BGP on ASA can't advertise it's own connected /32

james.brunner (Level 1)

Hi all,

First off, yes, this is about BGP on an ASA, so it kinda fits between the routing community and the firewall community, but, as the key issue is BGP, I thought routing was a better choice.

I have a very simple scenario - I have an ASA [9.16(3)] running BGP on the inside interface, which is connected to a single BGP neighbor [IOS-XE 17.3.5]. I want to be able to advertise the ASA's local inside IP address as a /32 into BGP to that neighbor over the inside interface.

So my inside interface is set as:

fw01# sh run int ten0/0
interface TenGigabitEthernet0/0
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0


I have a prefix list configured to permit the /32 of the interface as well as the /24 subnet for the interface (this is only for testing - in reality I only want the /32 from this ASA).

fw01# sh run prefix-list
prefix-list ASA_to_NHRS seq 10 permit 10.10.10.1/32
prefix-list ASA_to_NHRS seq 20 permit 10.10.10.0/24


My BGP is set with a single neighbor in the same subnet as the inside interface and uses the prefix list above to ensure only the /32 (or /24) could be advertised out. At the same time I've configured both the /32 and /24 as network statements.

fw01# sh run router
router bgp 64000
bgp log-neighbor-changes
bgp router-id 10.10.10.1
address-family ipv4 unicast
neighbor 10.10.10.200 remote-as 64001
neighbor 10.10.10.200 timers 10 30 30
neighbor 10.10.10.200 activate
neighbor 10.10.10.200 prefix-list ASA_to_NHRS out
network 10.10.10.1 mask 255.255.255.255
network 10.10.10.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family


If I check in the RIB, I can see the route for the /32 connected address.

fw01# sh route 10.10.10.1
Routing entry for 10.10.10.1 255.255.255.255
Known via "connected", distance 0, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via inside
Route metric is 0, traffic share count is 1


And the same for the subnet that the inside interface is part of.

fw01# sh route 10.10.10.0
Routing entry for 10.10.10.0 255.255.255.0
Known via "connected", distance 0, metric 0 (connected, via interface)
Advertised by bgp 64011
Routing Descriptor Blocks:
* directly connected, via inside
Route metric is 0, traffic share count is 1


But already I can see the /24 is being Advertised by BGP 64001 but the /32 isn't. Checking the BGP tables:

fw01# sh bgp
BGP table version is 6, local router ID is 10.248.80.8
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
<snip> *> 10.10.10.0/24 0.0.0.0 0 32768 i <snip>


And checking what the ASA is advertising confirms that the neighbor is only receiving the subnet address and not the specific /32 address:

fw01# sh bgp neigh 10.10.10.200 adv
BGP table version is 6, local router ID is 10.248.80.8
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
<snip> *> 10.10.10.0/24 0.0.0.0 0 32768 i <snip>


What have I missed? I thought that if I had a route in the RIB then I was able to advertise it by a simple network statement...

Any help gladly received!

JB.

1 Accepted Solution

Accepted Solutions

Yes, a route, but not a directly connected one.
Imagine you have a multi-access network with 10 L3 devices connected, each one having a /32 route; will BGP advertise all 10 /32 prefixes? No, it will advertise only the one multi-access network.
So this is normal; you see only the /24.

11 Replies


I think I need more coffee - it's obvious from your reply. Thanks!

ilirnako1 (Level 1)

I have the same issue. I want to advertise one /32 prefix via a network statement, but it is not advertised. This is normal, as the previous reply said.

The network statement in the BGP process does not work! The prefix does not enter the BGP table.

Regards 

ilir


Hello
No need for the host network statement of the loopback in this case; the rtr and fw have directly connected interfaces within the same advertised subnet as the loopback.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

ilirnako1 (Level 1)

Hello

It is not the loopback interface that is to be advertised. I want to advertise something from this firewall: one /32 IP that is in one connected subnet.

router bgp 64000
bgp log-neighbor-changes
bgp router-id 10.10.10.1
address-family ipv4 unicast
network 10.10.10.10 mask 255.255.255.255
no auto-summary
no synchronization
exit-address-family

For example, if the connected prefix is 10.10.10.0/24, I want to advertise only one IP from this prefix, for example 10.10.10.10.

That is the logic.

How can you advertise this /32 prefix?

In normal routers, with a network statement, it can be advertised.

Regards

Ilir

Hi @ilirnako1 ,

For the route to be originated in BGP, you need a route in the RIB matching the network statement.  In your case, the network statement is for 10.10.10.10/32. If 10.10.10.10/32 is not present in the RIB, BGP will not originate this route.

Try adding a static route:

route <interface name where 10.10.10.0/24 is configured> 10.10.10.10 255.255.255.255 10.10.10.10

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
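Putting Harold's static-route suggestion together with the original poster's outbound prefix-list filter, here is an added example ASA configuration that is not from any post in this thread. The interface name `inside`, AS numbers, peer 10.10.10.200 and host 10.10.10.10 are taken from the thread; the combined config and the expected verification output are assumptions.

```cisco
! Host route: gives BGP an exact RIB match for the network statement
! (assumption: next hop set to the host itself, as Harold suggested)
route inside 10.10.10.10 255.255.255.255 10.10.10.10
!
! Outbound filter: permit only the /32; the connected /24 is deliberately
! not listed, so nothing else leaks to the peer even if more network
! statements are added later
prefix-list ASA_to_NHRS seq 10 permit 10.10.10.10/32
!
router bgp 64000
 bgp log-neighbor-changes
 bgp router-id 10.10.10.1
 address-family ipv4 unicast
  neighbor 10.10.10.200 remote-as 64001
  neighbor 10.10.10.200 activate
  neighbor 10.10.10.200 prefix-list ASA_to_NHRS out
  ! Exact match against the static host route above; the interface's own
  ! address (10.10.10.1/32) is not originated this way per the accepted answer
  network 10.10.10.10 mask 255.255.255.255
 exit-address-family
!
! Verification (expected once the static route is in the RIB):
!   fw01# sh route 10.10.10.10            -> Known via "static"
!   fw01# sh bgp neigh 10.10.10.200 adv   -> 10.10.10.10/32 listed
```

If `sh bgp neigh 10.10.10.200 adv` still omits the /32, check the RIB first: a network statement never originates a prefix that has no exact-match route.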

ilirnako1 (Level 1)

Hi Harold 

This is a good suggestion. I had also tested that; the prefix is advertised, but there is no more connectivity with the host.

The problem is that the IP became the next-hop and disconnected. The best static route option would be if it could be added just via the interface, without the next-hop!

Now I am sure that the advertisement is not possible if the prefix is not in the RIB.

Regards

Ilir


Hi @ilirnako1 ,

> The problem is that the IP became the next-hop and disconnect.

I am not sure what you mean by that. I tested it with ASAv 9.16(2) and it works like a charm. 

[Screenshot attached, 2023-01-10 14:57:50]

What version do you use?

> The best static route option is if  added just only via interface ,without the next-hop!

I am not sure the ASA will allow you to do that.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

ilirnako1 (Level 1)

Hi Harold 

Good news, it also worked here like a charm.

That is the solution to advertise the /32.

Thank you

Ilir

You are very welcome. I am glad it fixed the issue @ilirnako1 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

ilirnako1 (Level 1)

Hi Harold, thank you.

You can tell the expert from the exact answers!