rhuysmans — Tue, 09 Apr 2019 03:45:33 GMT

Hi Marvin,

thanks for the information. I was given access to the L3 switch, that the
new 2120s connect to, and can see that EIGRP authentication has been
configured on it. I was thinking, great, no problems, I'll configure
authentication using the Flexconfig and all will be well.
I did configure the authentication on the 2120, and it matches the L3
switch identically, however on both devices I am getting authentication
errors (code 5). I have tried everything, different Flexconfig approaches,
new key-chains on the L3 switch but the two devices will not talk
together. I did remove the authentication and EIGRP works. The 2120
receives all the routes and it's good. Put authentication back on and the
Code 5 error msg appears. When I put the old firewall (5515) back in then
EIGRP pops up no problems. It uses the EIGRP authentication as well and
has been working for years.

To me it seems like a bug with 6.3.0.2. Because the FPR2120 is brand new
with only warranty so far I can't raise a TAC case.

Have you seen this type of problem before?

Many thanks for your assistance.

Re: FIREPOWER 2130 EIGRP

Marvin Rhoads — Fri, 12 Apr 2019 05:58:27 GMT

I've not done EIGRP authentication on any of my deployments.

Have you checked the running-config section specific to authentication ("show running-config authentication") to validate that your Flexconfig is pushing what you want? You should have something like:

authentication key eigrp 10 cisco123 key-id 1 
authentication mode eigrp 10 md5

If that's confirmed there already, then I suspect a bug may indeed be the case.

Re: FIREPOWER 2130 EIGRP

rhuysmans — Fri, 12 Apr 2019 07:01:33 GMT

Thanks Marvin,

yes, I've checked the Flexconfig and it is pushing exactly what I need. I
believe that there's an issue with the Flexconfig "secret key" parameter
and how the router sees this. Also how the 2120 reads the router's 7
encrypted key as well, as both sides are displaying authentication errors.

I believe that this is a bug and will contact Cisco about it.

Many thanks for the support.

Re: FIREPOWER 2130 EIGRP

KeithCopeland — Thu, 27 Jun 2019 09:38:56 GMT

For anyone else having the same issue, I ran in to this also. After entering in the key in to the EirgpAuthKey text object, it wouldn't apply in the config, a default of "cisco123" was being applied.

What I had to do was edit the flexconfig object "Eigrp_Interface_Configure_1" I created, Click the "Insert" option and select "Insert Secret Key". This allows you to edit the value and enter in the correct key.

I was able to verify from the cli (via "system support diagnostic-cli")

more system:running-config | inc key eigrp

Re: FIREPOWER 2130 EIGRP

darflore — Thu, 17 Oct 2019 22:11:15 GMT

Hi Marvin, I don't think EIGRP on FTD is limited to stub only, it should be the same as ASA. Do you have any evidence?

Re: FIREPOWER 2130 EIGRP

cweinhold — Sun, 17 Nov 2019 17:11:50 GMT

I'd like to find out if EIGRP is limited to stub or not, too. The latest FMC 6.5 manual says:

Eigrp_Configure	Configures EIGRP routing next-hop, auto-summary, router-id, eigrp-stub.	eigrpAS, eigrpNetworks, eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly, eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic, eigrpStubSummary
Eigrp_Interface_Configure	Configures EIGRP interface authentication mode, authentication key, hello interval, hold time, split horizon.	eigrpIntfList, eigrpAS, eigrpAuthKey, eigrpAuthKeyId, eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon Also uses the system variable SYS_FTD_ROUTED_INTF_MAP_LIST
Eigrp_Unconfigure	Clears EIGRP configuration for an autonomous system from the device.	—
Eigrp_Unconfigure_all	Clears all EIGRP configurations.	—

So it certainly can configure stub routing, but I'm not sure that means it's required.