OSPF Connection between ASA 5525 & Nexus 9504s

sebbing
Level 1

Hello all,

I am having a bit of an issue with trying to get an ASA 5525 to form a neighborship with a Nexus 9504. They can see and communicate with each other via layer2 VLAN connection.

Trying to figure out what I am doing wrong. Here are snippets of the interfaces from the Nexus and the ASA.

Nexus

show interface vlan 3

interface Vlan3
description FIREWALL-INSIDE-Default-Gateway
no shutdown
mtu 9000
no ip redirects
ip address 10.50.2.8/24
no ipv6 redirects
ip router ospf 1 area 0.0.0.100
hsrp version 2
hsrp 3
name FIREWALL-INSIDE
preempt
priority 90
ip 10.50.2.2

ASA

ASA-03# sh run router
router ospf 1
router-id 10.50.2.5
network 10.50.2.0 255.255.255.0 area 100
network 10.60.0.128 255.255.255.128 area 100
area 100
log-adj-changes
!

I guess the question I have is that when I try to put in area 0.0.0.100 on the ASA it transfers it to what you see here with only 100. Is that a big deal on that matter or is it still the same "area"?

I am not sure if it is a problem, but the ASA is connected to a 2960 switch, which is then connected to a pair of 93180 layer 2 Nexus switches. Those are then connected to the 9504s. Pings and traceroutes go both ways at this point, so I am not sure where the breakdown is happening. Can someone assist me with this?

Thanks!

Accepted Solution

I told you in my previous post to check this point;
anyway,
I am so glad you found the issue.
Yes, passive makes the NSK not send Hellos and never establish OSPF.
Remove passive from this interface and check OSPF.



feature ospf

<- have you enabled OSPF on the Nexus?

Hi MHM,

We do have the feature enabled on the Nexus. We currently have it doing OSPF for many other networks, I just seem to be having an issue with getting this neighbor adjacency done.

9504-01# sh run | i feature
feature telnet
feature tacacs+
feature ospf
feature bgp
feature pbr
feature interface-vlan
feature hsrp
feature lacp
feature vpc
feature sflow
9504-01#

 

Currently that Nexus has 2 other neighbors talking to it already:

9504-01# sh ip ospf nei
OSPF Process ID 1 VRF default
Total number of neighbors: 2
Neighbor ID Pri State Up Time Address Interface
10.90.3.1 1 FULL/DR 1y9w 10.90.4.2 Po10
10.10.179.251 1 FULL/ - 46w4d 10.90.6.1 Eth2/29.10
9504-01#

Thoughts? Thanks!

show ip ospf interface brief

can I see this?

Hi MHM,

9504-01# sh ip ospf int br
OSPF Process ID 1 VRF default
Total number of interface: 20
Interface ID Area Cost State Neighbors Status
Vlan1 9 0.0.0.100 40 DR 0 up
Eth2/1 2 0.0.0.100 400 DOWN 0 down
Eth2/11 11 0.0.0.100 40 DR 0 up
Lo0 8 0.0.0.100 1 LOOPBACK 0 up
Po10 3 0.0.0.100 1 BDR 1 up
Vlan15 5 0.0.0.100 40 DR 0 up
Vlan702 6 0.0.0.100 40 DR 0 up
Vlan1000 7 0.0.0.100 40 DR 0 up
Vlan3000 10 0.0.0.100 40 DR 0 up
Vlan200 4 0.0.0.100 40 DR 0 up
Vlan3 12 0.0.0.100 40 DR 0 up
Vlan5 13 0.0.0.100 40 DR 0 up
Vlan10 14 0.0.0.100 40 DR 0 up
Vlan803 15 0.0.0.100 40 DR 0 up
Vlan806 16 0.0.0.100 40 DR 0 up
Vlan990 17 0.0.0.100 40 DR 0 up
Vlan999 18 0.0.0.100 40 DR 0 up
Vlan3001 19 0.0.0.100 40 DR 0 up
Vlan810 21 0.0.0.100 40 DR 0 up
Eth2/29.10 20 0.0.0.0 4 P2P 1 up

9504-01#

ASA-03# sh ospf int br

Interface PID Area IP Address/Mask Cost State Nbrs F/C
Inside_v3 1 100 10.50.2.5/255.255.255.0 10 DR 0/0
ASA-03#

Thanks!

Both are DR, friend!!
First check the network type.
Reduce the OSPF priority to make the Nexus ALWAYS be elected as DR.

Hello
Along with the possible MTU mismatch, the Nexus doesn't have OSPF attached to any interface for 10.50.2.0/24.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes, it can, but
according to the Cisco doc the MTU is checked in and affects the ExStart state, and both neighbors will be stuck in this stage.
Here he does not pass the other stages, which include the DR election; if the priority is 0 on both sides then sync does not happen.
Anyway, I asked him to check and let us know his reply.
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13684-12.html#t1

 

ip ospf mtu-ignore

<- check this command for MTU mismatch.

Hello @MHM Cisco World 
The OP shows no OSPF adjacency even being attempted; no state is shown whatsoever, so it cannot be a DR/Slave election issue. That won't even attempt to begin until the first two stages (shown in your picture) occur, and if it is failing there then I would say you would see it failing in 2-way state.
Also I would suggest NOT using mtu-ignore; even though it is a viable feature, it's been proven it can be harmful and degrading to the network long term, establishing OSPF adjacency with mismatching MTU.

Lastly, given that both devices do not even share the same address space, that is most probably why no adjacency is even being attempted; a posting from

debug ip ospf hello/ adjacency

should show the issue when the two devices are actually on the same network to even try to peer with each other.



Kind Regards
Paul

So we now agree on
1- OSPF does not pass the first stage
2- ignoring MTU is not recommended <<- here I mention it just for troubleshooting; sure, he needs to fix the mismatch.

For the subnet/mask, it is the same; he shared the config in the original post.

Anyway,

Vlan3 12 0.0.0.100 40 DR 0 up <- the interface is UP and is VLAN 3

and
it stops in DR.
I did a small lab: when the two neighbors do not exchange Hellos, DR appears on both OSPF peers.

So the points @sebbing must check:
1- the trunk between the ASA and NSK must allow VLAN 3
2- CoPP applied to the NSK allows OSPF "I see the NSK has OSPF with other peers, but double check"
3- whether passive-interface is configured on both sides
For the ASA, check the passive-interface

Hello

ASA-03# sh ospf int br
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Inside_v3 1 100 10.50.2.5/255.255.255.0 10 DR 0/0

Where do you see that subnet on the 9504 device?



Kind Regards
Paul

Interface Vlan3
description FIREWALL-INSIDE-Default-Gateway
no shutdown
mtu 9000
no ip redirects
ip address 10.50.2.8/24 <<<- this IP; he uses an SVI, not a routed port.
no ipv6 redirects
ip router ospf 1 area 0.0.0.100
hsrp version 2
hsrp 3
name FIREWALL-INSIDE
preempt
priority 90
ip 10.50.2.2

Hello
@MHM Cisco World yes, I can see it now; how I missed that is beyond me, as it's even in the OP.




Kind Regards
Paul

pman
Spotlight

Hi,

Is there a chance that there is an MTU mismatch between the ASA and the Nexus?
I noticed that interface Vlan3 is configured with MTU 9000.

Please post the output of

show ip ospf 1 event-history adjacency
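As an added example (not from the thread or from any of the posters), a small Python checker that encodes the tests raised across this thread: it normalises the area ID (the ASA's "100" and the Nexus's "0.0.0.100" are the same 32-bit value, which answers the OP's question), compares subnet, area, passive state, DR priority and MTU for the two sides in the order the adjacency would fail, and picks out interfaces that sit in DR with zero neighbours in the NX-OS "show ip ospf interface brief" output, the symptom MHM pointed at. Interface addresses, areas and the Nexus MTU come from the thread; the ASA MTU of 1500, both priorities, the Nexus passive flag (set to mirror the accepted solution) and the dict field names are assumptions.

```python
import ipaddress

def normalize_area(area: str) -> str:
    """Dotted form of an OSPF area ID: '100' and '0.0.0.100' are one value."""
    if "." in area:
        return str(ipaddress.IPv4Address(area))
    return str(ipaddress.IPv4Address(int(area)))

def adjacency_blockers(a: dict, b: dict) -> list:
    """List reasons two OSPF interfaces on one broadcast segment will not
    reach FULL. Dict keys: name, ip (CIDR), area, mtu, passive, priority."""
    problems = []
    net_a = ipaddress.ip_interface(a["ip"]).network
    net_b = ipaddress.ip_interface(b["ip"]).network
    if net_a != net_b:
        problems.append(f"different subnets {net_a} vs {net_b}: no Hellos exchanged")
    if normalize_area(a["area"]) != normalize_area(b["area"]):
        problems.append(f"area mismatch {a['area']} vs {b['area']}: Hellos dropped")
    for side in (a, b):
        if side["passive"]:
            problems.append(f"{side['name']} is passive: sends no Hellos")
    if a["priority"] == 0 and b["priority"] == 0:
        problems.append("both priorities 0: no DR can be elected")
    if a["mtu"] != b["mtu"]:
        problems.append(f"MTU mismatch {a['mtu']} vs {b['mtu']}: stalls in ExStart")
    return problems

def dr_without_neighbors(show_output: str) -> list:
    """Interfaces in NX-OS 'show ip ospf interface brief' that are up, DR and
    have 0 neighbors; on a link that should have a peer this means no Hellos."""
    found = []
    for line in show_output.splitlines():
        f = line.split()
        if len(f) == 7 and f[4] == "DR" and f[5] == "0" and f[6] == "up":
            found.append(f[0])
    return found

# Constructed sample: values from the thread where given; the ASA MTU and
# both priorities are assumptions, the Nexus passive flag mirrors the fix.
NEXUS_VLAN3 = {"name": "9504-01 Vlan3", "ip": "10.50.2.8/24", "area": "0.0.0.100",
               "mtu": 9000, "passive": True, "priority": 1}
ASA_INSIDE = {"name": "ASA-03 Inside_v3", "ip": "10.50.2.5/24", "area": "100",
              "mtu": 1500, "passive": False, "priority": 1}
NXOS_BRIEF = """Interface ID Area Cost State Neighbors Status
Po10 3 0.0.0.100 1 BDR 1 up
Vlan3 12 0.0.0.100 40 DR 0 up
Eth2/29.10 20 0.0.0.0 4 P2P 1 up"""
```

Calling adjacency_blockers(NEXUS_VLAN3, ASA_INSIDE) reports only the passive interface and the MTU difference, and dr_without_neighbors(NXOS_BRIEF) returns just Vlan3; SVIs with no peer on the wire legitimately show DR with 0 neighbours, so only interfaces expected to have a neighbour matter.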