05-08-2024 10:18 AM
Hi Cisco,
I am using the topology below in my lab, where an ASA in multiple context mode (contexts C1 and C2 sharing the same physical interface, in different VLANs via sub-interfaces) is not able to establish EIGRP neighborship with 2 Cisco routers (point to point). However, the ASA can ping both routers.
##############ASA Configuration#####################
ASA(config)# sh run context
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
allocate-interface Ethernet1.1 inside_c1
config-url disk0:/c1.cfg
!
context c2
allocate-interface Ethernet1.2 inside_c2
config-url disk0:/c2.cfg
!
########### ASA context C1 configuration ###############
!
interface inside_c1
nameif inside
security-level 100
ip address 10.10.10.10 255.0.0.0
!
!
router eigrp 100
network 10.0.0.0 255.0.0.0
!
##################R1#######################
!
interface GigabitEthernet0/0
ip address 10.10.10.100 255.0.0.0
duplex auto
speed auto
media-type rj45
!
router eigrp 100
network 10.0.0.0
network 17.0.0.0 0.0.0.255
=================ASA context 2========================
!
interface inside_c2
nameif inside
security-level 100
ip address 11.11.11.11 255.0.0.0
hello-interval eigrp 2 12
hold-time eigrp 2 12
!
mtu inside 1500
!
router eigrp 2
neighbor 11.11.11.100 interface inside
network 11.0.0.0 255.0.0.0
!
Note: tried both options by specifying the neighbour IP address.
=================== R2==================
!
interface GigabitEthernet0/0
ip address 11.11.11.100 255.0.0.0
ip hello-interval eigrp 2 12
ip hold-time eigrp 2 12
duplex auto
speed auto
media-type rj45
!
router eigrp 2
network 11.0.0.0
neighbor 11.11.11.11 GigabitEthernet0/0
!
================= Troubleshooting done so far ===============
=====================error logs============================
*May 8 17:52:30.288: %DUAL-5-NBRCHANGE: EIGRP-IPv4 2: Neighbor 11.11.11.11 (GigabitEthernet0/0) is up: new adjacency
*May 8 17:52:30.318: EIGRP-IPv4(2): table(default): 11.0.0.0/8 - do advertise out GigabitEthernet0/0
*May 8 17:52:30.328: EIGRP-IPv4(2): table(default): 11.0.0.0/8 - do advertise out GigabitEthernet0/0
*May 8 17:50:00.968: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.10.10 (GigabitEthernet0/0) is down: holding time expired
*May 8 17:50:05.345: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.10.10 (GigabitEthernet0/0) is up: new adjacency
####################ping results##########################
ASA/c2(config)# ping 11.11.11.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA/c1(config)# ping 10.10.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
##################### EIGRP flapping ###############
ASA/c1(config)# show eigrp neighbors
EIGRP-IPv4 neighbors for process 100
ASA/c1(config)# show eigrp neighbors
EIGRP-IPv4 neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.10.10.100 inside 14 00:00:00 1 2000 2 2241
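A small summarizer for the `%DUAL-5-NBRCHANGE` messages quoted in the post above, added here as an example and not part of the original thread: it counts up/down transitions per neighbor and measures how long each adjacency lasted before it dropped. Two of the sample lines are constructed, and the year is an assumption because the log timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# NBRCHANGE lines from the post; the 17:50:20 and 17:50:24 lines are constructed
# so that one neighbor shows a complete up -> down cycle.
SAMPLE = """\
*May 8 17:50:00.968: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.10.10 (GigabitEthernet0/0) is down: holding time expired
*May 8 17:50:05.345: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.10.10 (GigabitEthernet0/0) is up: new adjacency
*May 8 17:50:20.345: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.10.10 (GigabitEthernet0/0) is down: holding time expired
*May 8 17:50:24.845: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.10.10 (GigabitEthernet0/0) is up: new adjacency
*May 8 17:52:30.288: %DUAL-5-NBRCHANGE: EIGRP-IPv4 2: Neighbor 11.11.11.11 (GigabitEthernet0/0) is up: new adjacency
*May 8 17:52:30.318: EIGRP-IPv4(2): table(default): 11.0.0.0/8 - do advertise out GigabitEthernet0/0
"""

NBRCHANGE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): %DUAL-5-NBRCHANGE: "
    r"EIGRP-IPv4 (?P<asn>\d+): Neighbor (?P<nbr>\S+) \((?P<intf>[^)]+)\) "
    r"is (?P<state>up|down): (?P<reason>.+)$"
)

def summarize(log_text, year=2024):
    """Per (AS, neighbor): up/down counts, down reasons, and uptimes in seconds
    of adjacencies that formed and then dropped inside the log."""
    events = []
    for line in log_text.splitlines():
        m = NBRCHANGE.match(line.strip())
        if m:  # non-NBRCHANGE debug lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, int(m["asn"]), m["nbr"], m["state"], m["reason"]))
    stats = defaultdict(lambda: {"up": 0, "down": 0, "reasons": set(), "uptimes": []})
    last_up = {}
    for ts, asn, nbr, state, reason in sorted(events):
        key, s = (asn, nbr), stats[(asn, nbr)]
        s[state] += 1
        if state == "up":
            last_up[key] = ts
        else:
            s["reasons"].add(reason)
            if key in last_up:  # only measure adjacencies whose start was logged
                s["uptimes"].append((ts - last_up.pop(key)).total_seconds())
    return dict(stats)

def flapping(stats, min_downs=2):
    """Neighbors that went down at least min_downs times in the log."""
    return sorted(k for k, s in stats.items() if s["down"] >= min_downs)

if __name__ == "__main__":
    for (asn, nbr), s in summarize(SAMPLE).items():
        print(f"AS {asn} {nbr}: up={s['up']} down={s['down']} "
              f"uptimes={s['uptimes']} reasons={sorted(s['reasons'])}")
```
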
05-08-2024 10:25 AM
Is this a bug in my lab?
05-08-2024 10:37 AM
https://ipwithease.com/configuring-multiple-context-mode-in-cisco-asa/
You need to use a VLAN with the interface to make the ASA send the correct EIGRP to the correct peer using the correct VLAN tag.
Or you can use two links to the SW, each one connected to a specific VLAN, instead of using a trunk.
MHM
05-08-2024 01:44 PM
Yep, in the system context the sub-interfaces are mapped to the VLAN.
!
int e1
no sh
!
int e1.1
vlan 10
int e1.2
vlan 20
!
!
context c1
allocate-interface Ethernet1.1 inside_c1
config-url disk0:/c1.cfg
!
context c2
allocate-interface Ethernet1.2 inside_c2
config-url disk0:/c2.cfg
!
05-08-2024 01:52 PM
Just don't use a trunk.
Use one interface for each context.
And on the SW, this interface will connect to the SW with the correct VLAN.
MHM
05-09-2024 01:15 AM
I think physical will work, but I was wondering what's wrong with the virtual / sub-interfaces. I have a feeling there is something wrong in my lab setup. Thanks for your response, much appreciated.
I am sure I did try something similar in the past.
05-09-2024 01:26 AM
OK, let's check what the issue is.
show interface trunk <- on the SW
Share
show ip eigrp interfaces detail
on both routers
MHM
05-09-2024 07:37 AM
05-11-2024 04:13 AM
I ran a lab, not multi-context, and I see the same flapping issue on one router.
The solution was:
configure EIGRP first on the router,
then configure EIGRP on the ASA.
Note: in your case, on the R2 interface g0/0 there are zero peers, so it never sees the ASA.
Do the above workaround.
MHM
05-12-2024 05:25 AM
As I remember, the last I tried was ASA 9.1 (which is available for lab with multi-context), which did not work, so that is a limitation, I guess.
I even tried interface and port-channel sub-interfaces; that did not work for me.
Real hardware from 9.8 onwards works as per the document:
Also check some limitations: