Solved: Multiple context - EIGRP between shared interfaces

Rolando Valenzuela · ‎12-11-2017

Not sure if I should be posting on the firewall or routing section, but here it goes.

I have multiple routers and one firewalls with two context ruining on the same subnet with EIGRP enabled, everything is working between routers and firewalls, the problem is between the firewall itself, one context cannot see the other and I dont have idea of how to troubleshooting.

######## CONTEXT 1

interface Port-channel13.101
 nameif transit
 security-level 0
 ip address 10.10.101.36 255.255.255.0 standby 10.10.101.37
!
router eigrp 100
 eigrp router-id 10.10.101.36
 network 10.10.101.36 255.255.255.255
 passive-interface default
 no passive-interface transit
 redistribute connected

######## CONTEXT 2

interface Port-channel13.101
 nameif transit
 security-level 0
 ip address 10.10.101.38 255.255.255.0 standby 10.10.101.39
!
router eigrp 100
 eigrp router-id 10.10.101.38
 network 10.10.101.38 255.255.255.255
 passive-interface default
 no passive-interface transit
 redistribute connected
!

Marvin Rhoads · ‎12-15-2017

Sorry, but "EIGRP instances cannot form adjacencies with each other across shared interfaces because inter-context exchange of multicast traffic is not supported."

The configuration guide mentions it here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/route-eigrp.html#ID-2179-0000001b

View solution in original post

Bogdan Nita · ‎12-12-2017

It gather form your description that EIGRP neighborship between the contexts is not forming.

Following commands would be useful to further troubleshoot:

show eigrp neighbors
debug eigrp neighbors

You could also capture the EIGRP packets:

capture CAP match eigrp

Rolando Valenzuela · ‎12-12-2017

You are correct Bogdan,

The problem is between the contexts, in fact I tried all those commands before starting this thread, and I dont get anything on the debug.

The capture shows traffic going to the multicast address 224.0.0.10, but the source is never the other context :(

Francesco Molino · ‎12-12-2017

Hi,

Don't have any physical boxes right now to do some tests only vm...

Have you tried using the neighbor command to force unicast messages instead of multicast?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Bogdan Nita · ‎12-13-2017

It seems that the eigrp hello messages from one context are not reaching the other.

Are you able to see the messages going out ?

According to your config I would expect to see on the first context eigrp hello messages sent form 10.10.101.36 to 224.0.0.10 and on the second context from 10.10.101.38 to 224.0.0.10.

Rolando Valenzuela · ‎12-13-2017

@Francesco Molino I haven't fully tested it. because when I tried that all the dynamic neighbors when down so I decided to play with that during non-businnes hours and I havent schedule the window.

@Bogdan Nita I do see the traffic going out form the context itself, I do not see the traffic of the other context tho.

kcinf-fw5585x/brazil# show capture CAP

5469 packets captured

   1: 09:54:06.475622       802.1Q vlan#101 P0 10.10.101.19 > 224.0.0.10: ip-proto-88, length 40
   2: 09:54:06.527804       802.1Q vlan#101 P0 10.10.101.38 > 224.0.0.10: ip-proto-88, length 40
   3: 09:54:06.648510       802.1Q vlan#101 P0 10.10.101.4 > 224.0.0.10: ip-proto-88, length 40
   4: 09:54:06.811206       802.1Q vlan#101 P0 10.10.101.17 > 224.0.0.10: ip-proto-88, length 40
   5: 09:54:07.253206       802.1Q vlan#101 P0 10.10.101.5 > 224.0.0.10: ip-proto-88, length 40
   6: 09:54:07.711221       802.1Q vlan#101 P0 10.10.101.30 > 224.0.0.10: ip-proto-88, length 40
   7: 09:54:09.157874       802.1Q vlan#101 P0 10.10.101.15 > 224.0.0.10: ip-proto-88, length 40
   8: 09:54:10.186239       802.1Q vlan#101 P0 10.10.101.8 > 224.0.0.10: ip-proto-88, length 40
   9: 09:54:11.093424       802.1Q vlan#101 P0 10.10.101.19 > 224.0.0.10: ip-proto-88, length 40
10: 09:54:11.153342       802.1Q vlan#101 P0 10.10.101.4 > 224.0.0.10: ip-proto-88, length 40
11: 09:54:11.427986       802.1Q vlan#101 P0 10.10.101.38 > 224.0.0.10: ip-proto-88, length 40
12: 09:54:11.439384       802.1Q vlan#101 P0 10.10.101.17 > 224.0.0.10: ip-proto-88, length 40

Bogdan Nita · ‎12-15-2017

Looks like you can't form adjacencies between contexts:

EIGRP instances cannot form adjacencies with each other across shared interfaces because inter-context exchange of multicast traffic is not supported.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/route_eigrp.html

Specifying the neighbors , as @Francesco Molino suggested will establish EIGRP neighbors using unicast and therefore should work.

I presume you are using Port-channel13.101 to connect to the routers as well, in which case you will need to specify all the neighbors.

Marvin Rhoads · ‎12-15-2017

Sorry, but "EIGRP instances cannot form adjacencies with each other across shared interfaces because inter-context exchange of multicast traffic is not supported."

The configuration guide mentions it here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/route-eigrp.html#ID-2179-0000001b

Rolando Valenzuela · ‎12-19-2017

Very unfortunate :(

Thanks for the information Marvin!!

Regards.

Rolando A. Valenzuela

Bogdan Nita · ‎12-19-2017

Did you try to use neighbor command ?

I think it should work, but I do not have a physical box to play with.

Rolando Valenzuela · ‎12-20-2017

They forced a freeze at work and I haven't been able to test, we are going to retire an old 5585 in a couple of days and lab it with it, but it will take time, what I'm doing is advertising a summary route from the router that is in the middle and that way both context can talk.

Rolando A. Valenzuela