11-03-2013 01:37 AM - edited 03-11-2019 07:59 PM
Hi Dear Cisco team,
My network has a lot of different subnets, and for security reasons some subnets must be able to access others and some must not. The network has 2 Cisco Catalyst 6513 switches used as core devices, 2x ASA 5525 used as internal firewalls, and Catalyst 3750 access switches used as floor switches.
I want to group some subnets (VLANs), so I configured multiple contexts on the ASAs and configured the ASAs in active/active mode. Some VLANs are included in some contexts on ASA1 (these contexts are active on ASA1) and other contexts on ASA2 (those contexts are active on ASA2). I use the EIGRP dynamic routing protocol on the ASAs. The ASAs run the new IOS 9.1 (as you know, EIGRP works in multi-context active/active mode).
As you know, by default the contexts cannot access each other, so I decided to use VRF-lite for this on the core switch.
Traffic flow (logically): the users' default gateway is the ASA. A packet comes from a user to the internal ASA and then goes to the core switch.
For example, the 10.30.40.0 subnet is in an active context on ASA1, and I want to access the 10.30.44.0 subnet in an active context on ASA2.
When I ping from user 10.30.40.10 (ASA1 context C1, active) to user 10.40.44.10 (ASA2 context C2, active), the ping does not go through.
The active/active failover is working. When I turn off ASA2, all traffic passes through ASA1; in this case C2 is active on ASA1, and then I can ping from C1 to C2. On ASA1 the different contexts are working.
The problem is that in active/active mode the different contexts are not working.
I attach the logical and physical topology, the configuration files of the devices, and the routing tables of the devices.
Please help.
I attach the 6513 configuration file.
ip vrf asa
rd 65515:1
route-target export 65515:1
route-target import 65515:100
route-target import 65515:101
ip vrf mapas
rd 65515:100
route-target export 65515:100
route-target import 65515:101
route-target import 65515:1
!
ip vrf mapas1
rd 65515:101
route-target export 65515:101
route-target import 65515:100
route-target import 65515:1
interface GigabitEthernet1/1/2
description connecte_to_ASA_outside
switchport
switchport access vlan 1000
switchport mode access
speed 100
!
interface GigabitEthernet1/1/3
description connect-to-Router-outside
switchport
switchport access vlan 1000
switchport mode access
interface Vlan340
ip vrf forwarding mapas
ip address 10.30.40.254 255.255.255.0
!
interface Vlan344
ip vrf forwarding mapas1
ip address 10.30.44.254 255.255.255.0
interface Vlan1000
ip vrf forwarding asa
description connection ASA_outside_interface
ip address 10.100.100.254 255.255.255.0
router eigrp 2008
!
address-family ipv4 vrf mapas
redistribute connected
redistribute bgp 65515 metric 128 10000 255 1 1500
network 10.30.40.0 0.0.0.255
network 10.30.41.0 0.0.0.255
network 10.30.42.0 0.0.0.255
network 10.30.43.0 0.0.0.255
autonomous-system 2008
exit-address-family
!
address-family ipv4 vrf mapas1
redistribute connected
redistribute bgp 65515 metric 128 10000 255 1 1500
network 10.30.44.0 0.0.0.255
network 10.30.45.0 0.0.0.255
network 10.30.46.0 0.0.0.255
autonomous-system 2008
exit-address-family
!
address-family ipv4 vrf asa
redistribute connected
redistribute bgp 65515 metric 128 10000 255 1 1500
network 10.100.100.0 0.0.0.255
autonomous-system 2008
exit-address-family
router bgp 65515
bgp log-neighbor-changes
redistribute eigrp 2008
!
address-family ipv4 vrf asa
redistribute connected
redistribute eigrp 2008
exit-address-family
!
address-family ipv4 vrf mapas
redistribute connected
redistribute eigrp 2008
exit-address-family
!
address-family ipv4 vrf mapas1
redistribute connected
redistribute eigrp 2008
exit-address-family
Router:
CORE-VSS#show ip bgp vpnv4 all
BGP table version is 674, local router ID is 172.31.40.105
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65515:1 (default for vrf asa)
* 10.30.40.0/24 10.30.44.1 2816 32768 ?
*> 10.100.100.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
* 10.30.41.0/24 10.30.44.1 2816 32768 ?
*> 10.100.100.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
* 10.30.42.0/24 10.30.44.1 2816 32768 ?
*> 10.100.100.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
* 10.30.43.0/24 10.30.44.1 2816 32768 ?
*> 10.100.100.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
*> 10.30.44.0/24 10.100.100.3 2816 32768 ?
Network Next Hop Metric LocPrf Weight Path
* 10.30.40.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
*> 10.30.45.0/24 10.100.100.3 2816 32768 ?
* 10.30.40.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
*> 10.30.46.0/24 10.100.100.3 2816 32768 ?
* 10.30.40.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
*> 10.30.47.0/24 0.0.0.0 0 32768 ?
*> 10.30.48.0/24 0.0.0.0 0 32768 ?
*> 10.30.49.0/24 0.0.0.0 0 32768 ?
*> 10.30.50.0/24 0.0.0.0 0 32768 ?
* 10.100.100.0/24 10.30.40.1 2816 32768 ?
* 10.30.44.1 2816 32768 ?
*> 0.0.0.0 0 32768 ?
Route Distinguisher: 65515:100 (default for vrf mapas)
* 10.30.40.0/24 10.30.44.1 2816 32768 ?
* 10.100.100.1 2816 32768 ?
*> 0.0.0.0 0 32768 ?
* 10.30.41.0/24 10.30.44.1 2816 32768 ?
* 10.100.100.1 2816 32768 ?
*> 0.0.0.0 0 32768 ?
Network Next Hop Metric LocPrf Weight Path
* 10.30.42.0/24 10.30.44.1 2816 32768 ?
* 10.100.100.1 2816 32768 ?
*> 0.0.0.0 0 32768 ?
* 10.30.43.0/24 10.30.44.1 2816 32768 ?
* 10.100.100.1 2816 32768 ?
*> 0.0.0.0 0 32768 ?
r 10.30.44.0/24 10.100.100.3 2816 32768 ?
r 10.30.40.1 2816 32768 ?
r> 0.0.0.0 0 32768 ?
r 10.30.45.0/24 10.100.100.3 2816 32768 ?
r 10.30.40.1 2816 32768 ?
r> 0.0.0.0 0 32768 ?
r 10.30.46.0/24 10.100.100.3 2816 32768 ?
r 10.30.40.1 2816 32768 ?
r> 0.0.0.0 0 32768 ?
*> 10.30.47.0/24 0.0.0.0 0 32768 ?
*> 10.30.48.0/24 0.0.0.0 0 32768 ?
*> 10.30.49.0/24 0.0.0.0 0 32768 ?
*> 10.30.50.0/24 0.0.0.0 0 32768 ?
*> 10.100.100.0/24 10.30.40.1 2816 32768 ?
* 10.30.44.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65515:101 (default for vrf mapas)
*> 10.30.40.0/24 10.30.44.1 2816 32768 ?
* 10.100.100.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
*> 10.30.41.0/24 10.30.44.1 2816 32768 ?
* 10.100.100.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
*> 10.30.42.0/24 10.30.44.1 2816 32768 ?
* 10.100.100.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
*> 10.30.43.0/24 10.30.44.1 2816 32768 ?
* 10.100.100.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
* 10.30.44.0/24 10.100.100.3 2816 32768 ?
* 10.30.40.1 2816 32768 ?
*> 0.0.0.0 0 32768 ?
* 10.30.45.0/24 10.100.100.3 2816 32768 ?
* 10.30.40.1 2816 32768 ?
*> 0.0.0.0 0 32768 ?
* 10.30.46.0/24 10.100.100.3 2816 32768 ?
* 10.30.40.1 2816 32768 ?
*> 0.0.0.0 0 32768 ?
Network Next Hop Metric LocPrf Weight Path
*> 10.30.47.0/24 0.0.0.0 0 32768 ?
*> 10.30.48.0/24 0.0.0.0 0 32768 ?
*> 10.30.49.0/24 0.0.0.0 0 32768 ?
*> 10.30.50.0/24 0.0.0.0 0 32768 ?
* 10.100.100.0/24 10.30.40.1 2816 32768 ?
*> 10.30.44.1 2816 32768 ?
* 0.0.0.0 0 32768 ?
CORE-VSS#show ip route vrf mapas
Routing Table: mapas
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 20 subnets, 2 masks
C 10.30.40.0/24 is directly connected, Vlan340
L 10.30.40.254/32 is directly connected, Vlan340
C 10.30.41.0/24 is directly connected, Vlan341
L 10.30.41.254/32 is directly connected, Vlan341
C 10.30.42.0/24 is directly connected, Vlan342
L 10.30.42.254/32 is directly connected, Vlan342
C 10.30.43.0/24 is directly connected, Vlan343
L 10.30.43.254/32 is directly connected, Vlan343
D 10.30.44.0/24 [90/2816] via 10.30.43.1, 00:13:51, Vlan343
[90/2816] via 10.30.42.1, 00:13:51, Vlan342
[90/2816] via 10.30.41.1, 00:13:51, Vlan341
[90/2816] via 10.30.40.1, 00:13:51, Vlan340
D 10.30.45.0/24 [90/2816] via 10.30.43.1, 00:13:51, Vlan343
[90/2816] via 10.30.42.1, 00:13:51, Vlan342
[90/2816] via 10.30.41.1, 00:13:51, Vlan341
[90/2816] via 10.30.40.1, 00:13:51, Vlan340
D 10.30.46.0/24 [90/2816] via 10.30.43.1, 00:13:51, Vlan343
[90/2816] via 10.30.42.1, 00:13:51, Vlan342
[90/2816] via 10.30.41.1, 00:13:51, Vlan341
[90/2816] via 10.30.40.1, 00:13:51, Vlan340
B 10.30.47.0/24 is directly connected (mapa1), 00:16:34, Vlan347
L 10.30.47.254/32 is directly connected, Vlan347
B 10.30.48.0/24 is directly connected (mapa1), 00:16:34, Vlan348
L 10.30.48.254/32 is directly connected, Vlan348
B 10.30.49.0/24 is directly connected (mapa1), 00:16:34, Vlan349
L 10.30.49.254/32 is directly connected, Vlan349
B 10.30.50.0/24 is directly connected (mapa1), 00:16:34, Vlan350
L 10.30.50.254/32 is directly connected, Vlan350
D 10.100.100.0/24 [90/2816] via 10.30.43.1, 00:16:00, Vlan343
[90/2816] via 10.30.42.1, 00:16:00, Vlan342
[90/2816] via 10.30.41.1, 00:16:00, Vlan341
[90/2816] via 10.30.40.1, 00:16:00, Vlan340
CORE-VSS#show ip route vrf mapas1
Routing Table: mapas1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 19 subnets, 2 masks
D 10.30.40.0/24 [90/2816] via 10.30.46.1, 00:14:36, Vlan346
[90/2816] via 10.30.45.1, 00:14:36, Vlan345
[90/2816] via 10.30.44.1, 00:14:36, Vlan344
D 10.30.41.0/24 [90/2816] via 10.30.46.1, 00:14:36, Vlan346
[90/2816] via 10.30.45.1, 00:14:36, Vlan345
[90/2816] via 10.30.44.1, 00:14:36, Vlan344
D 10.30.42.0/24 [90/2816] via 10.30.46.1, 00:14:36, Vlan346
[90/2816] via 10.30.45.1, 00:14:36, Vlan345
[90/2816] via 10.30.44.1, 00:14:36, Vlan344
D 10.30.43.0/24 [90/2816] via 10.30.46.1, 00:14:36, Vlan346
[90/2816] via 10.30.45.1, 00:14:36, Vlan345
[90/2816] via 10.30.44.1, 00:14:36, Vlan344
C 10.30.44.0/24 is directly connected, Vlan344
L 10.30.44.254/32 is directly connected, Vlan344
C 10.30.45.0/24 is directly connected, Vlan345
L 10.30.45.254/32 is directly connected, Vlan345
C 10.30.46.0/24 is directly connected, Vlan346
L 10.30.46.254/32 is directly connected, Vlan346
C 10.30.47.0/24 is directly connected, Vlan347
L 10.30.47.254/32 is directly connected, Vlan347
C 10.30.48.0/24 is directly connected, Vlan348
L 10.30.48.254/32 is directly connected, Vlan348
C 10.30.49.0/24 is directly connected, Vlan349
L 10.30.49.254/32 is directly connected, Vlan349
C 10.30.50.0/24 is directly connected, Vlan350
L 10.30.50.254/32 is directly connected, Vlan350
D 10.100.100.0/24 [90/2816] via 10.30.46.1, 00:14:36, Vlan346
[90/2816] via 10.30.45.1, 00:14:36, Vlan345
[90/2816] via 10.30.44.1, 00:14:36, Vlan344
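Two checks worth scripting when reviewing a VRF-lite leak design like this one: does the route-target import/export mesh actually connect the VRFs the way you intended, and which leaked prefixes does BGP flag `r` (RIB-failure) because a lower-administrative-distance route, here EIGRP at AD 90 versus BGP at AD 200, already owns that prefix in the VRF. The script below is an added example, not code from the original post; it parses the `ip vrf` stanzas and a trimmed, re-aligned copy of the `show ip bgp vpnv4 all` output quoted above (sample values come from the post, the alignment is reconstructed).

```python
"""Offline sanity checks for an IOS VRF-lite route-leaking design.

Added example, not code from the original post. Two questions are answered:
  1. which VRF imports another VRF's exported route-target (the leak matrix);
  2. which prefixes BGP marks 'r' (RIB-failure): the BGP path was chosen but
     not installed because a lower-AD route (EIGRP, AD 90) already holds the
     prefix in that VRF.
Sample inputs are copied from the post and re-aligned; the BGP table is
trimmed to a few representative rows.
"""
import re
from collections import defaultdict

# Constructed from the poster's 6513 configuration.
VRF_CONFIG = """\
ip vrf asa
 rd 65515:1
 route-target export 65515:1
 route-target import 65515:100
 route-target import 65515:101
ip vrf mapas
 rd 65515:100
 route-target export 65515:100
 route-target import 65515:101
 route-target import 65515:1
ip vrf mapas1
 rd 65515:101
 route-target export 65515:101
 route-target import 65515:100
 route-target import 65515:1
"""

# Constructed from the poster's `show ip bgp vpnv4 all` output (trimmed).
BGP_VPNV4 = """\
Route Distinguisher: 65515:1 (default for vrf asa)
 *  10.30.40.0/24    10.30.44.1    2816  32768 ?
 *>                  10.100.100.1  2816  32768 ?
 *                   0.0.0.0          0  32768 ?
 *> 10.30.44.0/24    10.100.100.3  2816  32768 ?
Route Distinguisher: 65515:100 (default for vrf mapas)
 *  10.30.40.0/24    10.30.44.1    2816  32768 ?
 *>                  0.0.0.0          0  32768 ?
 r  10.30.44.0/24    10.100.100.3  2816  32768 ?
 r                   10.30.40.1    2816  32768 ?
 r>                  0.0.0.0          0  32768 ?
 *> 10.30.47.0/24    0.0.0.0          0  32768 ?
"""

RT_RE = re.compile(r'^\s*route-target (export|import|both) (\S+)')
RD_RE = re.compile(r'^Route Distinguisher: \S+ \(default for vrf (\S+)\)')
PATH_RE = re.compile(
    r'^\s*(?P<status>[*rsdhi]+>?)\s+'      # status codes: "*", "*>", "r", "r>"
    r'(?:(?P<prefix>\d[\d.]*/\d+)\s+)?'     # prefix appears only on the first path
    r'(?P<nh>\d[\d.]*)\s')                  # next hop


def parse_vrfs(text):
    """Return {vrf: {'rd': str, 'export': set(RT), 'import': set(RT)}}."""
    vrfs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r'^ip vrf (\S+)', line)
        if m:
            cur = vrfs.setdefault(m.group(1), {'rd': None, 'export': set(), 'import': set()})
            continue
        if cur is None:
            continue
        m = re.match(r'^\s*rd (\S+)', line)
        if m:
            cur['rd'] = m.group(1)
            continue
        m = RT_RE.match(line)
        if m:
            kind, rt = m.groups()
            if kind in ('export', 'both'):
                cur['export'].add(rt)
            if kind in ('import', 'both'):
                cur['import'].add(rt)
    return vrfs


def leak_matrix(vrfs):
    """For each VRF, the sorted list of other VRFs whose exported RTs it imports."""
    return {name: sorted(o for o, ov in vrfs.items()
                         if o != name and ov['export'] & v['import'])
            for name, v in vrfs.items()}


def rib_failures(text):
    """Return {(vrf, prefix): [next hops]} for every path flagged 'r' (RIB-failure)."""
    fails = defaultdict(list)
    vrf = prefix = None
    for line in text.splitlines():
        m = RD_RE.match(line)
        if m:
            vrf = m.group(1)
            continue
        m = PATH_RE.match(line)
        if not m or vrf is None:
            continue
        if m.group('prefix'):
            prefix = m.group('prefix')          # continuation rows inherit the prefix
        if m.group('status').startswith('r'):
            fails[(vrf, prefix)].append(m.group('nh'))
    return dict(fails)


if __name__ == '__main__':
    for vrf, sources in leak_matrix(parse_vrfs(VRF_CONFIG)).items():
        print(f'vrf {vrf} imports from: {", ".join(sources) or "(nothing)"}')
    for (vrf, prefix), hops in rib_failures(BGP_VPNV4).items():
        print(f'RIB-failure in vrf {vrf}: {prefix} via {hops} (lower-AD route already installed)')
```

On the poster's data the leak matrix is a full mesh (asa, mapas and mapas1 each import the other two), so the route-target wiring is not the gap. The `r` rows, on the other hand, show that in vrf mapas the BGP-leaked path to 10.30.44.0/24 lost to the EIGRP route the core learned from the ASA (the `D 10.30.44.0/24 [90/2816] via 10.30.4x.1` entries in `show ip route vrf mapas`): the core forwards that traffic back toward the ASA context rather than leaking it directly between VRFs, which is the first thing to reconcile with the intended traffic flow.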
11-03-2013 05:49 AM
Can someone from Cisco help me?
Thanks.
11-03-2013 01:03 PM
I think it would be best to open a ticket with TAC, since they can collaborate between the routing and ASA teams. Also, you need to be more specific. I believe what you are talking about is the concept of cascading, but you need to give details of which context and which traffic you are originating from the test PC, which indicates that when traffic is sent on one ASA it works fine but when both units are running in active/active mode it does not.