Solved: ASA not advertising routes

AFlack20 · ‎08-12-2020

I'm having an issue where my ASA isn't advertising routes in eigrp. The interface is up (Gi0/3), and the network is being advertised (network 172.16.10.0 255.255.255.0) in the correct autonomous system (AS 1).

Its almost like the interface isn't allowed to advertise routes, but its not a passive interface.

Does anyone know why the ASA wouldn't advertise a route from this interface?

ASA# show run interface
!
interface GigabitEthernet0/0
description *** Connection to ISP ***
nameif OUTSIDE
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
description *** Connection to Expressway Outside ***
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description *** Connection to 3850 ***
nameif INSIDE
security-level 100
ip address 192.168.244.9 255.255.255.252
!
interface GigabitEthernet0/3
description *** Connection to Expressway Inside ***
nameif INSIDE_VCS
security-level 100
ip address 172.168.10.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
no security-level
no ip address

ASA# show int ip bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 72.234.212.71 YES CONFIG up up
GigabitEthernet0/1 172.16.1.1 YES CONFIG up up
GigabitEthernet0/2 192.168.244.9 YES CONFIG up up
GigabitEthernet0/3 172.168.10.1 YES CONFIG up up
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Internal-Data0/2 unassigned YES unset up up
Internal-Data0/3 169.254.1.1 YES unset up up
Management0/0 unassigned YES unset up up

ASA# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 72.234.212.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 72.234.212.1, OUTSIDE
D 10.10.10.0 255.255.255.252
[90/3072] via 192.168.244.10, 00:13:51, INSIDE
D 10.210.0.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:51, INSIDE
D 10.210.1.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:51, INSIDE
D 10.210.2.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:51, INSIDE
D 10.250.37.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:51, INSIDE
C 72.234.212.0 255.255.255.0 is directly connected, OUTSIDE
L 72.234.212.71 255.255.255.255 is directly connected, OUTSIDE
C 172.16.1.0 255.255.255.0 is directly connected, DMZ
L 172.16.1.1 255.255.255.255 is directly connected, DMZ
C 172.168.10.0 255.255.255.0 is directly connected, INSIDE_VCS
L 172.168.10.1 255.255.255.255 is directly connected, INSIDE_VCS
D 192.168.244.4 255.255.255.252
[90/3072] via 192.168.244.10, 00:13:53, INSIDE
C 192.168.244.8 255.255.255.252 is directly connected, INSIDE
L 192.168.244.9 255.255.255.255 is directly connected, INSIDE
D 192.168.246.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:53, INSIDE
D 192.168.248.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:53, INSIDE
D 192.168.249.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:53, INSIDE
D 192.168.250.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:53, INSIDE
D 192.168.251.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:53, INSIDE
D 192.168.252.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:53, INSIDE
D 192.168.253.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:53, INSIDE
D 192.168.254.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:53, INSIDE
D 192.168.255.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:53, INSIDE
D 205.109.54.0 255.255.254.0
[90/3072] via 192.168.244.10, 00:13:58, INSIDE
D 205.109.247.0 255.255.255.0
[90/3072] via 192.168.244.10, 00:13:58, INSIDE

ASA# show eigrp topology
EIGRP-IPv4 Topology Table for AS(1)/ID(192.168.244.9)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 205.109.54.0 255.255.254.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 192.168.244.4 255.255.255.252, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 192.168.249.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 192.168.253.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 192.168.251.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 192.168.254.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 192.168.252.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 205.109.247.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 10.10.10.0 255.255.255.252, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 192.168.246.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 10.210.0.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 192.168.250.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 192.168.244.8 255.255.255.252, 1 successors, FD is 2816
via Connected, INSIDE
P 192.168.248.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 192.168.255.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 10.210.2.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 10.210.1.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 10.250.37.0 255.255.255.0, 1 successors, FD is 3072
via 192.168.244.10 (3072/2816), INSIDE
P 172.16.1.0 255.255.255.0, 1 successors, FD is 2816
via Connected, DMZ

ASA# show eigrp interfaces
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
DMZ 0 0 / 0 0 0 / 1 0 0
INSIDE 1 0 / 0 1018 0 / 1 5093 0

Georg Pauwen · ‎08-13-2020

Hello,

--> and the network is being advertised (network 172.16.10.0 255.255.255.0) in the correct autonomous system (AS 1).

Is this a typo ? There is no interface on your ASA with an IP address in the 172.16.10.0/24 range...I have a feeling that you mistakenly have configured GigabitEthernet0/3 with IP address 172.168.10.1 255.255.255.0 instead of 172.16.10.1 255.255.255.0 ?

interface GigabitEthernet0/1
description *** Connection to Expressway Outside ***
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description *** Connection to 3850 ***
nameif INSIDE
security-level 100
ip address 192.168.244.9 255.255.255.252
!
interface GigabitEthernet0/3
description *** Connection to Expressway Inside ***
nameif INSIDE_VCS
security-level 100
ip address 172.168.10.1 255.255.255.0

View solution in original post

Georg Pauwen · ‎08-13-2020

Hello,

--> and the network is being advertised (network 172.16.10.0 255.255.255.0) in the correct autonomous system (AS 1).

Is this a typo ? There is no interface on your ASA with an IP address in the 172.16.10.0/24 range...I have a feeling that you mistakenly have configured GigabitEthernet0/3 with IP address 172.168.10.1 255.255.255.0 instead of 172.16.10.1 255.255.255.0 ?

interface GigabitEthernet0/1
description *** Connection to Expressway Outside ***
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description *** Connection to 3850 ***
nameif INSIDE
security-level 100
ip address 192.168.244.9 255.255.255.252
!
interface GigabitEthernet0/3
description *** Connection to Expressway Inside ***
nameif INSIDE_VCS
security-level 100
ip address 172.168.10.1 255.255.255.0

AFlack20 · ‎08-13-2020

Yep that was it. 🤦‍♂️

Sometime ya just need that second set of eyes to see the problem.

Thx!