Issue with OSPF running over Cisco ASA

Diabolicus · ‎01-19-2012

Hi,

I am facing an issue with OSPF running over cisco ASA.

I have 2 sites, on both site I have a cisco ASA and a router.

The 2 ASA are connected via a tunnel.

The 2 routers via a leased line.

On all devices I am running OSPF

Normally traffic is going via leased line.

When the leased line goes down, traffic is redirect via the tunnel.

When the leased line back up, traffic is still going via the tunnel and in order to send it back to the leased line I have to clear manually all connections on both firewall.

Is this a normal behaviour or is most likely a mistake in the configuration? How can I eventually solve it?

Thank you

mvsheik123 · ‎01-19-2012

Traffic should fall back to leased line when it backup. Did you check your route statements ? Please post related configs.

Thx

MS

Diabolicus · ‎01-20-2012

Hi MS,

On both firewalls I have a default route that point to the tunnel

S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside

I need to send only traffic coming from specific vlans via the leased line, the rest is still going via the tunnel.

I configured therefore OSPF like this on the F2

router ospf 1

router-id 2.2.2.2

network 172.16.0.16 255.255.255.248 area 0 <<<

area 0 authentication message-digest

log-adj-changes

redistribute connected subnets route-map ADVERTISE

route-map ADVERTISE permit 10

match ip address PREFIXES

access-list PREFIXES standard permit 10.10.223.0 255.255.255.0 <<<

access-list PREFIXES standard permit 10.10.224.0 255.255.255.0 <<<

access-list PREFIXES standard permit 10.10.225.0 255.255.255.0 <<<

On R2 I have

router ospf 1

router-id 1.1.1.1

log-adjacency-changes

area 0 authentication message-digest

passive-interface default

no passive-interface GigabitEthernet0/0.10 <<

no passive-interface GigabitEthernet0/1.11 << link to F2

network 172.16.0.8 0.0.0.7 area 0 <<

network 172.16.0.16 0.0.0.7 area 0 <<

Similar configuration for F1 and R1

In case leased line fail and then back up,traffic is still taking the default route and I need to run on BOTH firewalls:

Fw#clear conn

to make it working as desidered.

Thank you for your reply anyway

mvsheik123 · ‎01-20-2012

I guess when you 'redistribute connected subnets' without any metri-type ospf uses default metric (20 if I remember correct) which forces. Can you check the routing tables on the routers and try tweaking the metric in 'redistribute' command. That will fix it.

hth

MS

Diabolicus · ‎07-04-2012

Hi , it seems that there is no solution to this.

In fact the problem is that cisco ASA keep existing connections working on a link until interface will go down.

So , new connections will be redirect via the leased line, but old connection will stay on the back up unless cleared manually. Hope this is useful

Janardhan Meesala · ‎07-04-2012

HI Salvatore,

My suggestion is, it is better to configure ISP failover in ASA with interface tracking. Whenever the Leased line goes down then automatically its uses through the VPN( here i am assuming you are using two coneections, one is leased line and another one is normal internet line.)

Finally, Somewhere i studied that IPSec VPN will neve pass multicast and broadcast traffic over the tunnel. So OSPF will not work through the VPN tunnel as it will do multicast the ospf packets.

Regards,

Janardhan