Re: OSPF Return Traffic Issue

MohammadSalih · ‎10-28-2024

hi every one,

i have this topology and it works good but i face issue with it.

the topology is attached in below.

the upper side running DMVPN with EIGRP

ASR-1,ASR-2-ASR-B are the hubs

routers (106,183,11) are the Spokes

and the lower side running OSPF .

Redistribution is running between OSPF and EIGRP.

ASR-1 is primary for DMVPN and OSPF Routes ,ASR-2 is second and ASR-B is Third

the ping is work fine form 10.11.0.0/16 to 172.29.29.21 and opposite as well thru ASR-1

when i try to test if Shutdown ASR-1 Traffic automatically changed to ASR-2 and it work good.

the problem is when i shutdown the ISP-1, DMVPN Spokes disconnect form ASR-1 and change to ASR-2 and when i try to ping

from 172.29.29.21(9K) to 10.11.0.0/16 (Spoke) send the packet to ASR-1 , But ASR-1 didn't no the way to 10.11.0.0/16 becouse the DMVPN down ASR-1 with all Spokes.

Verfication:

ASR-1

sh ip route

10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O 10.0.125.3/32 [110/21] via 172.29.29.6, 02:28:27, Ethernet0/1.101
O 10.0.125.130/32 [110/21] via 172.29.29.6, 02:28:27, Ethernet0/1.101
C 10.120.98.0/24 is directly connected, Ethernet0/0.120
L 10.120.98.17/32 is directly connected, Ethernet0/0.120
S 10.120.168.0/24 [1/0] via 10.120.98.10
172.1.0.0/24 is subnetted, 1 subnets
S 172.1.50.0 [1/0] via 172.22.8.10
172.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.22.8.0/24 is directly connected, Ethernet0/0.172
L 172.22.8.6/32 is directly connected, Ethernet0/0.172
172.29.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.29.29.0/24 is directly connected, Ethernet0/1.101
L 172.29.29.1/32 is directly connected, Ethernet0/1.101
O 172.29.29.21/32 [110/21] via 172.29.29.6, 02:28:27, Ethernet0/1.101
172.31.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.31.101.0/24 is directly connected, Tunnel10101
L 172.31.101.254/32 is directly connected, Tunnel10101
C 172.31.102.0/24 is directly connected, Tunnel10201
L 172.31.102.254/32 is directly connected, Tunnel10201
C 172.31.105.0/24 is directly connected, Tunnel10501
L 172.31.105.254/32 is directly connected, Tunnel10501
192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.4.0/24 is directly connected, Ethernet0/0.4
L 192.168.4.1/32 is directly connected, Ethernet0/0.4
S 192.168.5.0/24 [1/0] via 192.168.4.10

ASR-2

sh ip route

10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O 10.0.125.3/32 [110/21] via 172.29.29.6, 02:12:57, Ethernet0/1.101
O 10.0.125.130/32 [110/21] via 172.29.29.6, 02:12:57, Ethernet0/1.101
D 10.11.7.0/24 [90/25781760] via 172.31.105.11, 00:41:23, Tunnel10501
D 10.11.107.0/24 [90/25781760] via 172.31.105.11, 00:41:23, Tunnel10501
D 10.106.7.0/24 [90/25781760] via 172.31.105.106, 00:41:27, Tunnel10501
D 10.106.107.0/24
[90/25781760] via 172.31.105.106, 00:41:27, Tunnel10501
C 10.120.98.0/24 is directly connected, Ethernet0/0.120
L 10.120.98.16/32 is directly connected, Ethernet0/0.120
S 10.120.168.0/24 [1/0] via 10.120.98.10
D 10.183.7.0/24 [90/25781760] via 172.31.105.183, 00:41:25, Tunnel10501
D 10.183.107.0/24
[90/25781760] via 172.31.105.183, 00:41:25, Tunnel10501
172.1.0.0/24 is subnetted, 1 subnets
S 172.1.50.0 [1/0] via 172.22.8.10
172.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.22.8.0/24 is directly connected, Ethernet0/0.172
L 172.22.8.5/32 is directly connected, Ethernet0/0.172
172.29.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.29.29.0/24 is directly connected, Ethernet0/1.101
L 172.29.29.2/32 is directly connected, Ethernet0/1.101
O 172.29.29.21/32 [110/21] via 172.29.29.6, 02:12:57, Ethernet0/1.101
172.31.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.31.101.0/24 is directly connected, Tunnel10101
L 172.31.101.253/32 is directly connected, Tunnel10101
C 172.31.102.0/24 is directly connected, Tunnel10201
L 172.31.102.253/32 is directly connected, Tunnel10201
C 172.31.105.0/24 is directly connected, Tunnel10501
L 172.31.105.253/32 is directly connected, Tunnel10501
192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.4.0/24 is directly connected, Ethernet0/0.4
L 192.168.4.2/32 is directly connected, Ethernet0/0.4
S 192.168.5.0/24 [1/0] via 192.168.4.10

ASR-B

sh ip route

10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O 10.0.125.3/32 [110/21] via 172.29.29.6, 02:13:39, Ethernet0/1.101
O 10.0.125.130/32 [110/21] via 172.29.29.6, 02:13:39, Ethernet0/1.101
D 10.11.7.0/24 [90/25807360] via 172.31.105.11, 00:42:06, Tunnel10501
D 10.11.107.0/24 [90/25807360] via 172.31.105.11, 00:42:06, Tunnel10501
D 10.106.7.0/24 [90/25807360] via 172.31.105.106, 00:42:09, Tunnel10501
D 10.106.107.0/24
[90/25807360] via 172.31.105.106, 00:42:09, Tunnel10501
S 10.120.98.0/24 [1/0] via 123.123.123.2
C 10.120.168.0/24 is directly connected, Ethernet0/0.120
L 10.120.168.132/32 is directly connected, Ethernet0/0.120
D 10.183.7.0/24 [90/25807360] via 172.31.105.183, 00:42:07, Tunnel10501
D 10.183.107.0/24
[90/25807360] via 172.31.105.183, 00:42:07, Tunnel10501
123.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 123.123.123.0/24 is directly connected, Ethernet0/0.123
L 123.123.123.1/32 is directly connected, Ethernet0/0.123
172.1.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.1.50.0/24 is directly connected, Ethernet0/0.172
L 172.1.50.1/32 is directly connected, Ethernet0/0.172
172.22.0.0/24 is subnetted, 1 subnets
S 172.22.8.0 [1/0] via 123.123.123.2
172.29.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.29.29.0/24 is directly connected, Ethernet0/1.101
L 172.29.29.3/32 is directly connected, Ethernet0/1.101
O 172.29.29.21/32 [110/21] via 172.29.29.6, 02:13:39, Ethernet0/1.101
172.31.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.31.101.0/24 is directly connected, Tunnel10101
L 172.31.101.252/32 is directly connected, Tunnel10101
C 172.31.102.0/24 is directly connected, Tunnel10201
L 172.31.102.252/32 is directly connected, Tunnel10201
C 172.31.105.0/24 is directly connected, Tunnel10501
L 172.31.105.252/32 is directly connected, Tunnel10501
S 192.168.4.0/24 [1/0] via 123.123.123.2
192.168.5.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.5.0/24 is directly connected, Ethernet0/0.5
L 192.168.5.2/32 is directly connected, Ethernet0/0.5

FTD-1

sh ip route

10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O 10.0.125.3/32 [110/11] via 172.16.29.2, 02:37:28, Ethernet0/1
O 10.0.125.130/32 [110/11] via 172.16.29.2, 02:37:28, Ethernet0/1
O E2 10.11.7.0/24 [110/20] via 172.29.29.1, 00:13:51, Ethernet0/0.101
O E2 10.11.107.0/24 [110/20] via 172.29.29.1, 00:13:51, Ethernet0/0.101
O E2 10.106.7.0/24 [110/20] via 172.29.29.1, 00:13:51, Ethernet0/0.101
O E2 10.106.107.0/24 [110/20] via 172.29.29.1, 00:13:51, Ethernet0/0.101
O E2 10.183.7.0/24 [110/20] via 172.29.29.1, 00:13:50, Ethernet0/0.101
O E2 10.183.107.0/24 [110/20] via 172.29.29.1, 00:13:50, Ethernet0/0.101
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.29.0/30 is directly connected, Ethernet0/1
L 172.16.29.1/32 is directly connected, Ethernet0/1
C 172.16.29.4/30 is directly connected, Ethernet0/2
L 172.16.29.5/32 is directly connected, Ethernet0/2
172.29.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.29.29.0/24 is directly connected, Ethernet0/0.101
O 172.29.29.1/32 [110/1000] via 172.29.29.1, 02:14:12, Ethernet0/0.101
O 172.29.29.2/32 [110/1010] via 172.29.29.1, 02:14:12, Ethernet0/0.101
O 172.29.29.3/32 [110/1010] via 172.29.29.1, 02:14:12, Ethernet0/0.101
L 172.29.29.6/32 is directly connected, Ethernet0/0.101
O 172.29.29.21/32 [110/11] via 172.16.29.2, 02:37:28, Ethernet0/1
192.168.10.0/32 is subnetted, 1 subnets
O 192.168.10.254 [110/11] via 172.16.29.6, 02:37:28, Ethernet0/2
192.168.18.0/32 is subnetted, 1 subnets
O 192.168.18.254 [110/11] via 172.16.29.6, 02:37:28, Ethernet0/2
192.168.19.0/32 is subnetted, 1 subnets
O 192.168.19.254 [110/11] via 172.16.29.6, 02:37:28, Ethernet0/2

_________________________________________________________

any suggestions?

MHM Cisco World · ‎10-28-2024

Do you use if-state nhrp?

MHM

Cristian Matei · ‎10-28-2024

Hi,

His issue looks to be related to routing or something within these lines, but behind the hubs. How could "if-state nhrp", which is a spoke feature, be related to this scenario?

Thanks,

Cristian.

Cristian Matei · ‎10-28-2024

Hi,

Could you post OSPF and EIGRP configuration for all hubs(including any prefix-lists or route-maps that you may have ben using for redistribution)?

Additionally, when you perform the test with ISP-1 going down, collect and post following outputs from all hubs: " show ip route", "show ip ospf database external 10.11.7.0", "show ip ospf rib 10.11.7.0 255.255.255.0", "show eigrp address-family ipv4 topology 10.11.7.0/24"; also after ISP-1 goes down, collect and post following outputs from FTD1 LINA CLI: "show route", "show ospf database external 10.11.7.0".

Best,

Cristian.

MohammadSalih · ‎10-29-2024

thanks for replying

the problem is on the FTD-1 i prefer the path to ASR-1, and because ISP-1 SW is Shutdown ASR-1 cannot learned eigrp router from spokes so 172.29.29.21(9K) Cannot reach 10.11.0.0/16 (Spoke)

i fixed it by matching routes on FTD-1 coming from ASR-1,ASR-2 and ASR-B and set metric to each one .

Cristian Matei · ‎10-29-2024

Hi,

Glad you fixed it, however, there might me something lurking there in your configs and might run into problems down the road. I'm saying this as once ISP-1 is down, ASR-1 EIGRP adjacency should go down, so ASR-1 should no longer have any EIGRP routes in RIB, thus no longer redistribute EIGRP routes into OSPF. So how come FTD was routing via OSPF through ASR-1, it doesn't make sense.

Plus, when you have multiple redistribution points, without proper route-control, you'll end up into temporar or permanent routing loops when certain events happen, situation called race condition.

Best,

Cristian.

MohammadSalih · ‎10-30-2024

Hi,

FTD-1 is receiving Routes form ASR-1,ASR-2 and ASR-B, i set ospf cost on FTD-1 to prefer ASR-1.

as you say, once ISP-1 is down, ASR-1 EIGRP adjacency is down so ASR-1 should no longer have any EIGRP routes in RIB, thus no longer redistribute EIGRP routes into OSPF.

the issue is when i ping form spoke router to any network in the 9K networks like 172.29.29.21 the ping not working because the traffic when it reaches to FTD-1 via ASR-2 (ASR-1 not have any EIGRP routes from spokes),

the FTD-1 send traffic back to ASR-1(preferred path) because of that the traffic getting dropped .

so i solved the problem by tagging the traffic from each ASR and match the tag on the FTD-1 and set cost to each one by preferring

ASR-1 , so when ISP-1 goes down ASR-1 will no longer send routes to FTD-1 .

in this case FTD-1 will select routes from ASR-2.

hopefully it does make sense for you.

thanks again for your interest.

MHM Cisco World · ‎10-30-2024

this if both ISP is UP instead of using cost use metric when you redistribute the OSPF into EIGRP
and use delay when you redistribute the EIGRP into OSPF.