Participant

Cisco ASA Port-Channel Subinterfaces and OSPF

Ok, I am not sure how to do this because I have never done it or needed to do it, but now is that time.

I have a layer 2 port-channel set to trunk on a 4500x that connects to an ASA5515x. The 4500x has VLAN interfaces and these VLANs are allowed on the trunk to the ASA.

On the ASA I have the port-channel configured and I have started creating sub-interfaces on the port-channel.

I can't seem to get OSPF to work with the 4500x.

4500x:

vlan 132
!
vlan 146
!
interface gi1/0/47
switchport mode trunk
switchport trunk allowed vlan 132,146
channel-group 10 mode active
!
interface gi1/0/48
switchport mode trunk
switchport trunk allowed vlan 132,146
channel-group 10 mode active
!
interface port-channel10
switchport mode trunk
switchport trunk allowed vlan 132,146
!
interface vlan 132
ip address 10.32.32.1 255.255.255.0
ip ospf 10 area 0
!
interface vlan 146
ip address 10.46.46.15 255.255.255.0
ip ospf 10 area 0
!
router ospf 10
router-id 10.32.32.1
!


Cisco ASA 5515x:

!
interface GigabitEthernet0/1
channel-group 10 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
channel-group 10 mode active
no nameif
no security-level
no ip address
!
interface Port-channel10
lacp max-bundle 8
no nameif
no security-level
no ip address
!
interface Port-channel10.132
vlan 132
nameif INSIDE
security-level 100
ip address 10.32.32.15 255.255.255.0 standby 10.32.32.16
!
interface Port-channel10.146
vlan 146
nameif INSIDE2
security-level 100
ip address 10.46.46.15 255.255.255.0 standby 10.46.46.16
!
router ospf 10
network 10.32.32.15 255.255.255.255 area 0
network 10.46.46.15 255.255.255.255 area 0
!
access-list INSIDE_ACCESS_IN permit ip any any
access-list INSIDE2_ACCESS_IN permit ip any any
!
access-group INSIDE_ACCESS_IN in interface INSIDE
access-group INSIDE2_ACCESS_IN in interface INSIDE2
!


On the ASA the OSPF neighbor shows DOWN. On the 4500, the neighbor shows INIT/FULL...

Not sure what the issue is. Ideas? Are there any gotchas with OSPF and ASAs, except that we should use firewalls for routers, because I try to avoid that as much as possible.


2 REPLIES
VIP Advocate

Re: Cisco ASA Port-Channel Subinterfaces and OSPF

Not aware of any gotchas.

I would start debugging the ASA to see if any neighbour discovery multicasts come in. Also, can you ping between the two devices that should establish neighbourship?

Do a packet capture on the inside interface of the ASA to see if any OSPF traffic comes into the ASA.

Please remember to rate useful posts, by clicking on the stars below.

Participant

Re: Cisco ASA Port-Channel Subinterfaces and OSPF

Capture on inside interface looks like this:

 

49: 10:14:24.058407 802.1Q vlan#132 P0 10.81.32.1 > 224.0.0.5: ip-proto-89, length 72
227: 10:14:33.255739 802.1Q vlan#132 P0 10.81.32.1 > 224.0.0.5: ip-proto-89, length 72
317: 10:14:42.831454 802.1Q vlan#132 P0 10.81.32.1 > 224.0.0.5: ip-proto-89, length 72
388: 10:14:52.643033 802.1Q vlan#132 P0 10.81.32.1 > 224.0.0.5: ip-proto-89, length 72
532: 10:15:02.547304 802.1Q vlan#132 P0 10.81.32.1 > 224.0.0.5: ip-proto-89, length 72
628: 10:15:11.560594 802.1Q vlan#132 P0 10.81.32.1 > 224.0.0.5: ip-proto-89, length 72
699: 10:15:21.309447 802.1Q vlan#132 P0 10.81.32.1 > 224.0.0.5: ip-proto-89, length 72
763: 10:15:31.082484 802.1Q vlan#132 P0 10.81.32.1 > 224.0.0.5: ip-proto-89, length 72

 

Also from the ASA:

 

OSPF: Send hello to 224.0.0.5 area 0 on INSIDE from 10.81.32.15
OSPF: Send hello to 224.0.0.5 area 0 on INSIDE from 10.81.32.15
OSPF: Send hello to 224.0.0.5 area 0 on INSIDE from 10.81.32.15
OSPF: Send hello to 224.0.0.5 area 0 on INSIDE from 10.81.32.15

 

 

Now from the 4500x:

 

005218: Nov 9 10:22:57: OSPF-110 PAK : Vl132: IN: 10.81.32.15->224.0.0.5: ver:2 type:1 len:44 rid:10.81.32.15 area:0.0.0.0 chksum:97DE auth:0
005219: Nov 9 10:22:57: OSPF-110 HELLO Vl132: Rcv hello from 10.81.32.15 area 0 10.81.32.15
005220: Nov 9 10:22:57: OSPF-110 HELLO Vl132: No more immediate hello for nbr 10.81.32.15, which has been sent on this intf 2 times

 

So strange. Running ASA code 9.6.3.1. Is it an area issue? I wouldn't think so...

 

I have 2851 (10.153.32.2) ----> 4500x (10.153.32.1)

The 4500 has a Layer 3 routed port with the address 10.153.32.1, in area 0.

4500x (VLAN interface 10.32.32.1) ----> ASA (port-channel subinterface Po10.132, 10.32.32.15)
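The troubleshooting path the first reply lays out (capture on the inside interface, confirm hellos arrive, confirm the other side answers) can be turned into a small script that reads the three kinds of output posted above and reports in which direction hellos actually flow. The following Python is an added example written for this thread; it is not code from the poster or from Cisco. It relies on one protocol fact from RFC 2328: an OSPF Hello with null authentication is 24 bytes of packet header plus 20 bytes of fixed Hello body, and every neighbor router ID the sender has already heard from adds 4 bytes, so the 44-byte hellos the 4500x logs from the ASA carry an empty neighbor list. The function names, the result keys and the wording of the findings are this example's own assumptions; the sample lines are copied from the thread.

```python
import re

# Constants from RFC 2328: OSPF packet header (A.3.1) and the fixed part of a
# Hello body (A.3.2); each neighbor router ID listed in a Hello adds 4 bytes.
OSPF_PROTO = 89
OSPF_ALLSPF = "224.0.0.5"
OSPF_TYPE_HELLO = 1
OSPF_HEADER_LEN = 24
OSPF_HELLO_FIXED_LEN = 20

# Sample lines copied from the thread above: ASA "show capture" output, an ASA
# OSPF hello debug line, and IOS OSPF packet/hello debug lines.
ASA_CAPTURE = """\
49: 10:14:24.058407 802.1Q vlan#132 P0 10.81.32.1 > 224.0.0.5: ip-proto-89, length 72
227: 10:14:33.255739 802.1Q vlan#132 P0 10.81.32.1 > 224.0.0.5: ip-proto-89, length 72
"""
ASA_HELLO_DEBUG = "OSPF: Send hello to 224.0.0.5 area 0 on INSIDE from 10.81.32.15\n"
IOS_DEBUG = """\
005218: Nov 9 10:22:57: OSPF-110 PAK : Vl132: IN: 10.81.32.15->224.0.0.5: ver:2 type:1 len:44 rid:10.81.32.15 area:0.0.0.0 chksum:97DE auth:0
005219: Nov 9 10:22:57: OSPF-110 HELLO Vl132: Rcv hello from 10.81.32.15 area 0 10.81.32.15
"""

# One regex per output format; only the fields the assessment needs are captured.
ASA_CAP_RE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+802\.1Q vlan#(?P<vlan>\d+)\s+P\d+\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+ip-proto-(?P<proto>\d+),\s+length\s+(?P<len>\d+)"
)
ASA_HELLO_RE = re.compile(
    r"^OSPF: Send hello to (?P<dst>[\d.]+) area (?P<area>\S+) on (?P<iface>\S+) from (?P<src>[\d.]+)"
)
IOS_PAK_RE = re.compile(
    r"OSPF-\d+ PAK : (?P<iface>\S+): (?P<dir>IN|OUT): (?P<src>[\d.]+)->(?P<dst>[\d.]+): "
    r"ver:(?P<ver>\d+) type:(?P<type>\d+) len:(?P<len>\d+) rid:(?P<rid>[\d.]+) "
    r"area:(?P<area>[\d.]+) chksum:\S+ auth:(?P<auth>\d+)"
)


def parse_asa_capture(text):
    """OSPF (protocol 89) packets seen in ASA 'show capture' output, as dicts."""
    pkts = []
    for line in text.splitlines():
        m = ASA_CAP_RE.match(line)
        if m and int(m["proto"]) == OSPF_PROTO:
            pkts.append({"vlan": int(m["vlan"]), "src": m["src"],
                         "dst": m["dst"], "length": int(m["len"])})
    return pkts


def parse_asa_hello_debug(text):
    """(interface, source address) pairs for hellos the ASA reports sending."""
    return {(m["iface"], m["src"]) for m in map(ASA_HELLO_RE.match, text.splitlines()) if m}


def parse_ios_pak_debug(text):
    """OSPF packets from the IOS packet debug, with numeric fields converted."""
    pkts = []
    for line in text.splitlines():
        m = IOS_PAK_RE.search(line)
        if m:
            pkts.append({k: (int(v) if k in ("ver", "type", "len", "auth") else v)
                         for k, v in m.groupdict().items()})
    return pkts


def hello_neighbors_listed(ospf_len):
    """Neighbor router IDs carried in a Hello of the given OSPF length (null auth)."""
    body = ospf_len - OSPF_HEADER_LEN - OSPF_HELLO_FIXED_LEN
    return body // 4 if body >= 0 else None


def assess(asa_ip, peer_ip, vlan, capture, asa_hello_debug, ios_debug):
    """Combine the three views: do the peer's hellos reach the ASA's wire, does the
    ASA send hellos, does the peer receive them, and does the ASA already list the peer?"""
    peer_to_asa = [p for p in parse_asa_capture(capture)
                   if p["src"] == peer_ip and p["dst"] == OSPF_ALLSPF and p["vlan"] == vlan]
    asa_sends = any(src == asa_ip for _, src in parse_asa_hello_debug(asa_hello_debug))
    ios_in = [p for p in parse_ios_pak_debug(ios_debug)
              if p["dir"] == "IN" and p["src"] == asa_ip and p["type"] == OSPF_TYPE_HELLO]
    asa_lists_peer = any((n or 0) > 0 for n in map(hello_neighbors_listed, (p["len"] for p in ios_in)))
    result = {
        "peer_hellos_on_asa_wire": bool(peer_to_asa),
        "asa_sends_hellos": asa_sends,
        "peer_receives_asa_hellos": bool(ios_in),
        "asa_hello_lists_peer": asa_lists_peer,
        "areas_seen_by_peer": sorted({p["area"] for p in ios_in}),
    }
    # A capture shows what hits the interface, not what OSPF accepted: if both
    # directions are on the wire but the ASA's hello lists nobody, the ASA is
    # rejecting the peer's hello, which keeps the peer in INIT and the ASA in DOWN.
    if result["peer_hellos_on_asa_wire"] and result["peer_receives_asa_hellos"] and not asa_lists_peer:
        result["finding"] = ("hellos flow both ways on the wire but the ASA's hello carries no neighbors: "
                             "the ASA is receiving but not accepting the peer's hello; compare hello/dead "
                             "timers, area, authentication, subnet mask and network type on both sides")
    elif not result["peer_hellos_on_asa_wire"]:
        result["finding"] = "peer hellos never reach the ASA: check trunk allowed VLANs and the subinterface VLAN tag"
    elif not result["peer_receives_asa_hellos"]:
        result["finding"] = "ASA hellos never reach the peer: check the ASA side of the trunk and OSPF interface activation"
    else:
        result["finding"] = "two-way hello exchange confirmed; the adjacency should leave INIT"
    return result


if __name__ == "__main__":
    for k, v in assess("10.81.32.15", "10.81.32.1", 132, ASA_CAPTURE, ASA_HELLO_DEBUG, IOS_DEBUG).items():
        print(f"{k}: {v}")
```

Run against the posted output, the script reports that the 4500x's hellos do reach VLAN 132 on the ASA and the ASA's hellos do reach the 4500x, yet the ASA's hellos list no neighbor. That combination is exactly what the reported states (4500x INIT, ASA DOWN) describe, and it narrows the search to the fields a router checks before accepting a hello rather than to the trunk or the port-channel.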
