Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5787
Views
0
Helpful
7
Replies

Nexus 7K with ASA5500 A/P and OSPF

Go to solution
geniesis
Level 1
Level 1

‎10-03-2012 03:49 PM - edited ‎03-01-2019 07:11 AM

I have two Nexus 7010's in a VPC domain (single VDC) with two 10gb Peerlinks between the two.

For our Internet Edge, I am using 2xASA5520's in a Active/Passive arrangement.

The ASA's are connected directly to the N7K, one each.

The current configuration has a VPC vlan trunked to the ASA (There are VPC hosts in the same vlan as the ASA inside interface, namely the proxy server). Lets make it VLAN 100.

This means the N7K's see the ASA ports as Orphan ports due to the Active/Passive arrangement.

The ASA and both Nexus units are configured to participate in OSPF.

The issue I have is that the adjacency between the ASA and the secondary Nexus unit flaps between Down and Exstart. Debugs show that both units do transition to TWOWAY but get no further.

Am I hitting the VPC rule that doesn't allow a packet to leave a VPC port if it came from the peer link? Because I thought Orphan ports are exempted from this rule.

Interestingly we have another setup with ASA5520's, N5K's w/ L3 card and that works perfectly fine.

What could be the problem? Also, does Cisco have a CVD for ASA w/Nexus?

Device Versions:

-N7K's are on 6.0(4)

-ASA's are on 8.4(4)1

Addresses:

N7K-1: Vlan100 is 172.16.16.1 (HSRP), 172.16.16.2

N7K-2: Vlan100 is 172.16.16.1 (HSRP), 172.16.16.3

ASA: Vlan100 is 172.16.16.4

Outputs:

ASAFW01/pri/act# sho ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface

172.16.16.3       1   EXSTART/DROTHER    0:00:18     172.16.16.3     Inside

172.16.16.2       1   FULL/BDR        0:00:33     172.16.16.2     Inside

N7K-1# sho ip ospf nei

OSPF Process ID 100 VRF default

Total number of neighbors: 2

Neighbor ID     Pri State            Up Time  Address         Interface

172.16.16.3       1 FULL/DROTHER     1d21h    172.16.16.3     Vlan100

172.16.16.4       1 FULL/DR          1d21h    172.16.16.4     Vlan100

N7K-2# sho ip ospf nei

OSPF Process ID 100 VRF default

Total number of neighbors: 2

Neighbor ID     Pri State            Up Time  Address         Interface

172.16.16.2       1 FULL/BDR         1d21h    172.16.16.2     Vlan100

172.16.16.4       1 EXSTART/DR       0.058404 172.16.16.4     Vlan100

Debug Outputs:

N7K-2:

2012 Oct  4 08:42:05.770098 ospf: 100 [29268] (default) Nbr 172.16.16.4: EXSTART --> EXSTART, event HELLORCVD

2012 Oct  4 08:42:05.770134 ospf: 100 [29268] (default) Nbr 172.16.16.4: EXSTART --> EXSTART, event TWOWAYRCVD

2012 Oct  4 08:42:06.218770 ospf: 100 [29268] (default) Sending DBD to 172.16.16.4 on Vlan100

2012 Oct  4 08:42:06.218823 ospf: 100 [29268] (default) Sent DBD with 0 entries to 172.16.16.4 on Vlan100

2012 Oct  4 08:42:06.218845 ospf: 100 [29268] (default)   mtu 1500, opts: 0x42, ddbits: 0x7, seq: 0x17945901

(Repeats over and over again, till timeout, then ends up in re-election)

ASA:

OSPF: Up DBD Retransmit cnt to 6 for 172.16.16.3 on Inside

OSPF: Send DBD to 172.16.16.3 on Inside seq 0xd3a opt 0x2 flag 0x7 len 32

OSPF: Send with youngest Key 1

OSPF: Send with youngest Key 1

OSPF: Rcv DBD from 172.16.16.3 on Inside seq 0x4b59f7a3 opt 0x42 flag 0x7 len 32  mtu 1500 state EXSTART

OSPF: First DBD and we are not SLAVE

OSPF: Retransmitting DBD to 172.16.16.3 on Inside

OSPF: Up DBD Retransmit cnt to 7 for 172.16.16.3 on Inside

OSPF: Send DBD to 172.16.16.3 on Inside seq 0xd3a opt 0x2 flag 0x7 len 32

OSPF: Send with youngest Key 1

OSPF: Send with youngest Key 1

OSPF: Send with youngest Key 1

OSPF: Rcv DBD from 172.16.16.3 on Inside seq 0x4b59f7a3 opt 0x42 flag 0x7 len 32  mtu 1500 state EXSTART

OSPF: First DBD and we are not SLAVE

OSPF: Retransmitting DBD to 172.16.16.3 on Inside

OSPF: Up DBD Retransmit cnt to 8 for 172.16.16.3 on Inside

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jerry Ye
Cisco Employee
Cisco Employee
In response to Lance Wendel

‎11-15-2012 08:22 AM

Peering with a vPC VLAN via any dynamic routing protocol is not supported.

Please take a look at the following link page

https://supportforums.cisco.com/thread/2121708

Regards,

jerry

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jerry Ye
Cisco Employee
Cisco Employee

‎10-03-2012 10:12 PM

To answer your question why this setup is not working the following would happen:

Link state routing protocols typically use link-local multicast and/or TTL = 1. This means that it cannot be sent across another hop when it arrives at the 'wrong' device. (There is no easy way of determining the 'wrong' or 'right' device either, given the destination of the frame is a multicast address).

You need to investigate the N5K with L3 to determine who is the DR and BDR. If you post the output, we would have more clue why this is working on the N5K set up. However, from your description, I don't believe this is a supported design. I will typically change the design so that the ASA VLANs is not going over the peer-link, it will use a regular STP trunk if it requires L3 routing protocol on a SVI.

Regards,

jerry

0 Helpful

Go to solution
geniesis
Level 1
Level 1
In response to Jerry Ye

‎10-03-2012 10:50 PM

I don't believe it is a multicast issue as the ASA and N7K's are pariticipating in the same vlan. Going across the peerlink would not decrement the TTL since it isn't crossing a L3 border.

As for the N5K, it is configured exactly the same as the N7K with the same OSPF priorities. However the N5k manages to establish FULL/DROTHER on the second Nexus.

I have drawn a diagram of how it is connected:

I hope this explains most of what I am trying to do.

0 Helpful

Go to solution
Jerry Ye
Cisco Employee
Cisco Employee
In response to geniesis

‎10-03-2012 10:54 PM

Can you post the show ip ospf neighbor on your N5K and ASA environment?

Regards,

jerry

0 Helpful

Go to solution
geniesis
Level 1
Level 1
In response to Jerry Ye

‎10-03-2012 11:04 PM

Form the N5K setup:

N5K-1# sho ip ospf nei

OSPF Process ID 200 VRF default

Total number of neighbors: 2

Neighbor ID     Pri State            Up Time  Address         Interface

172.16.17.2       1 FULL/DROTHER     26w0d    172.16.17.3     Vlan200

172.16.17.4       1 FULL/DR          14w0d    172.16.17.4     Vlan200

N5K-2# sho ip ospf nei

OSPF Process ID 200 VRF default

Total number of neighbors: 2

Neighbor ID     Pri State            Up Time  Address         Interface

172.16.17.1       1 FULL/BDR         26w0d    172.16.17.2     Vlan200

172.16.17.4       1 FULL/DR          14w0d    172.16.17.4     Vlan200

The ASA:

ASAFW/pri/act# sho ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface

172.16.17.2       1   FULL/DROTHER    0:00:38     172.16.17.3     Inside

172.16.17.1       1   FULL/BDR        0:00:34     172.16.17.2     Inside

0 Helpful

Go to solution
Lance Wendel
Level 1
Level 1
In response to Jerry Ye

‎11-15-2012 08:09 AM

Hi all,

my customer faces the same kind of issue between a ASA and Nexus.

@geniesis were you able to figure out this issue.

I will speak to our internal engineers and if I find anything I will let you all know.

regards,

Lancellot

0 Helpful

Go to solution
Jerry Ye
Cisco Employee
Cisco Employee
In response to Lance Wendel

‎11-15-2012 08:22 AM

Peering with a vPC VLAN via any dynamic routing protocol is not supported.

Please take a look at the following link page

https://supportforums.cisco.com/thread/2121708

Regards,

jerry

0 Helpful

Go to solution
geniesis
Level 1
Level 1
In response to Lance Wendel

‎04-14-2014 08:33 PM

A bit late on the update, but we did manage to put the VLAN connecting the ASA and the Nexus onto a non-vpc vlan. Once this was done, the OSPF peering worked

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card