
OSPF behavior after upgrading ASA5512

PiEich
Level 1

Hi guys,

I have this weird OSPF behavior and I don't get it...

I'm running version 9.1(4) on ASA5512, this is the output for some of the routes:

FW1DC1# sh ver
Cisco Adaptive Security Appliance Software Version 9.1(4)

FW1DC1# sh route | inc 192.168.30.0

O E2 192.168.30.0 255.255.255.248 [110/1] via 192.168.30.162, 0:01:40, TASA

FW1DC1# sh route | inc 192.168.30.8
O E2 192.168.30.8 255.255.255.248 [110/1] via 192.168.30.162, 0:02:20, TASA

FW1DC1# sh route | inc 192.168.30.16
O E2 192.168.30.16 255.255.255.248 [110/40] via 192.168.30.170, 0:02:23, L3

FW1DC1# sh route | inc 192.168.30.24
O E2 192.168.30.24 255.255.255.248 [110/40] via 192.168.30.170, 0:03:17, L3

FW1DC1# sh route | inc 192.168.30.32
O E2 192.168.30.32 255.255.255.248 [110/1] via 192.168.30.162, 0:03:29, TASA

FW1DC1# sh route | inc 192.168.30.40
O E2 192.168.30.40 255.255.255.248 [110/1] via 192.168.30.162, 0:03:42, TASA

FW1DC1# sh route | inc 192.168.30.48
O E2 192.168.30.48 255.255.255.248 [110/1] via 192.168.30.162, 0:03:44, TASA

I do the upgrade with ASDM to 9.2(1). The same output:

FW1DC1# sh ver
Cisco Adaptive Security Appliance Software Version 9.2(1)

FW1DC1# sh route | inc 192.168.30.0
O E2     192.168.30.0 255.255.255.248

FW1DC1# sh route | inc 192.168.30.8
O E2     192.168.30.8 255.255.255.248

FW1DC1# sh route | inc 192.168.30.16
O E2     192.168.30.16 255.255.255.248

FW1DC1# sh route | inc 192.168.30.24
O E2     192.168.30.24 255.255.255.248

FW1DC1# sh route | inc 192.168.30.32
O E2     192.168.30.32 255.255.255.248

FW1DC1# sh route | inc 192.168.30.40
O E2     192.168.30.40 255.255.255.248

FW1DC1# sh route | inc 192.168.30.48
O E2     192.168.30.48 255.255.255.248

So after I do the upgrade, I cannot reach any of those routes and I don't know why.

But after I downgrade to 9.1(4), it works again.

Any thoughts???

Thank you!

PS: I do the downgrade with ASDM, when the FW comes up again, the boot system still shows as 9.2(1)

downgrade /noconfirm disk0:/asa914-smp-k8.bin disk0:/oldconfig_2016jun12_0222.cfg

FW1DC1# sh run | inc asa
boot system disk0:/asa921-smp-k8.bin

4 Replies

Philip D'Ath
VIP Alumni

When it doesn't work, what appears in the firewall logs?

I'm going to guess a NAT issue, but that is just a guess.

Hi Philip,

I would need to do the upgrade and downgrade again to get the logs but I haven't seen anything in particular.

But if it was a NAT issue, wouldn't it be happening on the current version as well?

Thank you!

The NAT engine in the ASA was replaced at some version I can no longer recall. I'm guessing you might be on either side of that boundary, and NAT might need some minor tweaking after the upgrade.

You'll see issues in the log if this is the case.

Ah, that's right but it was prior to 9.1(4), I think it was 8.3 or so...

Thank you!
