ASA load-balancing over EIGRP not working

gkuzmowycz
Level 1

We have an ASA 5540 running 8.4(1) on the inside of dual Internet-facing border routers. The routers run BGP facing out and EIGRP facing in, with the ASA also running EIGRP for the same AS. Both routers redistribute a default route into EIGRP. It was my understanding and expectation that the ASA would learn both of these, as they are equal cost, and load-balance the outbound traffic over the two links. This does not appear to be the case.

The routers both have:

router eigrp 100
network nn.nn.nn.nn 0.0.0.0
redistribute static
passive-interface default
no passive-interface GigabitEthernet0/1

ip route 0.0.0.0 0.0.0.0 Null0 220

The ASA has:

router eigrp 100
network nn.nn.nn.0 255.255.252.0
passive-interface default
no passive-interface XXXX-Outside

All three Gig interfaces are connected to the same VLAN on the same switch. Neighbor relationships are up.

Router: (only showing one, as they're the same)

Border1#sh ip eigrp nei
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   nn.nn.nn.100          Gi0/1             13 1d03h     338  2028  0  32
1   nn.nn.nn.11           Gi0/1             12 31w0d       1   200  0  429

ASA:

ASA1# sh eigrp nei
EIGRP-IPv4 neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   nn.nn.nn.11           Gi0/0.920        14     1d03h 2    200   0   429
0   nn.nn.nn.10           Gi0/0.920        13     1d03h 1    200   0   551

However, on the ASA, we have

ASA1# sh eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(nn.nn.mm.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816
        via nn.nn.nn.11 (2816/256), GigabitEthernet0/0.920

ASA1# sh rout
Gateway of last resort is nn.nn.nn.11 to network 0.0.0.0
[snip]
D*EX 0.0.0.0 0.0.0.0 [170/2816] via nn.nn.nn.11, 27:30:50, XXXX-Outside

I expected to see both nn.nn.nn.10 and nn.nn.nn.11. Am I wrong?


andrew.prince
Level 10

it should as long as the 2 k values are equal.

What is the output of "show eigrp topology" on the ASA?

You could also consider the eigrp variance option, if supported.

Sent from Cisco Technical Support iPad App

Yes, I know it should work. I'm posting here because it doesn't.

The "sh eigrp top" from the ASA is in my original post.

ASA1# sh eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(nn.nn.mm.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816
        via nn.nn.nn.11 (2816/256), GigabitEthernet0/0.920

Hi,

could you post sh eigrp topo all if it is present on ASA because I can't remember if it is supported on this platform.

Regards.

Alain

Don't forget to rate helpful posts.

It's the same as "sh eigrp topo" I already posted except it includes the serno.

Hi,

it should be displaying the paths that didn't meet the Feasibility condition so I thought maybe this second path was not a feasible successor so that's why it was not in the topology table.

I never saw serno in this output; sh eigrp topology all-links

Regards.

Alain

Don't forget to rate helpful posts.

I'm not sure what you are saying. So, again, here is the output

ASA1# sh eigrp topo all-links
EIGRP-IPv4 Topology Table for AS(100)/ID(208.93.215.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816, serno 85
        via nn.nn.nn.11 (2816/256), GigabitEthernet0/0.920

Note that it is not getting a path from nn.nn.nn.10.
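An added example, not part of any post in this thread: a Python check that compares the EIGRP neighbor list with the all-links topology entry for the default route and classifies each neighbor as successor, feasible successor, failing the feasibility condition, or sending no path at all. The sample text is constructed on the pattern of the output above using documentation addresses, and the function names are hypothetical.

```python
import re

# Constructed sample modeled on the thread's output (documentation addresses).
NEIGHBORS = """\
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
1   192.0.2.11            Gi0/0.920        14     1d03h 2    200   0   429
0   192.0.2.10            Gi0/0.920        13     1d03h 1    200   0   551
"""
TOPOLOGY = """\
P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816, serno 85
        via 192.0.2.11 (2816/256), GigabitEthernet0/0.920
"""

NEI_RE = re.compile(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)\s+\S+", re.M)
PREFIX_RE = re.compile(r"^[PAUQRrs]\s+(\S+ \S+), (\d+) successors, FD is (\d+)")
VIA_RE = re.compile(r"^\s+via (\S+) \((\d+)/(\d+)\)")


def parse_neighbors(text):
    """Return the set of neighbor addresses from 'show eigrp neighbors' text."""
    return set(NEI_RE.findall(text))


def parse_topology(text):
    """Return {prefix: {"fd": int, "paths": {next_hop: (metric, reported_distance)}}}."""
    table, current = {}, None
    for line in text.splitlines():
        if m := PREFIX_RE.match(line):
            current = table.setdefault(m.group(1), {"fd": int(m.group(3)), "paths": {}})
        elif current is not None and (m := VIA_RE.match(line)):
            current["paths"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return table


def audit(neighbors, table, prefix="0.0.0.0 0.0.0.0"):
    """Classify every neighbor's path to prefix; absent neighbors sent no path."""
    entry, report = table[prefix], {}
    for hop in sorted(neighbors):
        if hop not in entry["paths"]:
            report[hop] = "no path received"
            continue
        metric, rd = entry["paths"][hop]
        if metric == entry["fd"]:      # equal to FD: usable for equal-cost balancing
            report[hop] = "successor"
        elif rd < entry["fd"]:         # feasibility condition: reported distance < FD
            report[hop] = "feasible successor"
        else:
            report[hop] = "fails feasibility condition"
    return report
```

A neighbor reported as "no path received" is absent even from the all-links view, which separates a missing or filtered update from a path that merely fails the feasibility condition.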

if you KNOW it does not work - explain why you do not think it works?

Sent from Cisco Technical Support iPad App

Because a) sh eigrp topo on the ASA has only the one path, which it learned from nn.nn.nn.11 and b) only the router at nn.nn.nn.11 is receiving traffic from the ASA. On nn.nn.nn.10, here's sh int Gi0/1

GigabitEthernet0/1 is up, line protocol is up
  Hardware is MV64460 Internal MAC, address is 588d.0965.f01a (bia 588d.0965.f01a)
  Internet address is nn.nn.nn.10/22
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/836/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 438000 bits/sec, 207 packets/sec

Clearly the second router has an issue with either not receiving the routes, or does not populate them into the routing table, or there is a general neighbour issue.

I suggest you issue the "debug ip eigrp <>

then a "clear ip route *"

and watch the debug - this should be done out of production hours, and you should be on the console of the router just in case you lock it out.
