Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1257
Views
0
Helpful
3
Replies

EIGRP Not Failing Over in ASA Active/Standby Pair

ben.weber
Level 1
Level 1

‎07-17-2017 12:50 PM - edited ‎03-12-2019 02:42 AM

I had a funny issue come up recently.  I replaced a single ASA 5510 firewall with an active/standby pair of new ASA 5516-x's.  On that LAN the ASA(s) peer EIGRP with both the core switch stack and the local WAN router.  Nothing fancy.  The only thing unusual about the EIGRP configuration on the firewall is that it has a redistribute route map for reverse route injection.

EIGRP works fine except when I fail over the stack.  When active/standby roles swap the primary ASA (the one that becomes primary) loses it neighbor relationship with both the core switch stack and the WAN router and will not re-establish.  (I waited 20-30 minutes in testing and the neighbor sessions didn't re-establish so I'm pretty sure it's not some timeout thing.)  Similarly, the "clear eigrp neighbors" command doesn't do anything.  A "show eigrp neighbors" command still shows a blank neighbor list -and the ASA doesn't learn any routes.

The only thing that brings it back is to blow away the eigrp configuration (clear configure router eigrp) and then reload the eigrp configuration.  Once I do that it syncs right up.  But then the next time it fails I get the same thing.

I'm aware of the thing where the secondary unit doesn't peer EIGRP in an active/standby failover pair.  That's not what this is.  This is a case where immediately after a failover neither the primary nor the secondary will peer.

I initially had the pair running on the 9.6(3)-1 code.  Thinking it might be a code bug I tried 9.4(4)-5, but found the same thing.

Has anyone else seen this or know what might be wrong?  I know that conceptually the idea of running EIGRP in an active/standby pair is fine.  I have another customer where I do it with a pair of 5515-x's and it works fine.  The only differences there are that there's no redistributed route map and they are running on 9.2(4).

Thanks,

Ben

Labels:
0 Helpful
3 Replies 3

Spooster IT Services
Level 7
Level 7

‎07-18-2017 12:29 PM

Hi Ben,

Have you tried to enable the debugs when the active/standby roles swapped? If no, then can you enable the eigrp debugs on switch and ASA to see what is happening.

Spooster IT Services Team
0 Helpful

ben.weber
Level 1
Level 1
In response to Spooster IT Services

‎07-18-2017 12:31 PM

I did try that but nothing showed up in the debug logs.

0 Helpful

Gabriel Hill
Level 1
Level 1

‎10-27-2017 07:36 AM

I hit the same issue and knew it was a bug but had no luck finding it.

Opened a TAC case - and they found this. The workaround worked for me.

 

ASA: Multicast packets getting dropped starting code 9.6.3
CSCve15873
 
Symptom:
EIGRP not coming up after upgrade from 9.6.2.7 to 9.7.1.4. by default. Multicast packets getting dropped on the ASA. Can affect any routing protocol that uses multicast addresses.
Also triggered by failover.

Conditions:
Upgrade from 9.6.2.3 to 9.7.1.4

Workaround:
With this fix the use of "multicast-routing" as a workaround should no longer be necessary
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card