BGP routes not working in ASR although its in routing table

pgyogeshkumar
Level 1

Hi 

I am facing an interesting issue with an ASR9K device. Below is my topology: two different ASRs connected through an ASA.

ASR9K -------> ASA ----------> ASR9K

The routing between the first ASR9K and the ASA is eBGP.

The routing between the ASA and the second ASR9K is also eBGP.

Initially the routes in the ASR9K were neither advertised to nor received from their peers. However, after configuring a route policy with "pass all", the ASR9K started advertising and receiving routes with its peers.

Now even the far-end ASR9K routes are available in the route table (not only in the BGP table; they are present in the route table as well) on both ASRs;

however, if I ping from one ASR to the other ASR, it is not reachable.

Even a traceroute does not reach the first hop. However, the routes are available with the correct next hop defined, and even the next hop (which is the ASA) is reachable from either ASR.

Can you please suggest why the traffic for the BGP routes is not even exiting the interface to reach the next hop from the ASR?

5 Replies

acampbell
VIP Alumni

Hi,

I'm not an expert on firewalls at all.
I just have an appreciation of what they do.

You say your BGP is passing OK, so IP/TCP port 179 is good.

But ping and traceroute use ICMP.

Is ICMP allowed through?

See this link:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html

You could test with a different protocol; try telnet or SSH between the routers.

Regards
Alex

Hello,

If the routes exist in the ASR routing table, you only need to check the ASA policy. The ASR passes the traffic for sure; it is the ASA blocking the traffic. Make sure you have added ICMP to the global policy, and also access lists for ICMP.

policy-map global_policy
 class inspection_default
  inspect icmp

Please share your ASA configuration if your problem still exists.

Masoud

Hi Masoud,

I have applied the configuration given by you and even configured a few access lists for ICMP with the same access-group number as per the link shared by acampbell (the comment above).

Nothing was working for me.

However, I had configured two interfaces with security level 0, and it looks like that was the problem: when I changed the security level to 100 for one interface, I could reach end to end.

Please share some basic ASA-related docs with the minimum needed, as it will be useful for those who have worked in routing and switching alone.
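The two conditions discussed in this thread, the same-security-level drop the original poster found and the ICMP inspection and ACLs Masoud mentioned, shown together in one ASA configuration. This is an added example written for this page, not configuration posted by anyone in the thread; the interface names asr1 and asr2, the IP addresses, and the ACL name ASR2_IN are assumptions chosen to match the ASR9K -> ASA -> ASR9K topology.

```cisco
! Added example (not from the thread). Interface names, addresses and the
! ACL name are assumed for illustration.
!
! --- Broken layout: both ASR-facing interfaces at security level 0 ---
! The ASA drops traffic between two interfaces of equal security level
! unless same-security-traffic is enabled, so BGP to the ASA itself works
! but nothing crosses from one ASR to the other.
interface GigabitEthernet0/0
 nameif asr1
 security-level 0
 ip address 10.0.1.2 255.255.255.0
interface GigabitEthernet0/1
 nameif asr2
 security-level 0
 ip address 10.0.2.2 255.255.255.0
!
! --- Fix A (what the poster did): give one interface a different level ---
! Traffic from asr1 (100) to asr2 (0) is then permitted by default;
! replies return through the stateful connection table.
interface GigabitEthernet0/0
 nameif asr1
 security-level 100
 ip address 10.0.1.2 255.255.255.0
!
! --- Fix B: keep both at level 0 and explicitly allow equal-level traffic ---
same-security-traffic permit inter-interface
!
! ICMP is not tracked statefully unless it is inspected. Inspecting it in
! the global policy lets echo replies back in without a separate ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! With Fix A, pings started from the lower-security side (asr2 at level 0)
! still need an inbound ACL on that interface.
access-list ASR2_IN extended permit icmp 10.0.2.0 255.255.255.0 any
access-group ASR2_IN in interface asr2
!
! Check: simulate an echo request (type 8, code 0) from the ASR behind asr1
! to the far ASR and see which phase (ACL, NAT, inspection) drops it,
! without sending any real traffic.
! packet-tracer input asr1 icmp 10.0.1.1 8 0 10.0.2.1 detailed
```

The packet-tracer line is the check to run first when a route is present on the ASR but the ping never completes: its output names the exact ASA phase that drops the packet, which is faster than reading debug icmp trace. One caveat worth knowing: the ASA only answers pings sent to the address of the interface the packet arrives on, so a host behind one interface pinging the address of the far-side interface gets no reply even when through traffic is working correctly; test reachability with a host on the far side rather than the ASA's far-side interface address.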

Hello,

Some basic configurations:

http://www.firewall.cx/forums/10-firewall-filtering-idsips-a-security/32041-howto-basic-asa-5505-configuration.html
http://www.soundtraining.net/i-t-tutorials/cisco-tutorials/41-cisco-asa-security-appliance-eight-basic-commands

http://www.routerfreak.com/basic-configuration-tutorial-for-the-cisco-asa-5505-firewall/

Masoud

Hi Masoud

I am facing the same issue again with a different ASA now.

Traffic from the Inside towards the Outside interface is not working properly.

1. If I ping from a LAN device to the Inside interface of the ASA (locally connected), I get replies.

2. But if I ping from the LAN device to the Outside interface of the ASA, I get no reply. Even with the debug icmp trace command I could not see the traffic hitting the firewall. The ACLs have been implemented correctly, and the global policy also allows it with inspect icmp.

3. If I ping from the LAN device to an IP on the Outside network, there is also no reply. But I can see the request hitting the firewall using the debug icmp trace command, while no replies are seen on the ASA.

Not sure where the traffic is being blocked.