Solved: OSPF Connection between ASA 5525 & Nexus 9504s - Page 2

sebbing · ‎07-21-2022

Hello all,

I am having a bit of an issue with trying to get an ASA 5525 to form a neighborship with a Nexus 9504. They can see and communicate with each other via layer2 VLAN connection.

Trying to figure out what I am doing wrong. Here is stippets of the interfaces from the Nexus and the ASA.

Nexus

show interface vlan 3

interface Vlan3
description FIREWALL-INSIDE-Default-Gateway
no shutdown
mtu 9000
no ip redirects
ip address 10.50.2.8/24
no ipv6 redirects
ip router ospf 1 area 0.0.0.100
hsrp version 2
hsrp 3
name FIREWALL-INSIDE
preempt
priority 90
ip 10.50.2.2

ASA

ASA-03# sh run router
router ospf 1
router-id 10.50.2.5
network 10.50.2.0 255.255.255.0 area 100
network 10.60.0.128 255.255.255.128 area 100
area 100
log-adj-changes
!

I guess the question I have is that when I try to put in area 0.0.0.100 on the ASA it transfers it to what you see here with only 100. Is that a big deal on that matter or is it still the same "area"?

I am not sure if it is a problem but the ASA is connected to a 2960 switch, which is then connected to a pair of 93180 layer 2 nexus switches. Those are then connected to the 9504s . Pings and traceroutes go both ways at this point, so I am not sure where the breakdown is happening. Can someone assist me with this?

Thanks!

sebbing · ‎07-22-2022

Hi pman,

I do not show any recent events on the 9504:

9504-01# show ip ospf 1 event-history adjacency

Adjacency events for OSPF Process "ospf-1"
2022 Mar 31 15:00:05.601872 ospf 1 [1156]: : Removing 0 neighbors from Ethernet2/1
2022 Mar 31 14:58:42.580705 ospf 1 [1156]: : Removing 0 neighbors from Ethernet2/1
2022 Mar 28 14:07:16.189578 ospf 1 [1156]: : Removing 0 neighbors from Ethernet2/48
2021 Aug 29 16:39:29.004350 ospf 1 [1156]: : Built reply LSU with 23 LSAs for 10.90.6.1 700 bytes

I do see on the ASA where I could set the mtu to 9000 on the port-channel as it does not seem to be configured at the moment.

ASA-03# sh run int po 1.3
!
interface Port-channel1.3
description <<< VLAN 3 - FIREWALL-INSIDE (10.50.2.0/24) >>>
vlan 3
nameif Inside_v3
security-level 100
ip address 10.50.2.5 255.255.255.0
ASA-03#

If I put the mtu on the interface, would it cause me to drop my connection for a moment I am guessing?

Thanks!

pman · ‎07-22-2022

increasing MTU should not effect, but it is better to do it during off-hours.

If this is the case, and it is a problem related to MTU mismatch cisco provides the

ip ospf mtu-ignore

command.

But it is important for me to point out that this can cause problems.

changing the MTU to a correct number is better.

https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13684-12.html#solution

I suggest looking at a very interesting article by Brian that explains the problem that can arise from implementing this command

https://ine.com/blog/2011-03-30-ospf-and-mtu-mismatch

"Based on this we can see that the

ip ospf mtu-ignore

command is not a fix to the underlying problem. Instead it is simply an exception to the OSPF adjacency state machine. The real fix to this problem is to ensure that the MTU values match between neighbors, which prevents both routing exchange in the control plane, and packet drops due to unsupported sizes in the data plane."

paul driver · ‎07-21-2022

Hello

As stated by @pman mtu needs to be the same to form adjacency.

debug ip ospf adjacency

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

sebbing · ‎07-25-2022

I am looking at my ASA and see on the interface G0/0 that the MTU is 1500. However, I look at the port-channel, and it is set to 9000. Looking for an answer, but haven't found one as of yet.. Do the physical and the port-channel need to be set? Or if you set it on the port-channel, it is not fragmented by the physical interface?

Thanks!

MHM Cisco World · ‎07-25-2022

that explain something,
check the Port-channel is it active or suspend ?

sebbing · ‎07-25-2022

Port-channel is active on both ASA and the mgmt switch it is connected to. When you are passing data on a layer 2 switch, does it pass the MTU size as well?

MHM Cisco World · ‎07-25-2022

active meaning the MTU of member port is override by the port-channel.
NOW from SW


ping PO of ASA using source SVI of VLAN

sebbing · ‎07-25-2022

9504-01# ping 10.50.2.5 source 10.50.2.8
PING 10.50.2.5 (10.50.2.5) from 10.50.2.8: 56 data bytes
64 bytes from 10.50.2.5: icmp_seq=0 ttl=253 time=0.757 ms
64 bytes from 10.50.2.5: icmp_seq=1 ttl=253 time=0.588 ms
64 bytes from 10.50.2.5: icmp_seq=2 ttl=253 time=0.628 ms
64 bytes from 10.50.2.5: icmp_seq=3 ttl=253 time=0.607 ms
64 bytes from 10.50.2.5: icmp_seq=4 ttl=253 time=0.614 ms

--- 10.50.2.5 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.588/0.638/0.757 ms
9504-01#

MHM Cisco World · ‎07-25-2022

ping 10.50.2.5 source 10.50.2.8 size 8500 df-bit

same but with MTU size large to check

sebbing · ‎07-25-2022

Interesting results, so I hope we are narrowing down onto what my problem is...

9504-01# ping 10.50.2.5 source 10.50.2.8 packet-size 8500 df-bit
PING 10.50.2.5 (10.50.2.5) from 10.50.2.8: 8500 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out

--- 10.50.2.5 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss
9504-01# ping 10.50.2.5 source 10.50.2.8
PING 10.50.2.5 (10.50.2.5) from 10.50.2.8: 56 data bytes
64 bytes from 10.50.2.5: icmp_seq=0 ttl=253 time=0.803 ms
64 bytes from 10.50.2.5: icmp_seq=1 ttl=253 time=0.664 ms
64 bytes from 10.50.2.5: icmp_seq=2 ttl=253 time=0.597 ms
64 bytes from 10.50.2.5: icmp_seq=3 ttl=253 time=0.6 ms
64 bytes from 10.50.2.5: icmp_seq=4 ttl=253 time=0.896 ms

--- 10.50.2.5 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.597/0.712/0.896 ms
9504-01#

Doing even a packet-size of 1600 does not go thru, so it makes me wonder where the packets are stopping due to the limitation..

Trying to figure out how to fix this on the firewall without losing connectivity...

Thanks!

MHM Cisco World · ‎07-25-2022

ok, Now we sure that there is MTU mismatch, but that not prevent the OSPF from send hello (hello message is small)
but you must correct this mismatch, this link can help you
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115003-asa-rec-trans-jef.html

only two ping more need
in NSK


ping 224.0.0.5 source SVI
ping 224.0.0.6 source SVI

this give us more view what issue here

sebbing · ‎07-25-2022

I dont know if I am not doing something right or what, but here is the results of that test and seems to be all I get when I try to ping those IPs.

9504-01# ping 224.0.0.5 source-interface vlan 3
ping: either multicast replicate flag or source interface needs to be specified
9504-01# ping 224.0.0.6 source-interface vlan 3
ping: either multicast replicate flag or source interface needs to be specified
9504-01# ping 224.0.0.6
ping: either multicast replicate flag or source interface needs to be specified

Thanks!

MHM Cisco World · ‎07-25-2022

can you share the config of PO of ASA?

sebbing · ‎07-25-2022

Below is what I get when I do the

sh run int po 1.3

I have put the mtu on the PO but it does not want to seem to go onto the physical interface.

ASA-03# sh run int po 1.3
!
interface Port-channel1.3
description vLAN 3 - UCS-MGT-FIREWALL-INSIDE (10.50.2.0/24)
vlan 3
nameif Inside_v3
security-level 100
ip address 10.50.2.5 255.255.255.0
ASA-03#

ASA-03# show int inside_v3
Interface Port-channel1.3 "Inside_v3", is up, line protocol is up
Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
VLAN identifier 3
Description: vLAN 3 - FIREWALL-INSIDE (10.50.2.0/24)
MAC address c4f7.d554.580f, MTU 9000
IP address 10.50.2.5, subnet mask 255.255.255.0
Traffic Statistics for "Inside_v3":
521274 packets input, 139171196 bytes
214557 packets output, 28194492 bytes
317661 packets dropped
ASA-03#

Thanks!

MHM Cisco World · ‎07-25-2022

for ping use it with then without source

ping multicast multicast-grp-address interface