Solved: Cisco ASA 8.6 -> EIGRP not working

groupalia · ‎09-25-2012

Hi!

We have 2 ASA5510 and 2 ASA5525. Got a very weird error; up to release 8.4 eigrp works fine, after upgrading to 8.6 eigrp stops working.

If i do 'sh ei nei' i get this after upgrade to 8.6:

GRPCPDFW01# sh ei neighbors de

EIGRP-IPv4 neighbors for process 100

Can't see any neighbors; but same command from another asa on same network but with release 8.4:

GRPCPDFW02# sh eigrp neighbors de

EIGRP-IPv4 neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

4 10.5.1.3 Ma0/0 10 00:00:09 1 4500 1 0

Version 8.6/3.0, Retrans: 2, Retries: 2, Waiting for Init, Waiting for Init A

ck

Topology-ids from peer - 0

UPDATE seq 69932 ser 0-0 Sent 9320 Init Sequenced

1 172.16.150.1 Et0/0 12 3w2d 1 200 0 3813

Version 5.2/3.0, Retrans: 0, Retries: 0

Topology-ids from peer - 0

0 172.16.150.2 Et0/0 10 3w2d 1 200 0 10842

Version 8.0/2.0, Retrans: 0, Retries: 0

Topology-ids from peer - 0

3 10.20.1.2 Et0/1.201 10 14w5d 1 200 0 41791

Version 8.0/2.0, Retrans: 150, Retries: 0

Topology-ids from peer - 0

2 10.5.1.2 Ma0/0 14 14w5d 2 200 0 23542

Version 5.2/3.0, Retrans: 10, Retries: 0

Topology-ids from peer - 0

Stub Peer Advertising ( CONNECTED SUMMARY ) Routes

Suppressing queries

As you can see, 10.5.1.3 is the ASA5525 with 8.6; also detected this on the logs, from a switch 3750 connected on same network with eigrp on:

Sep 25 21:15:23.818: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.5.1.3 (Vlan5

1) is down: retry limit exceeded

Sep 25 21:15:28.473: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.5.1.3 (Vlan5

1) is up: new adjacency

keeps saying this every minute.

Can anyone help me on this? I want to put the 5525 on production but would like to do it with latest release; could this be a bug on 8.6?

thanks in advance!

xavier

Julio Carvajal · ‎09-27-2012

Hello Xavier,

Correct, that is why I asked you to remove the managment-interface keyword on the managment interface( this is not supported on this X plattaforms)

I will review the show run from both devices.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎09-25-2012

Hello Xavier,

So if you run ASA version 8.6 the EIGRP neighborship does not go up!

If you run 8.4 it goes up.

Can you share the configuration of the ASA running 8.6 and one of its directly connected neighbors.

I might need to ask you to run some debugs afterwards but lets start with the basic:

1-Exact OS version you are running on the ASA

2-On the ASA 55225 running 8.6:

show eigrp events

capture test interface nameif_interface_connected_to_eigrp_neighbor match eigrp any any

Finally provide me the show cap test

Any other question...Sure.. Just remember to rate all of the helpful posts

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

groupalia · ‎09-26-2012

Hi Julio!

exactly, if i upgrade to 8.6 i cannot see any neighborship; going to 8.4 goes fine again, without changing anything else.

Your answers:

1 .ASA Version 8.6(1)2

2.

GRPCPDFW01# sh ei eve

Event information for AS 100: Event log is empty.

GRPCPDFW01# show cap test

26 packets captured

   1: 02:39:02.009658 10.5.1.2 > 10.5.1.3: ip-proto-88, length 20
   2: 02:39:02.948666 10.5.1.3 > 224.0.0.10: ip-proto-88, length 40
   3: 02:39:04.224002 10.5.1.1 > 10.5.1.3: ip-proto-88, length 20
   4: 02:39:07.017073 10.5.1.2 > 10.5.1.3: ip-proto-88, length 20
   5: 02:39:07.568680 10.5.1.3 > 224.0.0.10: ip-proto-88, length 40
   6: 02:39:09.223377 10.5.1.1 > 10.5.1.3: ip-proto-88, length 20
   7: 02:39:12.024428 10.5.1.2 > 10.5.1.3: ip-proto-88, length 20
   8: 02:39:12.378703 10.5.1.3 > 224.0.0.10: ip-proto-88, length 40
   9: 02:39:14.222995 10.5.1.1 > 10.5.1.3: ip-proto-88, length 20
10: 02:39:16.648693 10.5.1.3 > 224.0.0.10: ip-proto-88, length 40
11: 02:39:17.031858 10.5.1.2 > 10.5.1.3: ip-proto-88, length 20
12: 02:39:19.222202 10.5.1.1 > 10.5.1.3: ip-proto-88, length 20
13: 02:39:21.208714 10.5.1.3 > 224.0.0.10: ip-proto-88, length 40
14: 02:39:22.039258 10.5.1.2 > 10.5.1.3: ip-proto-88, length 20
15: 02:39:24.221652 10.5.1.1 > 10.5.1.3: ip-proto-88, length 20
16: 02:39:26.098719 10.5.1.3 > 224.0.0.10: ip-proto-88, length 40
17: 02:39:27.046628 10.5.1.2 > 10.5.1.3: ip-proto-88, length 20
18: 02:39:29.221012 10.5.1.1 > 10.5.1.3: ip-proto-88, length 20
19: 02:39:30.408700 10.5.1.3 > 224.0.0.10: ip-proto-88, length 40
20: 02:39:32.054059 10.5.1.2 > 10.5.1.3: ip-proto-88, length 20
21: 02:39:34.220523 10.5.1.1 > 10.5.1.3: ip-proto-88, length 20
22: 02:39:34.998666 10.5.1.3 > 224.0.0.10: ip-proto-88, length 40
23: 02:39:39.219867 10.5.1.1 > 10.5.1.3: ip-proto-88, length 20
24: 02:39:39.818667 10.5.1.3 > 224.0.0.10: ip-proto-88, length 40
25: 02:39:39.837618 10.5.1.2 > 10.5.1.3: ip-proto-88, length 20
26: 02:39:41.842180 10.5.1.2 > 10.5.1.3: ip-proto-88, length 20
26 packets shown

About the router conf; i can email it to you, its quite big! lots of objects, etc... any way i put here the basic eigrp conf and interface connecting to other eigrp peers:

router eigrp 100

no auto-summary

network 10.5.1.0 255.255.255.0

network 10.10.1.0 255.255.255.0

network 10.11.1.0 255.255.255.0

network 10.12.1.0 255.255.255.0

network 10.13.1.0 255.255.255.0

network 10.20.1.0 255.255.255.0

network 10.252.1.0 255.255.255.0

network 10.253.1.0 255.255.255.0

network 10.254.1.0 255.255.255.0

network 172.16.150.0 255.255.254.0

redistribute static

interface Management0/0
nameif management
security-level 100
ip address 10.5.1.3 255.255.255.0 standby 10.5.1.4
management-only

thanks!

xavier

groupalia · ‎09-26-2012

Hi

Let me say that im doing the process of upgrading/downgrading on the ASA5510; I cannot do it on the ASA 5525-X because theres no downgrade from 8.6 to 8.4.

thanks

Julio Carvajal · ‎09-26-2012

Hello Xavier,

Do the following

cap asp type asp-drop all circular-buffer

interface Management0/0

no managment-only

Then after a few seconds do a show cap asp | include 10.5.1.3

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

groupalia · ‎09-26-2012

hi!

first i got this message:

GRPCPDFW01(config)# interface management 0/0

GRPCPDFW01(config-if)# no management-only

ERROR: It is not allowed to make changes to this option for management interface

on this platform.

after the capture got me this:

GRPCPDFW01# show cap asp | include 10.5.1.3

GRPCPDFW01#

thanks

by the way; ospf runs fine, only eigrp is failing.

Julio Carvajal · ‎09-26-2012

Hello Xavier,

Is OSPF also running or is the neigborship being stablished on this interface as well (interface management 0/0)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

groupalia · ‎09-26-2012

hi julio

ospf is running and talking with neighbor; catalyst 3750X, on the same interface:

router ospf 100

router-id 10.5.1.3

network 10.5.1.0 255.255.255.0 area 100

area 100

log-adj-changes

installed today to check if it was working; im redistributing routes also from eigrp to ospf with success.

by the way, the capture showed something:

GRPCPDFW01# show cap asp | include 10.5.1.3

6147: 16:44:24.228351 10.5.1.2 > 10.5.1.3: icmp: redirect 172.20.1.54 to host 10

.5.1.1

6170: 16:44:27.559404 10.5.1.2 > 10.5.1.3: icmp: redirect 172.20.1.54 to host 10

.5.1.1

Julio Carvajal · ‎09-26-2012

Hello Xavier,

Please check your inbox ( I just send you a private message)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

groupalia · ‎09-27-2012

Julio,

installed eigrp on interface g0/0, instead of mgmt0/0; works!

Seems like mgmt0/0 is not able to work with eigrp (but with OSPF!)

Really weird but seems a limitation on mgmt port and eigrp.

xavi

Julio Carvajal · ‎09-27-2012

Hello Xavier,

Correct, that is why I asked you to remove the managment-interface keyword on the managment interface( this is not supported on this X plattaforms)

I will review the show run from both devices.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

groupalia · ‎10-18-2012

After playing more with this; seems like from 8.6 release you cannot do any kind of routing with a source on management0/0 iface.

For example, installed the IPS module; linked on management interface; i cant get the ips on that interface to access internet or any other server on other interfaces.(of course, nat and acl are ok)

Is this a new limitation for this interface or a bug?

xavier.

groupalia · ‎10-18-2012

To who can help in the future, saw the official DOC:

Management 0/0 Interface on the ASA 5500-X Series

You manage the ASA through the Management 0/0 interface on the ASA 5512-X through ASA 5555-X models. The Management 0/0 interface has the following characteristics:

•No through traffic support

•No subinterface support

•No priority queue support

•No multicast MAC support

•The IPS SSP software module and the ASA share the Management 0/0 interface; however, each has its own separate MAC addresses and IP addresses. You must configure the IPS IP address within the IPS operating system. However, you configure physical characteristics (such as enabling the interface) on the ASA.