SXP session issue between Switch and ASA

Hi Everyone, 

I am trying to form an SXP session between an ASA and a WS-C3850-12S-S switch.

Commands on switch:

cts sxp enable
cts sxp default source-ip 10.100.8.22
cts sxp default password testing
cts sxp connection peer 10.10.8.1 source 10.100.8.22 password default mode local speaker hold-time 0

----------------------------------------------------------------------------------------

Commands on ASA: 

cts sxp enable
cts sxp default password testing
cts sxp default source-ip 10.100.8.1
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local listener

------------------------------------------------------------------------------------

But the connection status is still Off, as shown below:

Sw(config)#do sh cts sxp conn
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: 10.100.8.22
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : 10.10.8.1
Source IP : 10.100.8.22
Conn status : Off
Conn version : 4
Local mode : SXP Speaker
Connection inst# : 1
TCP conn fd : -1
TCP conn password: default SXP password
Duration since last state change: 0:00:01:02 (dd:hr:mm:sec)

---------------------------------------------------------------------------------

Below are the log messages which it shows.

*Feb 18 19:56:07.347: CTS-SXP-CONN:sxp_process_message_event = CTS_SXPMSG_REQUEST
*Feb 18 19:56:07.348: CTS-SXP-CONN:sxp_process_request CTS_SXPMSG_REQ_SHOWCONN
*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_conn_wavl_cmp_tableid tableid1 0x0, tableid2 0x0, ip1 10.10.8.1, ip2 0.0.0.0 conn_mode1 1 conn_mode2 1

*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_get_next_conn_by_tableid conn:0x3DCB197C, peer ip:10.10.8.1, tableid:0x0

*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_conn_wavl_cmp_tableid tableid1 0x0, tableid2 0x0, ip1 10.10.8.1, ip2 10.10.8.1 conn_mode1 1 conn_mode2 1

*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_get_next_conn_by_tableid conn:0x0, peer ip:0.0.0.0, tableid:0x0

*Feb 18 19:56:07.348: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 19:56:07.348: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_process_request boolean set

*Feb 18 19:56:07.348: CTS-SXP-INTNL:sxp_send_request set boolean after

*Feb 18 19:56:16.998: CTS-SXP-CONN:is_cts_sxp_rf_active
*Feb 18 19:56:16.999: CTS-SXP-CONN:ph_retry_open_timer
*Feb 18 19:56:16.999: CTS-SXP-CONN:ph_retry_open_timer retry timer stopped
*Feb 18 19:56:16.999: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 19:56:16.999: CTS-SXP-CONN:retry conn setup; conn index = 1
*Feb 18 19:56:16.999: CTS-SXP-CONN:sh_re_setup_conn conn_index = 1
*Feb 18 19:56:16.999: CTS-SXP-CONN:conn_cleanup <-1>
*Feb 18 19:56:16.999: sxp_calc_src_ip cfg src: 10.100.8.22, def src: 10.100.8.22 calc src: 10.100.8.22 vrf:, tableid:0x0
*Feb 18 19:56:16.999: CTS-SXP-CONN:sxp_socket_open vrf:, tablied:0x0 src_ip = 10.100.8.22
*Feb 18 19:56:16.999: CTS-SXP-CONN:SXP SCM: socket open fd = 1, src_ip = 10.100.8.22
*Feb 18 19:56:17.002: CTS-SXP-CONN:ph_send_open <1> fd: 1, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-CONN:get_conn_passwd_info <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-CONN:sxp_socket_upd_md5_option <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-ERR:SXP SCM: socket_connect failed
*Feb 18 19:56:17.002: CTS-SXP-CONN:conn_cleanup <1>
*Feb 18 19:56:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-CONN:free_conn_buffers, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.003: CTS-SXP-CONN:conn_cleanup retry timer started
*Feb 18 19:56:17.003: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 19:56:17.003: CTS-SXP-CONN:ph_retry_open_timer retry timer started
*Feb 18 19:57:11.925: CTS-SXP-CONN:Received invalid DIRECT_EVENT
*Feb 18 19:57:11.927: CTS-SXP-CONN:Received invalid DIRECT_EVENT
*Feb 18 19:57:11.928: CTS-SXP-CONN:is_cts_sxp_rf_active
*Feb 18 19:57:11.928: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 0, <0.0.0.0, 0.0.0.0>
*Feb 18 19:57:11.928: CTS-SXP-ERR:conn index out of range, ci=-1
*Feb 18 19:57:11.928: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 0, <0.0.0.0, 0.0.0.0>
*Feb 18 19:57:11.928: CTS-SXP-CONN:scm_handle_accept_sock <0>
*Feb 18 19:57:11.928: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1, conn_mode2 1

*Feb 18 19:57:11.928: CTS-SXP-INTNL:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1,conn_mode2 1

*Feb 18 19:57:11.928: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1, conn_mode2 2

*Feb 18 19:57:11.928: CTS-SXP-INTNL:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1,conn_mode2 2

*Feb 18 19:57:11.928: CTS-SXP-ERR:SXP SCM: configuration error: <10.100.8.1, 10.100.8.22> fd = 1 cfg:0x0, conndb:0x0

 

Can anyone figure out anything from this?


*Feb 18 20:11:49.637: CTS-SXP-CONN:sxp_process_message_event = CTS_SXPMSG_REQUEST
*Feb 18 20:11:49.637: CTS-SXP-CONN:sxp_process_request CTS_SXPMSG_REQ_SHOWCONN
*Feb 18 20:11:49.637: CTS-SXP-INTNL:sxp_conn_wavl_cmp_tableid tableid1 0x0, tableid2 0x0, ip1 10.10.8.1, ip2 0.0.0.0 conn_mode1 1 conn_mode2 1

*Feb 18 20:11:49.637: CTS-SXP-INTNL:sxp_get_next_conn_by_tableid conn:0x3DCB197C, peer ip:10.10.8.1, tableid:0x0

*Feb 18 20:11:49.637: CTS-SXP-INTNL:sxp_conn_wavl_cmp_tableid tableid1 0x0, tableid2 0x0, ip1 10.10.8.1, ip2 10.10.8.1 conn_mode1 1 conn_mode2 1

*Feb 18 20:11:49.637: CTS-SXP-INTNL:sxp_get_next_conn_by_tableid conn:0x0, peer ip:0.0.0.0, tableid:0x0

*Feb 18 20:11:49.637: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:11:49.637: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:11:49.637: CTS-SXP-INTNL:sxp_process_request boolean set

*Feb 18 20:11:49.638: CTS-SXP-INTNL:sxp_send_request set boolean after

*Feb 18 20:12:16.998: CTS-SXP-CONN:is_cts_sxp_rf_active
*Feb 18 20:12:16.998: CTS-SXP-CONN:ph_retry_open_timer
*Feb 18 20:12:16.998: CTS-SXP-CONN:ph_retry_open_timer retry timer stopped
*Feb 18 20:12:16.998: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:12:16.998: CTS-SXP-CONN:retry conn setup; conn index = 1
*Feb 18 20:12:16.998: CTS-SXP-CONN:sh_re_setup_conn conn_index = 1
*Feb 18 20:12:16.998: CTS-SXP-CONN:conn_cleanup <-1>
*Feb 18 20:12:16.998: sxp_calc_src_ip cfg src: 10.100.8.22, def src: 10.100.8.22 calc src: 10.100.8.22 vrf:, tableid:0x0
*Feb 18 20:12:16.998: CTS-SXP-CONN:sxp_socket_open vrf:, tablied:0x0 src_ip = 10.100.8.22
*Feb 18 20:12:16.999: CTS-SXP-CONN:SXP SCM: socket open fd = 1, src_ip = 10.100.8.22
*Feb 18 20:12:17.001: CTS-SXP-CONN:ph_send_open <1> fd: 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-CONN:get_conn_passwd_info <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-CONN:sxp_socket_upd_md5_option <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-ERR:SXP SCM: socket_connect failed
*Feb 18 20:12:17.002: CTS-SXP-CONN:conn_cleanup <1>
*Feb 18 20:12:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-CONN:free_conn_buffers, <10.10.8.1, 10.100.8.22>
*Feb 18 20:12:17.002: CTS-SXP-CONN:conn_cleanup retry timer started
*Feb 18 20:12:17.002: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:12:17.002: CTS-SXP-CONN:ph_retry_open_timer retry timer started
*Feb 18 20:13:11.986: CTS-SXP-CONN:Received invalid DIRECT_EVENT
*Feb 18 20:13:11.988: CTS-SXP-CONN:Received invalid DIRECT_EVENT
*Feb 18 20:13:11.988: CTS-SXP-CONN:is_cts_sxp_rf_active
*Feb 18 20:13:11.989: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 0, <0.0.0.0, 0.0.0.0>
*Feb 18 20:13:11.989: CTS-SXP-ERR:conn index out of range, ci=-1
*Feb 18 20:13:11.989: CTS-SXP-CONN:Received Socket event; sock_ev = 1 fd: 0, <0.0.0.0, 0.0.0.0>
*Feb 18 20:13:11.989: CTS-SXP-CONN:scm_handle_accept_sock <0>
*Feb 18 20:13:11.989: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1, conn_mode2 1

*Feb 18 20:13:11.989: CTS-SXP-INTNL:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1,conn_mode2 1

*Feb 18 20:13:11.989: CTS-SXP-CONN:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1, conn_mode2 2

*Feb 18 20:13:11.989: CTS-SXP-INTNL:sxp_cfg_wavl_cmp_vrfname vrf name1 , vrf name2 , ip1 10.10.8.1, ip2 10.100.8.1 conn mode1 1,conn_mode2 2

*Feb 18 20:13:11.989: CTS-SXP-ERR:SXP SCM: configuration error: <10.100.8.1, 10.100.8.22> fd = 1 cfg:0x0, conndb:0x0
*Feb 18 20:13:11.989: CTS-SXP-CONN:Received invalid DIRECT_EVENT
*Feb 18 20:14:16.998: CTS-SXP-CONN:is_cts_sxp_rf_active
*Feb 18 20:14:16.998: CTS-SXP-CONN:ph_retry_open_timer
*Feb 18 20:14:16.998: CTS-SXP-CONN:ph_retry_open_timer retry timer stopped
*Feb 18 20:14:16.998: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:14:16.998: CTS-SXP-CONN:retry conn setup; conn index = 1
*Feb 18 20:14:16.998: CTS-SXP-CONN:sh_re_setup_conn conn_index = 1
*Feb 18 20:14:16.998: CTS-SXP-CONN:conn_cleanup <-1>
*Feb 18 20:14:16.998: sxp_calc_src_ip cfg src: 10.100.8.22, def src: 10.100.8.22 calc src: 10.100.8.22 vrf:, tableid:0x0
*Feb 18 20:14:16.998: CTS-SXP-CONN:sxp_socket_open vrf:, tablied:0x0 src_ip = 10.100.8.22
*Feb 18 20:14:16.999: CTS-SXP-CONN:SXP SCM: socket open fd = 1, src_ip = 10.100.8.22
*Feb 18 20:14:17.002: CTS-SXP-CONN:ph_send_open <1> fd: 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-CONN:get_conn_passwd_info <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-CONN:sxp_socket_upd_md5_option <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-ERR:SXP SCM: socket_connect failed
*Feb 18 20:14:17.002: CTS-SXP-CONN:conn_cleanup <1>
*Feb 18 20:14:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-INTNL:sxp_fd_hash_table_entry_find cdbp 1, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-CONN:free_conn_buffers, <10.10.8.1, 10.100.8.22>
*Feb 18 20:14:17.002: CTS-SXP-CONN:conn_cleanup retry timer started
*Feb 18 20:14:17.002: CTS-SXP-INTNL:cdb_get_next_entry
*Feb 18 20:14:17.002: CTS-SXP-CONN:ph_retry_open_timer retry timer started

Damien Miller
VIP Alumni
Try removing the cts sxp default source-ip command from both sides; the connection statement will handle that. From the outputs, the switch is using the default source IP, but your connection is configured for the 10.100.8.128 source. There is also this log, which I would follow up on to confirm you have reachability: check that your 10.100.8.128 interface is up and active, and remove the default IP if it continues trying to use 10.100.8.22.
"*Feb 18 19:56:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>"

In my lab I use two very simple lines for SXP with my ASA to do exactly what you are trying; no default IP required. You can keep the password, I just didn't bother.
switchx#sh run | inc cts
cts sxp enable
cts sxp connection peer 10.0.1.2 source 10.0.0.1 password none mode local speaker hold-time 0

ASA
ASA# sh run | inc cts
cts sxp enable
cts sxp connection peer 10.0.0.1 source 10.0.1.2 password none mode local listener
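
A cross-check of the two sides' cts sxp connection statements plus a scan of the debug lines quoted above, as an added example (not code from this thread or from Cisco). It assumes only that both running-configs and the switch debug output are available as text; reading the "configuration error: <a, b>" line as an inbound open from a that matched no configured connection is an assumption.

```python
import re
# Constructed sample inputs: the two configs from the thread, retyped here (not the poster's files).
SWITCH_CFG = """cts sxp enable
cts sxp default source-ip 10.100.8.22
cts sxp default password testing
cts sxp connection peer 10.10.8.1 source 10.100.8.22 password default mode local speaker hold-time 0
"""
ASA_CFG = """cts sxp enable
cts sxp default password testing
cts sxp default source-ip 10.100.8.1
cts sxp connection peer 10.100.8.22 source 10.100.8.1 password default mode local listener
"""
# Two debug lines of the shape seen in the thread (constructed sample).
SWITCH_LOG = """*Feb 18 19:56:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>
*Feb 18 19:57:11.928: CTS-SXP-ERR:SXP SCM: configuration error: <10.100.8.1, 10.100.8.22> fd = 1 cfg:0x0, conndb:0x0
"""
CONN_RE = re.compile(r"cts sxp connection peer (\S+) source (\S+) "
                     r"password (\S+) mode local (speaker|listener|both)")

def parse_connections(cfg):
    """One dict per 'cts sxp connection' statement in a running-config."""
    return [dict(peer=m[1], source=m[2], password=m[3], mode=m[4])
            for m in CONN_RE.finditer(cfg)]

def check_pair(cfg_a, cfg_b, log_a=""):
    """Cross-check A's connection statements against B's and scan A's debug
    log. Returns a list of findings; an empty list means the pair is consistent."""
    findings = []
    for a in parse_connections(cfg_a):
        match = [b for b in parse_connections(cfg_b) if b["source"] == a["peer"]]
        if not match:  # A points at an address B never uses as its SXP source
            have = [b["source"] for b in parse_connections(cfg_b)]
            findings.append(f"peer {a['peer']} on A has no matching source on B (B sources: {have})")
            continue
        b = match[0]
        if b["peer"] != a["source"]:
            findings.append(f"B expects peer {b['peer']} but A connects from {a['source']}")
        if a["mode"] == b["mode"] and a["mode"] != "both":
            findings.append(f"both sides are '{a['mode']}'; one must be listener, the other speaker")
        if a["password"] != b["password"]:
            findings.append(f"password mode differs: A '{a['password']}' vs B '{b['password']}'")
    for line in log_a.splitlines():
        m = re.search(r"socket_connect result:-1.*?errno = \d+, ([^,]+), <([\d.]+), ([\d.]+)>", line)
        if m:  # TCP never came up: fix reachability before looking at SXP itself
            findings.append(f"TCP connect to {m[2]} from {m[3]} failed: {m[1]}")
        m = re.search(r"configuration error: <([\d.]+), ([\d.]+)>", line)
        if m:  # assumption: an inbound open from m[1] that matched no configured connection on A
            findings.append(f"inbound SXP from {m[1]} to {m[2]} matched no configured connection on A")
    return findings
```

Run check_pair in both directions (switch against ASA, then ASA against switch), since a peer/source mismatch only shows up from the side whose peer address is wrong.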

Hey Damien,

Apologies, it was my typo. I tried to change the IPs for confidentiality.

It is 10.100.8.1, as it should be.

I do this all the time and it does not give me any issue at all. It's just that this time I enabled it on the ASA first, rather than on the switch. Does it really make any difference?

I have tried disabling and re-enabling it, shut and no shut on the SVI of the switch, clearing the cts sxp config from both ends and reconfiguring them, and finally reloading the switch as well as the ASA, and it did not come up.

Can you please share any documents which give guidance on best practice in SXP, if you have any?

Your help is highly appreciated.

Thanks,

Saurabh Dhakate

 

Perhaps the SXP connections are not permitted. See the TrustSec Troubleshooting Guide.

Other TrustSec resources at Segmentation & Group-Based Policy Resou... - Cisco Community

The authoritative guide for switch to ASA would be the TrustSec User to Data Center Access Control Design Guide.

Find others at http://cs.co/ise-guides#TrustSec

Have you solved this? We have an SXP problem with ASA and IOS-XE too.

poongarg
Cisco Employee

As per the logs, it looks like a routing issue on the switch:


*Feb 18 19:56:17.002: CTS-SXP-CONN:sxp_socket_upd_md5_option <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-CONN:SXP SCM: socket_connect result:-1, fd:1;errno = 265, No route to host, <10.10.8.1, 10.100.8.22>
*Feb 18 19:56:17.002: CTS-SXP-ERR:SXP SCM: socket_connect failed

I remember that's the first thing I had tested. Both peers were pingable from each other bidirectionally. Thanks!