I have two Nexus 7010's in a VPC domain (single VDC) with two 10gb Peerlinks between the two.

For our Internet Edge, I am using 2xASA5520's in a Active/Passive arrangement.

The ASA's are connected directly to the N7K, one each.

The current configuration has a VPC vlan trunked to the ASA (There are VPC hosts in the same vlan as the ASA inside interface, namely the proxy server). Lets make it VLAN 100.

This means the N7K's see the ASA ports as Orphan ports due to the Active/Passive arrangement.

The ASA and both Nexus units are configured to participate in OSPF.

The issue I have is that the adjacency between the ASA and the secondary Nexus unit flaps between Down and Exstart. Debugs show that both units do transition to TWOWAY but get no further.

Am I hitting the VPC rule that doesn't allow a packet to leave a VPC port if it came from the peer link? Because I thought Orphan ports are exempted from this rule.

Interestingly we have another setup with ASA5520's, N5K's w/ L3 card and that works perfectly fine.

What could be the problem? Also, does Cisco have a CVD for ASA w/Nexus?

Device Versions:

-N7K's are on 6.0(4)

-ASA's are on 8.4(4)1

Addresses:

N7K-1: Vlan100 is 172.16.16.1 (HSRP), 172.16.16.2

N7K-2: Vlan100 is 172.16.16.1 (HSRP), 172.16.16.3

ASA: Vlan100 is 172.16.16.4

Outputs:

ASAFW01/pri/act# sho ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface

172.16.16.3       1   EXSTART/DROTHER    0:00:18     172.16.16.3     Inside

172.16.16.2       1   FULL/BDR        0:00:33     172.16.16.2     Inside

N7K-1# sho ip ospf nei

OSPF Process ID 100 VRF default

Total number of neighbors: 2

Neighbor ID     Pri State            Up Time  Address         Interface

172.16.16.3       1 FULL/DROTHER     1d21h    172.16.16.3     Vlan100

172.16.16.4       1 FULL/DR          1d21h    172.16.16.4     Vlan100

N7K-2# sho ip ospf nei

OSPF Process ID 100 VRF default

Total number of neighbors: 2

Neighbor ID     Pri State            Up Time  Address         Interface

172.16.16.2       1 FULL/BDR         1d21h    172.16.16.2     Vlan100

172.16.16.4       1 EXSTART/DR       0.058404 172.16.16.4     Vlan100

Debug Outputs:

N7K-2:

2012 Oct  4 08:42:05.770098 ospf: 100 [29268] (default) Nbr 172.16.16.4: EXSTART --> EXSTART, event HELLORCVD

2012 Oct  4 08:42:05.770134 ospf: 100 [29268] (default) Nbr 172.16.16.4: EXSTART --> EXSTART, event TWOWAYRCVD

2012 Oct  4 08:42:06.218770 ospf: 100 [29268] (default) Sending DBD to 172.16.16.4 on Vlan100

2012 Oct  4 08:42:06.218823 ospf: 100 [29268] (default) Sent DBD with 0 entries to 172.16.16.4 on Vlan100

2012 Oct  4 08:42:06.218845 ospf: 100 [29268] (default)   mtu 1500, opts: 0x42, ddbits: 0x7, seq: 0x17945901

(Repeats over and over again, till timeout, then ends up in re-election)

ASA:

OSPF: Up DBD Retransmit cnt to 6 for 172.16.16.3 on Inside

OSPF: Send DBD to 172.16.16.3 on Inside seq 0xd3a opt 0x2 flag 0x7 len 32

OSPF: Send with youngest Key 1

OSPF: Send with youngest Key 1

OSPF: Rcv DBD from 172.16.16.3 on Inside seq 0x4b59f7a3 opt 0x42 flag 0x7 len 32  mtu 1500 state EXSTART

OSPF: First DBD and we are not SLAVE

OSPF: Retransmitting DBD to 172.16.16.3 on Inside

OSPF: Up DBD Retransmit cnt to 7 for 172.16.16.3 on Inside

OSPF: Send DBD to 172.16.16.3 on Inside seq 0xd3a opt 0x2 flag 0x7 len 32

OSPF: Send with youngest Key 1

OSPF: Send with youngest Key 1

OSPF: Send with youngest Key 1

OSPF: Rcv DBD from 172.16.16.3 on Inside seq 0x4b59f7a3 opt 0x42 flag 0x7 len 32  mtu 1500 state EXSTART

OSPF: First DBD and we are not SLAVE

OSPF: Retransmitting DBD to 172.16.16.3 on Inside

OSPF: Up DBD Retransmit cnt to 8 for 172.16.16.3 on Inside