12-29-2023 06:36 AM
Dear Cisco DevOps for OSPF on ASA,
why has the configuration of prefix-lists been removed from OSPF v3/OSPFv4 when your DevOps colleagues for BGP, IS-IS and EIGRP continue to implement prefix-list?
Furthermore, without prefix-list it is no longer possible to use "less specific" routes as a backup path.
According to the workaround in CSCwi31091, how should it be possible to filter a "less-specific" route via ACL?
Example:
route outside 10.246.2.0 255.255.255.0 [BackupPath-NextHop] 15 <=== DO NOT redistribute
route outside 10.246.2.0 255.255.255.128 [PrimaryPath-NextHop] 10 <= Prefix for redistribution
route outside 10.246.2.128 255.255.255.128 [PrimaryPath-NextHop] 10 <= Prefix for redistribution
Kind regards
Ralf
01-01-2024 10:41 PM
@ruben
I did a couple of tests back and forth, but none of the solutions work using the workaround described in the Bug ID CSCwi31091 or your provided solutions.
Any solutions are very welcome.
01-01-2024 10:53 PM
So you use a tag in the static route and then match it in a route-map, and it did not work!!
MHM
01-01-2024 11:25 PM
It is impossible to add a tag to a static route on ASA
01-02-2024 01:42 AM
It appears that using the prefix-list approach in redistributing VPN routes into OSPF provides more precise control compared to the access-list method. The reminder in the access-list to exclude the /24 ensures a cleaner redistribution, avoiding unnecessary routes in OSPF.
01-03-2024 01:18 PM
I don't have an ASA image to test, but I have another solution:
using an extended ACL instead of a standard ACL in the redistribute.
01-03-2024 10:50 PM
The ACL looks weird. I'll test it on ASA and let you know.
01-04-2024 02:34 AM
I have configured your solution on an ASA but sadly it does not work.
<<< config snippet >>>
route outside 10.247.1.0 255.255.255.0 [PrimaryPath-NextHop] 10 <= prefix for redistribution
route outside 10.247.2.0 255.255.255.0 [BackupPath-NextHop] 15 <=== DO NOT redistribute
route outside 10.247.2.0 255.255.255.128 [PrimaryPath-NextHop] 10 <= prefix for redistribution
route outside 10.247.2.128 255.255.255.128 [PrimaryPath-NextHop] 10 <= prefix for redistribution
!
prefix-list Redistribute_VPN_OSPF seq 10 permit 10.247.1.0/24
prefix-list Redistribute_VPN_OSPF seq 20 permit 10.247.2.0/25
prefix-list Redistribute_VPN_OSPF seq 30 permit 10.247.2.128/25
!
access-list Redistribute_STATIC_OSPF extended permit ip any4 10.247.1.0 255.255.255.0
access-list Redistribute_STATIC_OSPF extended permit ip host 10.247.2.0 host 255.255.255.128
access-list Redistribute_STATIC_OSPF extended permit ip host 10.247.2.128 host 255.255.255.128
access-list Redistribute_STATIC_OSPF_DENY extended permit ip host 10.247.2.0 host 255.255.255.0
!
route-map Redistribute_STATIC_OSPF deny 10
match ip address Redistribute_STATIC_OSPF_DENY
route-map Redistribute_STATIC_OSPF permit 20
match ip address Redistribute_STATIC_OSPF
!
router ospf 1
router-id 10.255.255.2
redistribute static metric 30 metric-type 1 subnets tag 7 route-map Redistribute_STATIC_OSPF
! From OSPF router-id 10.255.255.2
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
0.0.0.0 10.255.255.2 1162 0x80003d3a 0x8126 1
10.247.1.0 10.255.255.2 318 0x8000000c 0x9d58 7
! From OSPF router-id 10.255.255.1 (OSPF neighbor of OSPF router-id 10.255.255.2)
O E1 10.247.1.0 255.255.255.0 [110/90] via ...
MISSING 10.247.2.0 255.255.255.0 <=== Good
MISSING 10.247.2.0 255.255.255.128 <=== WRONG!!! Should be redistributed
MISSING 10.247.2.128 255.255.255.128 <=== WRONG!!! Should be redistributed
BTW, I just added 10.247.1.0/24 to see whether or not the redistribution is working at all.
It seems the ASA once again behaves differently than a router or L3 switch. But sadly we still have no proper solution.
Any other ideas?
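As an added illustration (not from any poster in this thread) of why the backup /24 is hard to exclude with an access-list: a prefix-list entry compares both the network address and the prefix length, while a standard ACL used in a route-map compares only the route's network address, so 10.247.2.0/24 and 10.247.2.0/25 are indistinguishable to it. The route table and filter entries below are constructed from the values quoted in the thread.

```python
import ipaddress

# Constructed static routes from the thread: (prefix, admin distance).
# The /24 is the less-specific backup path that must NOT be redistributed.
STATIC_ROUTES = [
    ("10.247.1.0/24", 10),
    ("10.247.2.0/24", 15),
    ("10.247.2.0/25", 10),
    ("10.247.2.128/25", 10),
]

# Prefix-list Redistribute_VPN_OSPF as posted: without ge/le, an entry matches
# only a route whose network address AND prefix length are identical.
PREFIX_LIST = ["10.247.1.0/24", "10.247.2.0/25", "10.247.2.128/25"]

# Equivalent standard-ACL entries (address + mask). Route-map matching with a
# standard ACL tests only the route's network address against each entry;
# the route's own mask is not part of the comparison.
STANDARD_ACL = ["10.247.1.0/24", "10.247.2.0/25", "10.247.2.128/25"]


def prefix_list_permits(route: str) -> bool:
    """True if some prefix-list entry matches route exactly (address + length)."""
    net = ipaddress.ip_network(route)
    return any(net == ipaddress.ip_network(e) for e in PREFIX_LIST)


def standard_acl_permits(route: str) -> bool:
    """True if the route's network address falls inside some ACL entry."""
    addr = ipaddress.ip_network(route).network_address
    return any(addr in ipaddress.ip_network(e) for e in STANDARD_ACL)


def redistributed(filter_fn) -> list:
    """Routes a single route-map permit clause using filter_fn would pass to OSPF."""
    return [prefix for prefix, _ in STATIC_ROUTES if filter_fn(prefix)]


if __name__ == "__main__":
    print("prefix-list  :", redistributed(prefix_list_permits))
    print("standard ACL :", redistributed(standard_acl_permits))
```

The prefix-list variant passes exactly the three intended prefixes; the ACL variant also passes the 10.247.2.0/24 backup route, because its network address sits inside the 10.247.2.0/25 entry.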
01-04-2024 02:47 AM - edited 01-04-2024 02:48 AM
Can you add the keyword subnets with redistribute static under ospf?
MHM
01-04-2024 03:05 AM
It's already added:
redistribute static metric 30 metric-type 1 subnets tag 7 route-map Redistribute_STATIC_OSPF
01-04-2024 11:08 PM
I have tried a different approach, which is already configured on several ASAs with OS versions lower than 9.16(4)42, 9.18(4)5 or 9.20(2), using a "match metric" criterion inside the route-map for redistribution of static routes into OSPF.
BUT!!! The DevOps of OSPF for ASA also removed this support:
route-map Redistribute_STATIC_OSPF deny 20
match metric 15
WARNING: "Redistribute_STATIC_OSPF" used as redistribute static into ospf route-map, metric match not supported
DevOps, what are you doing? Removing "prefix-list" as well as "match metric" for OSPF is not a good sign for any customer using OSPF on ASA. What will be the next unsupported OSPF functionality/feature on ASA running OSPF?
DevOps, which solution can you offer?
01-04-2024 11:18 PM
match metric is used for redistributing BGP into OSPF/EIGRP,
but I have another solution; I need to try it first.
I'll update you today.
MHM
01-04-2024 11:29 PM
Example from an ASA config (BTW, "match metric" for static routes into OSPF has been used for the last decades):
route-map vpn-routes deny 10
match ip address filter-default-static-route
!
route-map vpn-routes permit 20
match metric 1
set metric-type type-1
!
router ospf 1
router-id 192.168.254.63
network xxx.xxx.xxx.xxx 255.255.255.248 area 0
log-adj-changes
redistribute static metric 1 subnets tag xxxxxxx route-map vpn-routes
01-05-2024 12:27 AM
I already tried match metric and it does not work for static; for directly connected I will try later.
NOW
ASA does not support a tag with a static route.
ASA does not work, as I tested, when we use an extended ACL.
Last solution:
we will use a distribute-list on the OSPF neighbour, and I hope it is not an ASA so we can use a prefix-list and omit 192.168.1.0/24 from the routing table. Is this solution OK for you?
MHM
01-05-2024 12:31 AM
It's worth trying it with distribute-list.
01-05-2024 12:15 AM
The redistribution process categorizes both entities as Type-1, with the exception that the /24 is entirely omitted from the redistribution.