strange Problem in EIGRP

jeffar.gh · ‎02-14-2015

hi

i run eigrp between office router and branches router i have one asa firewall on edge network.

i have about 50 static route on asa and i redistribute in eigrp and everything work fine.

about a week ago i saw many of my branch is disconnect, i check my office router and branch router, route of my branch is advertise normally but route from office router not receive on branch router.

i check every thing to find problem, and finally i understand the problem from my asa, when i remove the static route, my network back to normal work, and when i add static route the problem is back

Jon Marshall · ‎02-14-2015

Need more information.

How are the office and branch connected ?

What is the WAN ie. is it MPLS ?

If so how do you exchange routes between the office and the branch ?

Where is the ASA in relation to this ?

What routes are you redistributing into EIGRP on the ASA and why ?

Really need to understand how your network is laid out to help you.

Jon

jeffar.gh · ‎02-14-2015

i have 4 type link between branch and office:

1.ptp link with radio

2.ptmp link

3.wimax

4.MPLS

some branch use one link and some use 2 or 3 link

i have this problem on wimax link only

for security reason in branch employee can access to special website and with asa i redistribute ip address of this websites on EIGRP

ASA like Router on the same EIGRP AS

between Office and branch i use IPSec Tunnel

Jon Marshall · ‎02-14-2015

How are you exchanging routes over IPSEC ?

Is it a GRE tunnel ?

The route you removed from the ASA, what was it ?

When you say the branch didn't get the route which route are you talking about ie. the one on the ASA or a route for the main office ?

Jon

jeffar.gh · ‎02-14-2015

i use ipsec tunnel

i Remove static route on asa (for many website i have static route to ip address of website)

in branch i advertise lan ip address like 10.1.1.0/24 and in office advertise lan ip address like 10.0.0.0/24

when this problem happen, in office routing table i have route to 10.1.1.1/24 but in branch routing table i don't have route to 10.0.0.0/24

i don't understand what you mean from this question?(How are you exchanging routes over IPSEC ?)

Jon Marshall · ‎02-14-2015

IPSEC does not support multicast and EIGRP uses multicast so I assumed you were using a GRE tunnel with IPSEC so you could exchange routes.

So which route do you remove off the ASA to get the office route back in the branch ?

Jon

jeffar.gh · ‎02-14-2015

yes i use gre tunnel with ipsec

i remove one by one but i don't find special route, when i remove all static routes , then problem gone

Jon Marshall · ‎02-14-2015

Okay I'm going to need more than that to help out.

So -

1) what does the network look like at the main office ie. the router that has the GRE tunnel from the branch, what does that connect to internally.

Do you have a L3 switch ?

Basically the subnet the branch does not receive, what is the L3 device in the main office that routes that subnet.

2) Where in relation to the above does the ASA connect to ?

If all the routes you redistribute on the ASA are internet IPs then I can't see at the moment how this would affect the advertisements to the branch for the main office subnet especially as the subnet is using private addressing and the IPs added to the ASA were public IPs.

Were there any static routes on the ASA that were for private IPs or subnets ?

Also when you removed them one by one and couldn't find the problem where did you get to ie. if you removed them one by one then eventually you will have removed them all so I'm not clear when you say the only solution was to remove them all.

Jon

jeffar.gh · ‎02-15-2015

my network like this picture

i don't have L3 Switch in main office i use Router 3945

and on asa i don't have any static to private ip or subnet.

when this problem happen, in branch Router i don't see any route from EIGRP

thank you