07-21-2022 01:25 PM - last edited on 08-02-2022 10:41 PM by Translator
Hello all,
I am having a bit of an issue with trying to get an ASA 5525 to form a neighborship with a Nexus 9504. They can see and communicate with each other via layer2 VLAN connection.
Trying to figure out what I am doing wrong. Here are snippets of the interfaces from the Nexus and the ASA.
Nexus
show interface vlan 3
interface Vlan3
  description FIREWALL-INSIDE-Default-Gateway
  no shutdown
  mtu 9000
  no ip redirects
  ip address 10.50.2.8/24
  no ipv6 redirects
  ip router ospf 1 area 0.0.0.100
  hsrp version 2
  hsrp 3
    name FIREWALL-INSIDE
    preempt
    priority 90
    ip 10.50.2.2
ASA
ASA-03# sh run router
router ospf 1
 router-id 10.50.2.5
 network 10.50.2.0 255.255.255.0 area 100
 network 10.60.0.128 255.255.255.128 area 100
 area 100
 log-adj-changes
!
I guess the question I have is that when I try to put in area 0.0.0.100 on the ASA it transfers it to what you see here with only 100. Is that a big deal on that matter or is it still the same "area"?
I am not sure if it is a problem, but the ASA is connected to a 2960 switch, which is then connected to a pair of 93180 layer 2 Nexus switches. Those are then connected to the 9504s. Pings and traceroutes go both ways at this point, so I am not sure where the breakdown is happening. Can someone assist me with this?
Thanks!
07-25-2022 01:52 PM
I informed you in my previous post to check this point.
Anyway,
I am so glad you got the issue.
Yes, passive makes the NSK not send Hello and never establish the OSPF.
No passive on this interface, and check the OSPF.
07-21-2022 02:55 PM - last edited on 08-02-2022 10:45 PM by Translator
feature ospf
<- have you enabled OSPF on the Nexus?
07-21-2022 03:36 PM - last edited on 08-02-2022 10:44 PM by Translator
Hi MHM,
We do have the feature enabled on the Nexus. We currently have it doing OSPF for many other networks, I just seem to be having an issue with getting this neighbor adjacency done.
9504-01# sh run | i feature
feature telnet
feature tacacs+
feature ospf
feature bgp
feature pbr
feature interface-vlan
feature hsrp
feature lacp
feature vpc
feature sflow
9504-01#
Currently that Nexus has 2 other neighbors talking to it already:
9504-01# sh ip ospf nei
OSPF Process ID 1 VRF default
Total number of neighbors: 2
Neighbor ID      Pri  State     Up Time  Address     Interface
10.90.3.1        1    FULL/DR   1y9w     10.90.4.2   Po10
10.10.179.251    1    FULL/ -   46w4d    10.90.6.1   Eth2/29.10
9504-01#
Thoughts? Thanks!
07-21-2022 03:51 PM - last edited on 08-02-2022 10:46 PM by Translator
show ip ospf interface brief
Can I see this?
07-22-2022 05:33 AM - last edited on 08-02-2022 10:47 PM by Translator
Hi MHM,
9504-01# sh ip ospf int br
OSPF Process ID 1 VRF default
Total number of interface: 20
Interface    ID   Area        Cost  State     Neighbors  Status
Vlan1        9    0.0.0.100   40    DR        0          up
Eth2/1       2    0.0.0.100   400   DOWN      0          down
Eth2/11      11   0.0.0.100   40    DR        0          up
Lo0          8    0.0.0.100   1     LOOPBACK  0          up
Po10         3    0.0.0.100   1     BDR       1          up
Vlan15       5    0.0.0.100   40    DR        0          up
Vlan702      6    0.0.0.100   40    DR        0          up
Vlan1000     7    0.0.0.100   40    DR        0          up
Vlan3000     10   0.0.0.100   40    DR        0          up
Vlan200      4    0.0.0.100   40    DR        0          up
Vlan3        12   0.0.0.100   40    DR        0          up
Vlan5        13   0.0.0.100   40    DR        0          up
Vlan10       14   0.0.0.100   40    DR        0          up
Vlan803      15   0.0.0.100   40    DR        0          up
Vlan806      16   0.0.0.100   40    DR        0          up
Vlan990      17   0.0.0.100   40    DR        0          up
Vlan999      18   0.0.0.100   40    DR        0          up
Vlan3001     19   0.0.0.100   40    DR        0          up
Vlan810      21   0.0.0.100   40    DR        0          up
Eth2/29.10   20   0.0.0.0     4     P2P       1          up
9504-01#
ASA-03# sh ospf int br
Interface   PID  Area  IP Address/Mask          Cost  State  Nbrs F/C
Inside_v3   1    100   10.50.2.5/255.255.255.0  10    DR     0/0
ASA-03#
Thanks!
07-22-2022 06:02 AM - edited 07-22-2022 11:58 AM
Both are DR, friend!!
First check the network type.
Reduce the OSPF priority to make the Nexus ALWAYS get elected as DR.
07-22-2022 06:34 AM
Hello
Along with the possible MTU mismatch, the Nexus doesn’t have OSPF attached to any interface for 10.50.2.0/24
07-22-2022 07:09 AM
Yes, it can, but
according to the Cisco doc, the MTU is checked and affects the ExStart state, and both neighbors will be stuck in this stage.
Here he has not passed the other stages, which include the DR election; if the priority is 0 on both sides then sync does not happen.
Anyway, I asked him to check and let us know his reply.
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13684-12.html#t1
07-22-2022 01:21 PM - last edited on 08-02-2022 10:49 PM by Translator
ip ospf mtu-ignore
<- check this command for MTU mismatch.
07-22-2022 03:47 PM - last edited on 08-02-2022 10:54 PM by Translator
Hello @MHM Cisco World
The OP shows no OSPF adjacency even being attempted; no state is shown whatsoever, so it cannot be a DR/Slave election issue. That won’t even attempt to begin until the first two stages (shown in your picture) occur, and if it is failing there then I would say you would see it failing in 2way state.
Also, I would suggest NOT using mtu ignore. Even though it is a viable feature, it's been proven that establishing OSPF adjacency with mismatching MTU can be harmful and degrading to the network long term.
Lastly, given that both devices do not even share the same address space, that is most probably why no adjacency is even being attempted. A posting from
debug ip ospf hello/ adjacency
should show the issue when the two devices are actually on the same network to even try to peer with each other.
07-22-2022 04:22 PM - last edited on 08-02-2022 10:57 PM by Translator
So we now agree on:
1- OSPF stage does not pass the first one
2- ignoring MTU is not recommended <<- here I mentioned it just for troubleshooting; sure, he needs to fix the mismatch.
For the subnet/mask, it is the same; he shared the config in the original post.
Anyway,
Vlan3 12 0.0.0.100 40 DR 0 up <- the interface is UP and VLAN 3
and
it stops in DR.
I did a small lab: when both neighbors are not exchanging hellos, DR appears on both OSPF peers.
So the points @sebbing must check:
1- the trunk between the ASA and NSK must allow VLAN 3
2- CoPP applied to the NSK allows OSPF "I see the NSK has OSPF with other peers, but double check"
3- Passive-interface is configured on both sides
For the ASA, check the passive-interface.
07-22-2022 04:31 PM - last edited on 08-02-2022 11:01 PM by Translator
Hello
ASA-03# sh ospf int br
Interface   PID  Area  IP Address/Mask          Cost  State  Nbrs F/C
Inside_v3   1    100   10.50.2.5/255.255.255.0  10    DR     0/0
Where do you see that subnet on the 9504 device?
07-22-2022 04:33 PM - last edited on 08-02-2022 11:02 PM by Translator
Interface Vlan3
  description FIREWALL-INSIDE-Default-Gateway
  no shutdown
  mtu 9000
  no ip redirects
  ip address 10.50.2.8/24 <<<- this IP; he uses an SVI, not a routed port.
  no ipv6 redirects
  ip router ospf 1 area 0.0.0.100
  hsrp version 2
  hsrp 3
    name FIREWALL-INSIDE
    preempt
    priority 90
    ip 10.50.2.2
07-24-2022 01:20 AM
Hello
@MHM Cisco World yes, I can see it now. How I missed that is beyond me, as it's even in the OP.
07-21-2022 10:59 PM - last edited on 08-02-2022 11:03 PM by Translator
Hi,
Is there a chance that there is an MTU mismatch between the ASA and the Nexus?
I noticed that interface Vlan3 is configured with MTU 9000.
please post output of
show ip ospf 1 event-history adjacency
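Added example, not part of any post in this thread: a short Python check that runs the two `ospf int br` rows posted above through the comparisons the replies argue about (area ID notation, shared subnet, and the "both sides DR with 0 neighbors" symptom). The function names are hypothetical; the rows and the Nexus address are copied from the posts.

```python
import ipaddress

# Values copied from the thread: Vlan3 row and address on the Nexus, Inside_v3 row on the ASA.
NEXUS_ROW = "Vlan3 12 0.0.0.100 40 DR 0 up"
NEXUS_ADDR = "10.50.2.8/24"
ASA_ROW = "Inside_v3 1 100 10.50.2.5/255.255.255.0 10 DR 0/0"


def area_id(text):
    """OSPF area IDs are 32-bit numbers; accept decimal or dotted notation."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)


def parse_nexus(row, addr):
    # Columns: Interface, ID, Area, Cost, State, Neighbors, Status
    name, _ifid, area, _cost, state, nbrs, _status = row.split()
    return {"if": name, "area": area_id(area), "state": state,
            "nbrs": int(nbrs), "net": ipaddress.ip_interface(addr).network}


def parse_asa(row):
    # Columns: Interface, PID, Area, IP Address/Mask, Cost, State, Nbrs F/C
    name, _pid, area, addr, _cost, state, full_count = row.split()
    return {"if": name, "area": area_id(area), "state": state,
            "nbrs": int(full_count.split("/")[1]),
            "net": ipaddress.ip_interface(addr).network}


def diagnose(a, b):
    """Return findings for two interfaces expected to be OSPF neighbors."""
    findings = []
    if a["area"] != b["area"]:
        findings.append("area mismatch")
    if a["net"] != b["net"]:
        findings.append("different subnets")
    if a["state"] == b["state"] == "DR" and a["nbrs"] == b["nbrs"] == 0:
        findings.append("both DR with 0 neighbors: hellos not exchanged "
                        "(check passive-interface, VLAN 3 on the path, CoPP)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_nexus(NEXUS_ROW, NEXUS_ADDR), parse_asa(ASA_ROW)):
        print(finding)
```

With the posted rows, area `100` and area `0.0.0.100` compare equal and both interfaces are in 10.50.2.0/24, so the only finding is the missing hello exchange.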