https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4137933#M1073114 <P>Just to give you an update: We didn't test removal of OSPF-filter but urged customer to upgrade and test again. SW is from 2015, we assume a bug.</P> Wed, 19 Aug 2020 08:45:22 GMT klaus.kruse 2020-08-19T08:45:22Z https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4123415#M1072212 <P>Hello!</P><P>&nbsp;</P><P>I've a pair of ASA5585 running some dated version&nbsp;9.2(3)4 . It's a failover cluster and we use interface monitoring. I wondered that on secondary one monitored interface was in state "Normal (Waiting)". I did an ICMP packet trace and found this result:</P><P>&nbsp;</P><P>Result:<BR />input-interface: VPN<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (rpf-violated) Reverse-path verify failed</P><P>&nbsp;</P><P>After deactivating RPF, status went to "Normal (Monitored)". Then I activated RPF again and status keeps like this. Looks like a bug for me, but I haven't found the right one in bugsearch. Can anyone help?</P><P>&nbsp;</P><P>Kind regards</P><P>Klaus Kruse</P> Wed, 22 Jul 2020 09:50:49 GMT https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4123415#M1072212 klaus.kruse 2020-07-22T09:50:49Z https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4123465#M1072214 <P>Could you do a show running-config for the VPN interface and make sure that there is a standby IP configured for that interface?&nbsp; Usually when the interface is in Normal(Waiting) state it means that a standby IP has not yet been configured on that interface.</P> Wed, 22 Jul 2020 11:33:37 GMT https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4123465#M1072214 Marius Gunnerud 2020-07-22T11:33:37Z https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4123474#M1072217 <P>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/319690">@Marius Gunnerud</a>&nbsp;,</P><P>&nbsp;</P><P>Thanks for your suggestion, but standby IP is configured correctly:</P><P>&nbsp;</P><P>interface Port-channel1.100<BR />description VPN<BR />vlan 100<BR />nameif VPN<BR />security-level 60<BR />ip address 10.127.255.9 255.255.255.248 standby 10.127.255.10<BR />ospf database-filter all out</P><P>&nbsp;</P><P>I have this console log for reference:</P><P>&nbsp;</P><P><BR />ASA/act/pri# ping 10.127.255.10<BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 10.127.255.10, timeout is 2 seconds:<BR />?????</P><P>ASA/act/pri# conf t</P><P>ASA/act/pri(config)# no ip verify reverse-path interface VPN</P><P>ASA/act/pri(config)# exit</P><P>ASA/act/pri# ping 10.127.255.10<BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 10.127.255.10, timeout is 2 seconds:<BR />!!!!!</P><P>&nbsp;</P><P>What do you think?</P> Wed, 22 Jul 2020 11:51:42 GMT https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4123474#M1072217 klaus.kruse 2020-07-22T11:51:42Z https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4123488#M1072220 <P>Interesting.</P> <P>Would it be possible to remove the&nbsp;<SPAN><STRONG>ospf database-filter all out</STRONG> command from the interface for a test?</SPAN></P> Wed, 22 Jul 2020 12:03:38 GMT https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4123488#M1072220 Marius Gunnerud 2020-07-22T12:03:38Z https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4123514#M1072222 I can try that, will let you know the outcome. Wed, 22 Jul 2020 12:32:23 GMT https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4123514#M1072222 klaus.kruse 2020-07-22T12:32:23Z https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4137933#M1073114 <P>Just to give you an update: We didn't test removal of OSPF-filter but urged customer to upgrade and test again. SW is from 2015, we assume a bug.</P> Wed, 19 Aug 2020 08:45:22 GMT https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4137933#M1073114 klaus.kruse 2020-08-19T08:45:22Z https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4137946#M1073115 <P>Is there any reason you are not using a /30?&nbsp;</P><P>&nbsp;</P><P>If you could, change it to a /30 and test again.&nbsp;</P><P>&nbsp;</P><P>I bet if you look at the arp table on that interface, you will notice the counter/timer will reset over and over again.&nbsp;</P> Wed, 19 Aug 2020 09:07:28 GMT https://community.cisco.com/t5/network-security/asa-interface-monitoring-in-waiting-state-with-rpf-enabled/m-p/4137946#M1073115 Heino Human 2020-08-19T09:07:28Z