Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1607
Views
0
Helpful
5
Replies

Issue with OSPF running over Cisco ASA

Diabolicus
Level 1
Level 1

‎01-19-2012 08:06 AM - edited ‎03-11-2019 03:16 PM

Hi,

I am facing an issue with OSPF running over cisco ASA.

I have 2 sites, on both site I have a cisco ASA and a router.

The 2 ASA are connected via a tunnel.

The 2 routers via a leased line.

On all devices I am running OSPF

Normally traffic is going via leased line.

When the leased line goes down, traffic is redirect via the tunnel.

When the leased line back up, traffic is still going via the tunnel and  in order to send it back to the leased line I have to clear manually all connections on both firewall.

Is this a normal behaviour or is most likely a mistake in the configuration? How can I eventually solve it?

Thank you

Labels:
120890-topology.jpg
Preview file
27 KB
0 Helpful
5 Replies 5

mvsheik123
Level 7
Level 7

‎01-19-2012 08:16 PM

Traffic should fall back to leased line when it backup. Did you check your route statements ? Please post related configs.

Thx

MS

0 Helpful

Diabolicus
Level 1
Level 1
In response to mvsheik123

‎01-20-2012 03:24 AM

Hi MS,

On both firewalls I have a default route that point to the tunnel

S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside

I need to send only traffic coming from specific vlans via the leased line, the rest is still going via the tunnel.

I configured therefore OSPF like this on the F2

router ospf 1       

router-id 2.2.2.2       

network 172.16.0.16 255.255.255.248 area 0        <<<

area 0 authentication message-digest       

log-adj-changes       

redistribute connected subnets route-map ADVERTISE   

route-map ADVERTISE permit 10   

match ip address PREFIXES   

access-list PREFIXES standard permit 10.10.223.0 255.255.255.0    <<<

access-list PREFIXES standard permit 10.10.224.0 255.255.255.0    <<<

access-list PREFIXES standard permit 10.10.225.0 255.255.255.0    <<<

On R2 I have

router ospf 1

router-id 1.1.1.1

log-adjacency-changes

area 0 authentication message-digest

passive-interface default

no passive-interface GigabitEthernet0/0.10 <<

no passive-interface GigabitEthernet0/1.11 << link to F2

network 172.16.0.8 0.0.0.7 area 0 <<

network 172.16.0.16 0.0.0.7 area 0 <<

Similar configuration for F1 and R1

In case leased line fail and then back up,traffic is still taking the default route and I need to run on BOTH firewalls:

Fw#clear conn

to make it working as desidered.

Thank you for your reply anyway

0 Helpful

mvsheik123
Level 7
Level 7
In response to Diabolicus

‎01-20-2012 04:49 AM

I guess when you 'redistribute connected subnets' without any metri-type ospf uses default metric (20 if I remember correct) which forces. Can you check the routing tables on the routers and try tweaking the metric in 'redistribute' command. That will fix it.

hth

MS

0 Helpful

Diabolicus
Level 1
Level 1
In response to mvsheik123

‎07-04-2012 06:29 AM

Hi , it seems that there is no solution to this.

In fact the problem is that cisco ASA keep existing connections working on a link until interface will go down.

So , new connections will be redirect via the leased line, but old connection will stay on the back up unless cleared manually. Hope this is useful

0 Helpful

Janardhan Meesala
Level 1
Level 1
In response to Diabolicus

‎07-04-2012 06:54 AM

HI Salvatore,

My suggestion is, it is better to configure ISP failover in ASA with interface tracking. Whenever the Leased line goes down then automatically its uses through the VPN( here  i am assuming you are using two coneections, one is leased line and another one is normal internet line.)

Finally, Somewhere i studied that IPSec VPN will neve pass multicast and broadcast traffic over the tunnel. So OSPF will not work through the VPN tunnel as it will do multicast the ospf packets.

Regards,

Janardhan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top