07-17-2017 12:50 PM - edited 03-12-2019 02:42 AM
I had a funny issue come up recently. I replaced a single ASA 5510 firewall with an active/standby pair of new ASA 5516-x's. On that LAN the ASA(s) peer EIGRP with both the core switch stack and the local WAN router. Nothing fancy. The only thing unusual about the EIGRP configuration on the firewall is that it has a redistribute route map for reverse route injection.
EIGRP works fine except when I fail over the stack. When active/standby roles swap, the primary ASA (the one that becomes primary) loses its neighbor relationship with both the core switch stack and the WAN router and will not re-establish. (I waited 20-30 minutes in testing and the neighbor sessions didn't re-establish so I'm pretty sure it's not some timeout thing.) Similarly, the "clear eigrp neighbors" command doesn't do anything. A "show eigrp neighbors" command still shows a blank neighbor list, and the ASA doesn't learn any routes.
The only thing that brings it back is to blow away the eigrp configuration (clear configure router eigrp) and then reload the eigrp configuration. Once I do that it syncs right up. But then the next time it fails I get the same thing.
I'm aware of the thing where the secondary unit doesn't peer EIGRP in an active/standby failover pair. That's not what this is. This is a case where immediately after a failover neither the primary nor the secondary will peer.
I initially had the pair running on the 9.6(3)-1 code. Thinking it might be a code bug I tried 9.4(4)-5, but found the same thing.
Has anyone else seen this or know what might be wrong? I know that conceptually the idea of running EIGRP in an active/standby pair is fine. I have another customer where I do it with a pair of 5515-x's and it works fine. The only differences there are that there's no redistributed route map and they are running on 9.2(4).
Thanks,
Ben
07-18-2017 12:29 PM
Hi Ben,
Have you tried to enable the debugs when the active/standby roles swapped? If not, can you enable the EIGRP debugs on the switch and the ASA to see what is happening?
07-18-2017 12:31 PM
I did try that but nothing showed up in the debug logs.
10-27-2017 07:36 AM
I hit the same issue and knew it was a bug but had no luck finding it.
Opened a TAC case - and they found this. The workaround worked for me.