11-28-2023 03:55 AM
Hi There,
Currently, I'm testing OSPF on the ASA firewall. Below is the topology I'm working on.
Both areas 1 and 2 have been set up as stub areas. On R5 I'm able to see the OSPF ECMP 0.0.0.0/0 routes towards R2 and R3. But the ASA is showing only one 0.0.0.0/0 route, towards one ABR only.
ciscoasa# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.10.12.2 to network 0.0.0.0
O*IA 0.0.0.0 0.0.0.0 [110/11] via 10.10.12.2, 00:01:16, uplink2
C 1.1.1.0 255.255.255.0 is directly connected, lan
L 1.1.1.1 255.255.255.255 is directly connected, lan
O 3.3.3.3 255.255.255.255 [110/11] via 10.10.13.3, 03:14:36, uplink1
C 10.10.12.0 255.255.255.0 is directly connected, uplink2
L 10.10.12.1 255.255.255.255 is directly connected, uplink2
C 10.10.13.0 255.255.255.0 is directly connected, uplink1
L 10.10.13.1 255.255.255.255 is directly connected, uplink1
ciscoasa# sh ospf database
OSPF Router with ID (10.10.10.10) (Process ID 1)
Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
2.2.2.2 2.2.2.2 1825 0x8000003d 0x5545 1
3.3.3.3 3.3.3.3 1925 0x8000003f 0xea84 2
10.10.10.10 10.10.10.10 1695 0x80000041 0xe4f6 3
Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
10.10.12.2 2.2.2.2 1825 0x8000003a 0xb5f2
10.10.13.3 3.3.3.3 1925 0x80000016 0xecd5
Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
0.0.0.0 2.2.2.2 1825 0x80000039 0x 5f8
0.0.0.0 3.3.3.3 76 0x8000003c 0xe016
ciscoasa# sh ospf database summary
OSPF Router with ID (10.10.10.10) (Process ID 1)
Summary Net Link States (Area 1)
Routing Bit Set on this LSA
LS age: 1832
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 0.0.0.0 (summary Network Number)
Advertising Router: 2.2.2.2
LS Seq Number: 80000039
Checksum: 0x5f8
Length: 28
Network Mask:0.0.0.0
TOS: 0 Metric: 1
Routing Bit Set on this LSA
LS age: 84
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 0.0.0.0 (summary Network Number)
Advertising Router: 3.3.3.3
LS Seq Number: 8000003c
Checksum: 0xe016
Length: 28
Network Mask:0.0.0.0
TOS: 0 Metric: 1
ciscoasa#
The OSPF database contains two default routes. Is this expected behavior?
Thanks in advance.
11-28-2023 06:16 AM
9.12 must support ECMP.
But there are also limitations.
The ASA without zones cannot add the same destination through multiple interfaces.
You need to add zone routing to make the ASA accept IGP ECMP through multiple interfaces.
Check link below for more information.
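As an added example (not code from the thread, from the answerer, or from Cisco), here is a small Python script that reads the two outputs the original post quotes, `show route` and `show ospf database summary`, and flags prefixes for which the LSDB holds more equal-cost Summary LSAs than the RIB has installed paths, which is exactly the symptom MHM Cisco World attributes to running without traffic zones. The sample strings are trimmed copies of the thread's own outputs; the second "after zones" route table with a continuation line, the regexes and all function names are my assumptions about the output format and are not shown anywhere in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the 'show route' output quoted in the
# thread, where only one of the two equal-cost default routes is installed.
SHOW_ROUTE_SINGLE = """\
Gateway of last resort is 10.10.12.2 to network 0.0.0.0
O*IA 0.0.0.0 0.0.0.0 [110/11] via 10.10.12.2, 00:01:16, uplink2
C 1.1.1.0 255.255.255.0 is directly connected, lan
O 3.3.3.3 255.255.255.255 [110/11] via 10.10.13.3, 03:14:36, uplink1
C 10.10.12.0 255.255.255.0 is directly connected, uplink2
C 10.10.13.0 255.255.255.0 is directly connected, uplink1
"""

# Constructed sample (assumption, not from the thread): the same table once
# both paths are installed; the extra path is printed on a continuation line
# that starts with the [AD/metric] field.
SHOW_ROUTE_ECMP = """\
Gateway of last resort is 10.10.12.2 to network 0.0.0.0
O*IA 0.0.0.0 0.0.0.0 [110/11] via 10.10.12.2, 00:00:09, uplink2
                     [110/11] via 10.10.13.3, 00:00:09, uplink1
O 3.3.3.3 255.255.255.255 [110/11] via 10.10.13.3, 03:14:36, uplink1
"""

# Constructed sample: the thread's 'show ospf database summary' output,
# reduced to the fields this script reads.
SHOW_OSPF_DB_SUMMARY = """\
OSPF Router with ID (10.10.10.10) (Process ID 1)
Summary Net Link States (Area 1)
LS Type: Summary Links(Network)
Link State ID: 0.0.0.0 (summary Network Number)
Advertising Router: 2.2.2.2
Network Mask:0.0.0.0
TOS: 0 Metric: 1
LS Type: Summary Links(Network)
Link State ID: 0.0.0.0 (summary Network Number)
Advertising Router: 3.3.3.3
Network Mask:0.0.0.0
TOS: 0 Metric: 1
"""

IP = r"\d+\.\d+\.\d+\.\d+"
PATH = r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>" + IP + r"),.*,\s*(?P<intf>\S+)$"
ROUTE_RE = re.compile(r"^(?P<code>\S+)\s+(?P<prefix>" + IP + r")\s+(?P<mask>" + IP + r")\s+" + PATH)
CONT_RE = re.compile(r"^" + PATH)


def parse_show_route(text):
    """Map (prefix, mask) -> list of (metric, next_hop, interface) installed paths."""
    rib = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            current = (m.group("prefix"), m.group("mask"))
        else:
            m = CONT_RE.match(line)
            if not m or current is None:
                continue  # headers and connected/local routes carry no via-path
        rib[current].append((int(m.group("metric")), m.group("nh"), m.group("intf")))
    return dict(rib)


def parse_summary_lsas(text):
    """Map (link_state_id, mask) -> {advertising_router: metric} for Type-3 LSAs."""
    lsas = defaultdict(dict)
    cur = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pat in (("lsid", r"Link State ID:\s*(\S+)"),
                         ("adv", r"Advertising Router:\s*(\S+)"),
                         ("mask", r"Network Mask:\s*(\S+)")):
            m = re.match(pat, line)
            if m:
                cur[key] = m.group(1)
        m = re.search(r"Metric:\s*(\d+)", line)
        if m and line.startswith("TOS:"):
            # the TOS/Metric line is the last field of one LSA entry
            lsas[(cur["lsid"], cur["mask"])][cur["adv"]] = int(m.group(1))
            cur = {}
    return dict(lsas)


def find_uninstalled_ecmp(rib, lsdb):
    """Prefixes whose LSDB has more best-metric advertisers than the RIB has paths.

    Assumption: the cost from this router to every advertising ABR is equal, as in
    the thread (both candidates show [110/11]); otherwise compare total cost."""
    findings = []
    for key, advertisers in lsdb.items():
        best = min(advertisers.values())
        candidates = sorted(r for r, met in advertisers.items() if met == best)
        installed = rib.get(key, [])
        if len(candidates) > len(installed):
            findings.append({"prefix": key[0], "mask": key[1],
                             "advertisers": candidates,
                             "installed_via": [p[1] for p in installed]})
    return findings


def report(route_text, lsdb_text):
    """Human-readable lines; an empty list means RIB and LSDB agree on ECMP."""
    lines = []
    for f in find_uninstalled_ecmp(parse_show_route(route_text), parse_summary_lsas(lsdb_text)):
        lines.append("%s %s: %d equal-cost Summary LSAs (from %s) but %d path(s) in RIB (via %s)"
                     % (f["prefix"], f["mask"], len(f["advertisers"]), ", ".join(f["advertisers"]),
                        len(f["installed_via"]), ", ".join(f["installed_via"]) or "none"))
    return lines


if __name__ == "__main__":
    print("before zones:", report(SHOW_ROUTE_SINGLE, SHOW_OSPF_DB_SUMMARY))
    print("after zones: ", report(SHOW_ROUTE_ECMP, SHOW_OSPF_DB_SUMMARY))
```

Against the thread's outputs the first call reports one finding (two Summary LSAs for 0.0.0.0/0 from 2.2.2.2 and 3.3.3.3, one RIB path via 10.10.12.2); against the constructed two-path table it reports nothing. The script only confirms whether the RIB reflects the LSDB, before and after a change; it says nothing about whether traffic zones are appropriate for a given firewall, which is the point of the PAT and VPN caveats further down the thread.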
11-28-2023 04:04 AM
The ASA receives two OSPF ECMP default routes, but it uses only one in the RIB.
It's an ASA limitation; it doesn't support ECMP.
New ASA versions support it. Which version is your ASA?
MHM
11-28-2023 04:10 AM
Thank you for the response.
We are running on version 9.12(4).
May I know whether there is any document to confirm from which version this feature is supported?
11-29-2023 03:04 AM
Thank you @MHM Cisco World. I have enabled the zone in my lab and now I'm able to see the ECMP routes.
If we enable this feature in the production network, do we need to amend the firewall rules from interface to zone?
11-29-2023 06:06 AM - edited 11-29-2023 06:07 AM
Zone is more than configuring ACLs.
There are many, many restrictions; that is why it is so rarely used.
Some, not all, restrictions:
It has restrictions for PAT.
It has restrictions for VPN.
And more.
Check the guide I shared; do a lab test before applying it for real.
Good luck, friend.
MHM
11-29-2023 07:47 AM
Thank you @MHM Cisco World for your valuable input
Cheers