06-18-2019 02:36 PM
I have a tricky problem, hopefully someone can shed some light on it.
We routed our internal network traffic from one of our main layer 3 switches, to a new firewall, instead of the one it was using for a long time. All I did on the L3 switch was remove the old static route to the old firewall and add the new static route pointing to the new firewall as the default route. For example: (IP Addresses are examples)
no ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.2
Everything is working fine and everyone can get to the internet, no problems at all.
Here's the tricky part:
Later on, on the old firewall (ASA), I shut down the outside interface, there is nothing going through this firewall anymore since everything is being routed to the new firewall. As soon as I shut the interface down, I was getting reports of users in different locations not being able to reach the internet. I noticed that on one of our layer 3 switches when I did a "sh ip route" I saw the following:
"Gateway of last resort is not set"
"Then a list of all our internal network listed below here using O and O E2.."
So, internal routing was fine but anything outside of that, (internet) had no gateway.
As soon as I did a "no shut" on the ASA's outside interface and looked on one of the layer 3 switches the default gateway came back:
Gateway of last resort is 10.5.5.5 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.5.5.5, 00:00:21, Vlan5
"Then a list of all our internal network listed below here using O and O E2.."
On the ASA's outside interface is:
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast
Also, on the ASA:
#sh run router
router ospf 1
router-id 10.10.50.1
network 10.0.0.0 255.0.0.0 area 0
area 0
log-adj-changes
default-information originate
!
router rip
network 10.0.0.0
passive-interface dmz
passive-interface outside
How is turning off the ASA's outside interface removing the default gateway from the layer 3 switches?
Thanks.
Labels: Other Routing, Routing Protocols
Accepted Solutions
06-19-2019 03:39 AM
Hello tolinrome,
the old ASA OSPF configuration has the following command:
router ospf 1
>>default-information originate
In your previous setup the old ASA was in charge of generating an OSPF default route that was injected into the OSPF domain and installed in all downstream (more internal) switches.
When you shut the outside interface on the old ASA, the local default route is removed and the old ASA withdraws the LSA type 5 for 0.0.0.0/0.
So you have two options:
either you make the new firewall take part in OSPF and generate the default route like the old ASA did up to now,
or you apply the default-information originate command in router ospf mode on the L3 switch directly connected to the new firewall.
Hope to help
Giuseppe
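The two options above, written out as an added configuration example (not configuration taken from this thread or from either device). It reuses the question's placeholder addresses: 10.10.10.2 is the new firewall's inside address and the old ASA's router-id is 10.10.50.1. The point it makes explicit is that default-information originate without the always keyword is conditional: the router only keeps the Type 5 LSA for 0.0.0.0/0 while it has a default route in its own routing table, which is exactly why the old ASA's advertisement vanished when its outside interface went down.

```cisco
! Added example, not the thread's own configuration.
! Option 2: the L3 switch that holds the static default route
! originates 0.0.0.0/0 into OSPF in place of the old ASA.
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
router ospf 1
 ! Conditional form: the Type 5 LSA for 0.0.0.0/0 is advertised only
 ! while the static default above is present in the routing table.
 ! Remove the static (or lose the next hop) and the LSA is withdrawn,
 ! the same behaviour seen on the old ASA after "shutdown" on outside.
 default-information originate metric 1 metric-type 2
 !
 ! Unconditional form (assumption: use only if a black-holed default is
 ! acceptable when the firewall is down): the LSA stays even with no
 ! default route in the routing table.
 ! default-information originate always
!
! Option 1 instead, on the new firewall if it runs OSPF (assumed syntax
! for a Cisco device; adapt to the platform actually in use):
! router ospf 1
!  network 10.0.0.0 255.0.0.0 area 0
!  default-information originate
!
! Once the replacement originates the default, retire the old ASA's role
! so two ASBRs do not advertise competing defaults (on the old ASA):
! router ospf 1
!  no default-information originate
```

To confirm which device currently originates the default, run `show ip ospf database external 0.0.0.0` on any downstream switch: the Advertising Router field is the router-id of the ASBR that owns the LSA, so it should move from the old ASA's 10.10.50.1 to the switch (or new firewall) after the change. `show ip route 0.0.0.0 0.0.0.0` on the same switch should again report a gateway of last resort with an O*E2 entry rather than "not set".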
06-18-2019 02:47 PM
Hi
Did you issue "sh ip route" after changing the static route?
Did it show the new gateway of last resort?
06-18-2019 02:54 PM
Yes, I did that and it showed the new gateway of last resort; I have that posted in my question. Thank you.
06-18-2019 03:00 PM
It's not clear how the L3 switches are related to each other.
So I am assuming the one you added the static route to had the default gateway set, because a static would take precedence over OSPF, but some other L3 switches seem to be relying on OSPF for a default route.
Without seeing your network topology this is just a guess, but I suspect what is happening is that on the L3 switch you added the static route to, you did not redistribute this static into OSPF, but it is still participating in OSPF and passing the LSAs to downstream L3 switches, which do rely on the OSPF default route being originated on your old ASA firewall.
So traffic still ended up at the main L3 switch you added the static to, because the downstream switches received a default via OSPF from the main L3 switch even though it was using the static you added.
Once you shut down the outside interface on the ASA, it no longer received the default route from its upstream neighbor, so it no longer generated the default route, which was no longer passed to downstream switches, so only the L3 switch you added the static to knew where to send traffic.
Of course there is a lot of guesswork in the above and it is late so I could be talking complete rubbish :)
Jon
06-18-2019 03:14 PM
Gateway of last resort is 10.5.5.5 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.5.5.5, 00:00:21, Vlan5
Who is 10.5.5.5?
06-18-2019 04:26 PM
That is the IP address of the next L3 switch, which is directly connected to a firewall to outside.