11-23-2009 06:16 AM - edited 03-11-2019 09:41 AM
About a week ago our ASA 5520s bounced for some unknown reason. Since then the ASA has been advertising its defined internal
routes back into the network. The result is that the routing tables inside the LAN now have each network advertised twice. The internal
routes coming from the ASA are shown as external routes summarized at a higher level, see below. Has anyone seen this before?
Is there a config item on the ASA that is causing this to happen?
C 168.28.216.0/24 is directly connected, Vlan129
D EX 168.28.216.0/21 [170/3072] via 192.168.10.10, Vlan90
11-23-2009 06:43 AM
Rick
Well, it might be a config issue, but I need more details.
Is the ASA participating in EIGRP with the internal routers?
If so, can we have the EIGRP config off the ASA, the full routing table of the ASA, and the routing table off one of the internal routers?
Jon
11-23-2009 07:06 AM
Jon,
The ASA is participating in EIGRP with the internal routers. I'll post the routing tables. One quick note: the ASA has entries in
the routing table that show a subnet learned via EIGRP and also as a static, see below.
Protocol Type Destination IP Netmask/Prefix length Gateway Interface [AD/Metric]
EIGRP 168.28.216.0 255.255.255.0 192.168.10.9 inside [90/3072]
STATIC 168.28.216.0 255.255.248.0 192.168.10.9 inside [1/0]
11-23-2009 07:21 AM
Rick
The static entry in the routing table: is there a static route entry in the ASA config? i.e.
route (inside) 168.28.216.0 255.255.248.0 192.168.10.9
If there is, is there any reason for it? i.e. does the ASA actually need to participate in EIGRP, or would this summary static route handle all the internal networks? If it did, then the only other reason I could see for the ASA participating in EIGRP would be to advertise its DMZ subnets back to your internal routers. Is this what is happening?
Jon
11-23-2009 11:44 AM
Jon,
Yes, there are a number of static inside routes that cover all of the internal LAN. I was able to SSH into the ASA (this
was my first involvement with these firewalls), and I found that not only is the ASA participating in the internal LAN EIGRP,
but there is also a redistribute static statement, which I suspect is the cause of this issue. My conundrum is why
these duplicate routes appeared only after the ASA bounced. They had not been there prior to the bounce.
See attached for routing table and EIGRP config and statics.
Rick
11-23-2009 12:34 PM
Rick
There is no attachment.
That aside, I think a more relevant question is why they only turned up after the ASA had been bounced, i.e. if you have a redistribute static on the ASA and it has formed a neighborship with an internal LAN router, they should have been there already.
Note also that they are not duplicate routes; if they were, I suspect the ASA routes would not show up. The ASA is sending a summarised route entry, and although this includes the internal subnets, it is considered a different route because it has a different prefix length, so it too will be installed in the internal routers' routing table.
So, as I say, it's more a mystery of why they weren't there in the first place.
It's difficult to say without the full topology, but if the ASA is only peering with the internal network and not with anything on the outside, then I'm not sure why you have that static statement on the ASA, i.e. either peer with an internal router and exchange routes or use a static route on the ASA, but not both. But like I say, without knowing the full topology it's not possible to recommend one or the other.
Jon
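The point Jon makes about prefix length, as an added example that is not part of the original thread: a small longest-prefix-match routing table built from the two tables quoted above. It shows that 168.28.216.0/24 and 168.28.216.0/21 are distinct entries (a second route for the same prefix would only replace the first if its administrative distance were lower), and then follows next hops between the two devices. The addresses come from the thread (ASA inside 192.168.10.10, internal router 192.168.10.9); the assumptions are that the internal router has no more-specific route for other /24s inside the /21 (the thread shows only one), and the destination hosts used for the lookups are constructed.

```python
"""Added example: model the RIBs quoted in the thread and trace forwarding.
Not code from the original post or from any Cisco tool."""
import ipaddress


class Rib:
    """Routing table keyed by prefix.  Same prefix: lower (AD, metric) wins.
    Different prefix length: both entries coexist, as on the real routers."""

    def __init__(self, name):
        self.name = name
        self.routes = {}  # ip_network -> {"proto", "ad", "metric", "via"}

    def install(self, prefix, proto, ad, metric, via):
        net = ipaddress.ip_network(prefix)
        cur = self.routes.get(net)
        if cur is None or (ad, metric) < (cur["ad"], cur["metric"]):
            self.routes[net] = {"proto": proto, "ad": ad, "metric": metric, "via": via}
            return True
        return False  # same prefix, worse AD/metric: not installed

    def lookup(self, dst):
        """Longest-prefix match; returns (network, entry) or None."""
        addr = ipaddress.ip_address(dst)
        cands = [n for n in self.routes if addr in n]
        if not cands:
            return None
        best = max(cands, key=lambda n: n.prefixlen)
        return best, self.routes[best]


def build_tables():
    # Internal router (192.168.10.9 on Vlan90 is an assumption consistent
    # with the next hop the ASA uses): connected /24 plus the D EX /21
    # learned from the ASA at 192.168.10.10.
    core = Rib("internal-router")
    core.install("168.28.216.0/24", "C", 0, 0, "connected:Vlan129")
    core.install("168.28.216.0/21", "D EX", 170, 3072, "192.168.10.10")

    # ASA: /24 learned via EIGRP and the /21 summary static, both via
    # the internal router, exactly as in the ASA table posted above.
    asa = Rib("asa")
    asa.install("168.28.216.0/24", "EIGRP", 90, 3072, "192.168.10.9")
    asa.install("168.28.216.0/21", "STATIC", 1, 0, "192.168.10.9")
    return {"192.168.10.9": core, "192.168.10.10": asa}


def trace(nodes, start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`.
    Returns (status, path) with status 'delivered', 'loop' or 'no-route'."""
    path = [start]
    cur = start
    for _ in range(max_hops):
        hit = nodes[cur].lookup(dst)
        if hit is None:
            return "no-route", path
        via = hit[1]["via"]
        if via.startswith("connected:"):
            return "delivered", path
        if via in path:
            return "loop", path + [via]
        path.append(via)
        cur = via
    return "loop", path


if __name__ == "__main__":
    nodes = build_tables()
    core = nodes["192.168.10.9"]
    for dst in ("168.28.216.5", "168.28.220.5"):  # constructed test hosts
        net, entry = core.lookup(dst)
        print(dst, "->", net, entry["proto"], trace(nodes, "192.168.10.9", dst))
```

A host inside the connected /24 still resolves to the /24 on the internal router, so the more-specific route wins and nothing changes for live subnets. An address that falls inside the /21 but has no more-specific internal route is handed to the ASA, whose static sends it straight back, and the model reports a loop; on the real network that traffic would bounce until TTL expiry. That is the practical reason to either drop the inside statics and rely on EIGRP, or keep them and stop redistributing them (on the ASA, `redistribute static` accepts a route-map so DMZ prefixes can be permitted while the inside summaries are filtered).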