cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4081
Views
9
Helpful
12
Replies

Cisco ASA 8.6 -> EIGRP not working

groupalia
Level 1
Level 1

Hi!

We have 2 ASA5510 and 2 ASA5525. Got a very weird error; up to release 8.4 eigrp works fine, after upgrading to 8.6 eigrp stops working.

If i do 'sh ei nei' i get this after upgrade to 8.6:

GRPCPDFW01# sh ei neighbors de

EIGRP-IPv4 neighbors for process 100

Can't see any neighbors; but same command from another asa on same network but with release 8.4:

GRPCPDFW02# sh eigrp neighbors  de

EIGRP-IPv4 neighbors for process 100

H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq

                                            (sec)         (ms)       Cnt Num

4   10.5.1.3                Ma0/0            10  00:00:09 1    4500  1   0

   Version 8.6/3.0, Retrans: 2, Retries: 2, Waiting for Init, Waiting for Init A

ck

   Topology-ids from peer - 0

    UPDATE seq 69932 ser 0-0 Sent 9320 Init Sequenced

1   172.16.150.1            Et0/0            12      3w2d 1    200   0   3813

   Version 5.2/3.0, Retrans: 0, Retries: 0

   Topology-ids from peer - 0

0   172.16.150.2            Et0/0            10      3w2d 1    200   0   10842

   Version 8.0/2.0, Retrans: 0, Retries: 0

   Topology-ids from peer - 0

3   10.20.1.2               Et0/1.201        10     14w5d 1    200   0   41791

   Version 8.0/2.0, Retrans: 150, Retries: 0

   Topology-ids from peer - 0

2   10.5.1.2                Ma0/0            14     14w5d 2    200   0   23542

   Version 5.2/3.0, Retrans: 10, Retries: 0

   Topology-ids from peer - 0

   Stub Peer Advertising ( CONNECTED SUMMARY ) Routes

   Suppressing queries

As you can see, 10.5.1.3 is the ASA5525 with 8.6; also detected this on the logs, from a switch 3750 connected on same network with eigrp on:

Sep 25 21:15:23.818: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.5.1.3 (Vlan5

1) is down: retry limit exceeded

Sep 25 21:15:28.473: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.5.1.3 (Vlan5

1) is up: new adjacency

keeps saying this every  minute.

Can anyone help me on this? I want to put the 5525 on production but would like to do it with latest release; could this be a bug on 8.6?

thanks in advance!

xavier

1 Accepted Solution

Accepted Solutions

Hello Xavier,

Correct, that is why I asked you to remove the managment-interface keyword on the managment interface( this is not supported on this X plattaforms)

I will review the show run from both devices.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

12 Replies 12

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Xavier,

So if you run ASA version 8.6 the EIGRP neighborship does not go up!

If you run 8.4 it goes up.

Can you share the configuration of the ASA running 8.6 and one of its directly connected neighbors.

I might need to ask you to run some debugs afterwards but lets start with the basic:

1-Exact OS version you are running on the ASA

2-On the ASA 55225 running 8.6:

     show eigrp events

     capture test interface nameif_interface_connected_to_eigrp_neighbor match eigrp any any

     Finally provide me the show cap test

Any other question...Sure.. Just remember to rate all of the helpful posts

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio!

exactly, if i upgrade to 8.6 i cannot see any neighborship; going to 8.4 goes fine again, without changing anything else.

Your answers:

1 .ASA Version 8.6(1)2

2.

GRPCPDFW01# sh ei eve

Event information for AS 100:  Event log is empty.

GRPCPDFW01# show cap test

26 packets captured

   1: 02:39:02.009658 10.5.1.2 > 10.5.1.3:  ip-proto-88, length 20
   2: 02:39:02.948666 10.5.1.3 > 224.0.0.10:  ip-proto-88, length 40
   3: 02:39:04.224002 10.5.1.1 > 10.5.1.3:  ip-proto-88, length 20
   4: 02:39:07.017073 10.5.1.2 > 10.5.1.3:  ip-proto-88, length 20
   5: 02:39:07.568680 10.5.1.3 > 224.0.0.10:  ip-proto-88, length 40
   6: 02:39:09.223377 10.5.1.1 > 10.5.1.3:  ip-proto-88, length 20
   7: 02:39:12.024428 10.5.1.2 > 10.5.1.3:  ip-proto-88, length 20
   8: 02:39:12.378703 10.5.1.3 > 224.0.0.10:  ip-proto-88, length 40
   9: 02:39:14.222995 10.5.1.1 > 10.5.1.3:  ip-proto-88, length 20
  10: 02:39:16.648693 10.5.1.3 > 224.0.0.10:  ip-proto-88, length 40
  11: 02:39:17.031858 10.5.1.2 > 10.5.1.3:  ip-proto-88, length 20
  12: 02:39:19.222202 10.5.1.1 > 10.5.1.3:  ip-proto-88, length 20
  13: 02:39:21.208714 10.5.1.3 > 224.0.0.10:  ip-proto-88, length 40
  14: 02:39:22.039258 10.5.1.2 > 10.5.1.3:  ip-proto-88, length 20
  15: 02:39:24.221652 10.5.1.1 > 10.5.1.3:  ip-proto-88, length 20
  16: 02:39:26.098719 10.5.1.3 > 224.0.0.10:  ip-proto-88, length 40
  17: 02:39:27.046628 10.5.1.2 > 10.5.1.3:  ip-proto-88, length 20
  18: 02:39:29.221012 10.5.1.1 > 10.5.1.3:  ip-proto-88, length 20
  19: 02:39:30.408700 10.5.1.3 > 224.0.0.10:  ip-proto-88, length 40
  20: 02:39:32.054059 10.5.1.2 > 10.5.1.3:  ip-proto-88, length 20
  21: 02:39:34.220523 10.5.1.1 > 10.5.1.3:  ip-proto-88, length 20
  22: 02:39:34.998666 10.5.1.3 > 224.0.0.10:  ip-proto-88, length 40
  23: 02:39:39.219867 10.5.1.1 > 10.5.1.3:  ip-proto-88, length 20
  24: 02:39:39.818667 10.5.1.3 > 224.0.0.10:  ip-proto-88, length 40
  25: 02:39:39.837618 10.5.1.2 > 10.5.1.3:  ip-proto-88, length 20
  26: 02:39:41.842180 10.5.1.2 > 10.5.1.3:  ip-proto-88, length 20
26 packets shown

About the router conf; i can email it to you, its quite big! lots of objects, etc... any way i put here the basic eigrp conf and interface connecting to other eigrp peers:

router eigrp 100

no auto-summary

network 10.5.1.0 255.255.255.0

network 10.10.1.0 255.255.255.0

network 10.11.1.0 255.255.255.0

network 10.12.1.0 255.255.255.0

network 10.13.1.0 255.255.255.0

network 10.20.1.0 255.255.255.0

network 10.252.1.0 255.255.255.0

network 10.253.1.0 255.255.255.0

network 10.254.1.0 255.255.255.0

network 172.16.150.0 255.255.254.0

redistribute static

interface Management0/0
nameif management
security-level 100
ip address 10.5.1.3 255.255.255.0 standby 10.5.1.4
management-only

thanks!

xavier

Hi

Let me say that im doing the process of upgrading/downgrading on the ASA5510; I cannot do it on the ASA 5525-X because theres no downgrade from 8.6 to 8.4.

thanks

Hello Xavier,

Do the following

cap asp type asp-drop all circular-buffer

interface Management0/0

no managment-only

Then after a few seconds do a show cap asp | include 10.5.1.3

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

hi!

first i got this message:

GRPCPDFW01(config)# interface management 0/0

GRPCPDFW01(config-if)# no management-only

ERROR: It is not allowed to make changes to this option for management interface

on this platform.

after the capture got me this:

GRPCPDFW01# show cap asp | include 10.5.1.3

GRPCPDFW01#

thanks

by the way; ospf runs fine, only eigrp is failing.

Hello Xavier,

Is OSPF also running or is the neigborship being stablished on this interface as well (interface management 0/0)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

hi julio

ospf is running and talking with neighbor; catalyst 3750X, on the same interface:

router ospf 100

router-id 10.5.1.3

network 10.5.1.0 255.255.255.0 area 100

area 100

log-adj-changes

installed today to check if it was working; im redistributing routes also from eigrp to ospf with success.

by the way, the capture showed something:

GRPCPDFW01# show cap asp | include 10.5.1.3

6147: 16:44:24.228351 10.5.1.2 > 10.5.1.3: icmp: redirect 172.20.1.54 to host 10

.5.1.1

6170: 16:44:27.559404 10.5.1.2 > 10.5.1.3: icmp: redirect 172.20.1.54 to host 10

.5.1.1

Hello Xavier,

Please check your inbox ( I just send you a private message)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

installed eigrp on interface g0/0, instead of mgmt0/0; works!

Seems like mgmt0/0 is not able to work with eigrp (but with OSPF!)

Really weird but seems a limitation on mgmt port and eigrp.

xavi

Hello Xavier,

Correct, that is why I asked you to remove the managment-interface keyword on the managment interface( this is not supported on this X plattaforms)

I will review the show run from both devices.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

After playing more with this; seems like from 8.6 release you cannot do any kind of routing with a source on management0/0 iface.

For example, installed the IPS module; linked on management interface; i cant get the ips on that interface to access internet or any other server on other interfaces.(of course, nat and acl are ok)

Is this a new limitation for this interface or a bug?

xavier.

To who can help in the future, saw the official DOC:

Management 0/0 Interface on the ASA 5500-X Series

You manage the ASA through the Management 0/0 interface on the ASA 5512-X through ASA 5555-X models. The Management 0/0 interface has the following characteristics:

No through traffic support

No subinterface support

No priority queue support

No multicast MAC support

The IPS SSP software module and the ASA share the Management 0/0 interface; however, each has its own separate MAC addresses and IP addresses. You must configure the IPS IP address within the IPS operating system. However, you configure physical characteristics (such as enabling the interface) on the ASA.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: