03-19-2019 04:18 AM
Hi, I am trying to use EIGRP on the Cisco ASA in a simple setup (see diagram below).
The link between sw1 and sw2 is just a trunk (allowing all the VLANs).
The link between sw2 and the ASA is a layer 3 link.
Two SVIs are created on sw1.
===============================================
hostname sw1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone EET 2 0
!
ip cef
!
!
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet0/1
duplex auto
!
interface Ethernet0/2
duplex auto
!
interface Ethernet0/3
duplex auto
!
interface Vlan202
ip address 192.168.1.1 255.255.255.0
!
interface Vlan203
ip address 192.168.2.1 255.255.255.0
!
!
router eigrp 10
network 192.168.0.0 0.0.255.255
!
!
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
end
====================================================================
hostname sw2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone EET 2 0
!
ip cef
!
!
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet0/1
switchport access vlan 203
duplex auto
!
interface Ethernet0/2
duplex auto
!
interface Ethernet0/3
duplex auto
!
!
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
end
======================================================================
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
!
router eigrp 10
network 192.168.0.0 255.255.0.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2909b4530ac7da987c55507885401501
: end
==================================================================
Once the EIGRP neighbor forms, it keeps going up and down. I tried to allow ip any any and allow eigrp on the ASA, but that doesn't make any difference (see output below).
=======================================================================================
sw1#
*Mar 19 11:07:50.275: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
sw1#
*Mar 19 11:07:53.931: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
sw1#
*Mar 19 11:08:09.183: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
sw1#
*Mar 19 11:08:13.554: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
sw1#
*Mar 19 11:08:28.858: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
sw1#
*Mar 19 11:08:31.803: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
sw1#
*Mar 19 11:08:47.050: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
sw1#
*Mar 19 11:08:50.927: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
sw1#
*Mar 19 11:09:06.179: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
sw1#
*Mar 19 11:09:09.520: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
sw1#
*Mar 19 11:09:24.771: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
sw1#
*Mar 19 11:09:28.100: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
sw1#
*Mar 19 11:09:43.359: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
sw1#
*Mar 19 11:09:46.889: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
sw1#
*Mar 19 11:10:02.128: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
sw1#
*Mar 19 11:10:04.616: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
sw1#
*Mar 19 11:10:19.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
sw1#
*Mar 19 11:10:22.865: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
sw1#
*Mar 19 11:10:38.099: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
sw1#
========================================================================================
I debugged the EIGRP hello packets on the ASA, and it looks like it's receiving a termination from its peer (which is sw1).
==============================================================================
ASA(config)# EIGRP: Sending HELLO on Ethernet1
AS 655361, Flags 0x0, Seq 0/0 interfaceQ 0/1 iidbQ un/rely 0/0
EIGRP: Received HELLO on Ethernet1 nbr 192.168.2.1
AS 655361, Flags 0x0, Seq 0/0 interfaceQ 0/0
EIGRP: Sending HELLO on Ethernet1
AS 655361, Flags 0x0, Seq 0/0 interfaceQ 0/1 iidbQ un/rely 0/1
EIGRP(0:10): Processing incoming UPDATE packet
EIGRP-IPv4(Default-IP-Routing-Table:10): route installed for 192.168.1.0 ()
EIGRP: Received HELLO on Ethernet1 nbr 192.168.2.1
AS 655361, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
EIGRP: Received HELLO on Ethernet1 nbr 192.168.2.1
AS 655361, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
EIGRP: Received HELLO on Ethernet1 nbr 192.168.2.1
AS 655361, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
EIGRP: Received HELLO on Ethernet1 nbr 192.168.2.1
AS 655361, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Interface PEER-TERMINATION received
=====================================================================
Any idea what's causing this? Thanks in advance.
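An added example, not part of the original post: a Python sketch that parses the `%DUAL-5-NBRCHANGE` lines above and measures how long each adjacency stayed up. With the first seven log lines from sw1 as input, every adjacency lasts about 15 seconds, the EIGRP default hold time on LAN interfaces, which is consistent with sw1 hearing nothing further from 192.168.2.2 once the adjacency forms. The function names, the `year` parameter and the thresholds are assumptions made for this illustration.

```python
import re
from datetime import datetime

# First seven NBRCHANGE lines from the sw1 output in the post above.
SAMPLE = """\
sw1#
*Mar 19 11:07:50.275: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
*Mar 19 11:07:53.931: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
*Mar 19 11:08:09.183: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
*Mar 19 11:08:13.554: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
*Mar 19 11:08:28.858: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
*Mar 19 11:08:31.803: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is up: new adjacency
*Mar 19 11:08:47.050: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.2.2 (Vlan203) is down: holding time expired
"""

LINE = re.compile(
    r"\*(?P<ts>\w{3} +\d+ [\d:.]+): %DUAL-5-NBRCHANGE: EIGRP-IPv4 \d+: "
    r"Neighbor (?P<nbr>\S+) \((?P<intf>[^)]+)\) is (?P<state>up|down): (?P<why>.+)")

def adjacency_lifetimes(text, year=2019):
    """Map (neighbor, interface) -> [(seconds the adjacency stayed up, down reason)]."""
    up_since, runs = {}, {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # CLI prompts and unrelated messages
        # IOS timestamps carry no year; `year` is an assumed parameter.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        key = (m["nbr"], m["intf"])
        if m["state"] == "up":
            up_since[key] = ts
        elif key in up_since:  # ignore a "down" whose "up" was not captured
            secs = (ts - up_since.pop(key)).total_seconds()
            runs.setdefault(key, []).append((secs, m["why"].strip()))
    return runs

def hold_timer_flaps(text, hold=15.0, tolerance=1.0, min_flaps=3):
    """Neighbors whose adjacencies all expired about one hold interval after forming."""
    return sorted(
        key for key, runs in adjacency_lifetimes(text).items()
        if len(runs) >= min_flaps
        and all(why == "holding time expired" and abs(secs - hold) <= tolerance
                for secs, why in runs))

if __name__ == "__main__":
    for key in hold_timer_flaps(SAMPLE):
        print(key, [round(s, 3) for s, _ in adjacency_lifetimes(SAMPLE)[key]])
```
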
03-19-2019 06:14 AM
03-19-2019 09:22 AM
Any thoughts, guys? Thanks.
03-19-2019 11:48 AM
03-20-2019 02:14 AM
Hi, thanks llkin.
This is in the EVE virtual environment. I have tried disabling IGMP globally on sw2 and also on VLAN 203, but that didn't make any difference. Any other thoughts? Thanks in advance.
03-21-2019 07:28 AM
03-22-2019 12:20 PM
Are you able to ping 192.168.2.1 from the ASA?
If you can reach it with no issues, try adding an access list to the inside interface permitting EIGRP or IP traffic.
access-list eigrptest extended permit eigrp any any
access-group eigrptest in interface inside
Hope this helps.
03-25-2019 05:18 AM
03-26-2019 12:26 AM
03-26-2019 01:46 AM
Hi,
Remove SW2 and try again; I hope that will work. I once faced the same issue with GNS3, but after restarting the GNS3 project my issue was fixed. But I hope you have already tested restarting the project, so remove switch2.
Regards,
Deepak Kumar