Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
59119
Views
0
Helpful
6
Replies

Gateway of last resort is not set

Go to solution
tolinrome tolinrome
Level 1
Level 1

‎06-18-2019 02:36 PM

I have a tricky problem, hopefully someone can shed some light on it.

We routed our internal network traffic from one of our main layer 3 switches, to a new firewall, instead of the one it was using for a long time. All I did on the L3 switch was remove the old static route to the old firewall and add the new static route pointing to the new firewall as the default route. For example: (IP Addresses are examples)

no ip route 0.0.0.0 0.0.0.0 10.10.10.1

ip route 0.0.0.0 0.0.0.0 10.10.10.2

Everything is working fine and everyone can get to the internet, no problems at all.

Here's the tricky part:

Later on, on the old firewall (ASA), I shut down the outside interface, there is nothing going through this firewall anymore since everything is being routed to the new firewall. As soon as I shut the interface down, I was getting reports of users in different locations not being able to reach the internet. I noticed that on one of our layer 3 switches when I did a "sh ip route" I saw the following:

"Gateway of last resort is not set"

"Then a list of all our internal network listed below here using O and O E2.."

So, internal routing was fine but anything outside of that, (internet) had no gateway.

As soon as I did a "no shut" on the ASA's outside interface and looked on one of the layer 3 switches the default gateway came back:

Gateway of last resort is 10.5.5.5 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 10.5.5.5, 00:00:21, Vlan5

"Then a list of all our internal network listed below here using O and O E2.."

 

On the ASA's outside interface is:

interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast

Also, on the ASA:

#sh run router

router ospf 1
router-id 10.10.50.1
network 10.0.0.0 255.0.0.0 area 0
area 0
log-adj-changes
default-information originate
!
router rip
network 10.0.0.0
passive-interface dmz
passive-interface outside

 

How is turning off the ASA's outside interface removing the default gateway from the layer 3 switches?

Thanks.

 

 

2 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to tolinrome tolinrome

‎06-19-2019 03:39 AM

Hello tolinrome,

the old ASA OSPF configuration has the following command:

 

router ospf 1

>>default-information originate

 

In your previous setup the old ASA was in charge to generate an OSPF default route that is injected in the OSPF domain and installed in all downstream = more internal switches.

When you shut the outside interface on the old ASA the local default route is removed and the old ASA will remove the LSA type 5 0.0.0.0/0.

So you have two options:

or you make the new firewall to take part in OSPF and to generate the default route like the old ASA did up to now

or you apply the default-information originate command in router ospf mode on the L3 switch directly connected to the new firewall.

 

Hope to help

Giuseppe

 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
omz
VIP Alumni
VIP Alumni

‎06-18-2019 02:47 PM

Hi 

Did you issue "sh ip route" after changing the static route?

Did it show the new gateway of last resort?

 

0 Helpful

Go to solution
tolinrome tolinrome
Level 1
Level 1
In response to omz

‎06-18-2019 02:54 PM

Hello omz,
Yes I did that and it showed the new gateway of last resort, I have that posted on my question. Thank you
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎06-18-2019 03:00 PM

 

It's not clear how the L3 switches are related to each other.

 

So I am assuming the one you added the static route to had the default gateway set because static would take precedence over OSPF but some other L3 switches seem to be relying on OSPF for a default route. 

 

Without seeing your network topology this is just a guess but I suspect what is happening is that on the L3 switch you added the static route to you did not redistribute this static into OSPF but it is still participating in OSPF and passing the LSAs to downstream L3 switches which do rely on the OSPF default route being originated on your old ASA firewall. 

 

So traffic still ended up at the main L3 switch you added the static to because the downstream switches received a default via OSPF from the main L3 switch even though it was using a static you added.

 

Once you shut down the outside interface on the ASA it no longer received the default route from it's upstream neighbor so no longer generated the default route which was no longer passed to downstream switches so only the L3 switch you added the static to knew where to send traffic. 

 

Of course there is a lot of guesswork in the above and it is late so I could be talking complete rubbish :) 

 

Jon

0 Helpful

Go to solution
Hector Gustavo Serrano Gutierrez
Cisco Employee
Cisco Employee

‎06-18-2019 03:14 PM 

Gateway of last resort is 10.5.5.5 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.5.5.5, 00:00:21, Vlan5

Who is 10.5.5.5?

0 Helpful

Go to solution
tolinrome tolinrome
Level 1
Level 1
In response to Hector Gustavo Serrano Gutierrez

‎06-18-2019 04:26 PM

That is the IP address of the next L3 switch, which is directly connected to a firewall to outside.

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to tolinrome tolinrome

‎06-19-2019 03:39 AM

Hello tolinrome,

the old ASA OSPF configuration has the following command:

 

router ospf 1

>>default-information originate

 

In your previous setup the old ASA was in charge to generate an OSPF default route that is injected in the OSPF domain and installed in all downstream = more internal switches.

When you shut the outside interface on the old ASA the local default route is removed and the old ASA will remove the LSA type 5 0.0.0.0/0.

So you have two options:

or you make the new firewall to take part in OSPF and to generate the default route like the old ASA did up to now

or you apply the default-information originate command in router ospf mode on the L3 switch directly connected to the new firewall.

 

Hope to help

Giuseppe

 

0 Helpful
Customers Also Viewed These Support Documents
Top