
ASA not advertising OSPF routes to neighbor

I have an ASA that is solely being used to attach to Azure's VPN.

If I attach to the inside network and use it as the gateway I can get onto the VPN network. I'm trying to add this to our core network but the OSPF routes are not showing up in the OSPF database. Not sure what I'm missing to get the ASA's routes to be advertised.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.156.x.1
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address
ospf cost 10

object-group network AZURE-NET
description Azure Virtual Network
object-group network ONPREM-NET
description OnPrem Network
access-list AZURE-VPN-ACL extended permit ip object-group ONPREM-NET object-group AZURE-NET

nat (inside,outside) source static ONPREM-NET ONPREM-NET destination static AZURE-NET AZURE-NET

router ospf 1000
network area 0
network area 0
area 0 range
area 0 range

From the ASA:

show ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
                1     FULL/DR         0:00:32                     inside

From the neighbor router:

6301-CORESWX-1# show ip ospf neighbor 

 OSPF Neighbor Information

  Router ID       Pri IP Address      NbIfState State    QLen  Events Status

  --------------- --- --------------- --------- -------- ----- ------ ------
                  128                 DR        FULL     0     7      None
                  1                   BDR       FULL     0     6      None


ciscoasa# show ospf database

       OSPF Router with ID ( (Process ID 1000)

Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
                                325         0x80000042 0x5635   1
                                1020        0x80000205 0x8dbc   4
                                371         0x8000013a 0xa3eb   2

Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
                                333         0x80000064 0x236a
                                541         0x80000046 0x 995

Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
                                783         0x80000067 0x 191
                                2921        0x80000066 0xf79a
                                2771        0x80000066 0xd14f
                                2283        0x80000066 0xf8e6

12.156.x.2                      2621        0x80000066 0x737c
                                72          0x80000067 0xc42f

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
                                1682        0x800000a6 0xe5fc   0
                                1502        0x800001e4 0xe4b4   0
                                1502        0x800001e4 0xd8bf   0
                                1262        0x800001e4 0x202b   0


ciscoasa# show route

Gateway of last resort is 12.156.x.3 to network

O IA [110/12] via, 2:57:28, inside

O E2 [110/10] via, 2:57:28, inside

O E2 [110/10] via, 2:57:28, inside

O [110/11] via, 2:57:28, inside

C is directly connected, inside

O [110/11] via, 2:57:28, inside

O [110/11] via, 2:57:28, inside

O [110/11] via, 2:57:28, inside

O IA [110/12] via, 2:57:28, inside

O IA [110/12] via, 2:57:28, inside

O IA [110/12] via, 2:57:28, inside

O E2 [110/10] via, 2:57:28, inside

O IA [110/12] via, 2:57:28, inside

C    12.156.x.2 is directly connected, outside

S* [1/0] via, outside

Jon Marshall
Hall of Fame Guru

So you mean there is no route for being advertised to the internal network. Is that correct? If so, it is because there is no interface on the ASA with an IP from that range.

The network statement in OSPF does not tell it what networks to advertise; it tells it which interfaces to run OSPF on, and then OSPF will advertise the subnet and subnet mask configured on the interface. You don't have this, so it won't advertise that subnet.

There are a number of alternatives but can you confirm that the above is the issue.


Thanks Jon, 

That makes sense. is the network on the other side of the VPN tunnel through the ASA.  Not a local network attached to an interface.  Would it still be possible to use OSPF to point traffic intended for that network?

It would and there are a few alternatives.

You could use a static route either on the core switch pointing to the ASA, or on the ASA and redistribute it into OSPF. If you put it on the core switch then you would need to track the route, but as the firewall is only used for that VPN you may not feel it is worth it. If you add it to the ASA and redistribute, you would want to use a filter to make sure only that static was redistributed.

However, there is also something called Reverse Route Injection (RRI) on the ASA used for this very purpose, which would allow you to advertise the VPN subnet into OSPF. However, I have never used it and don't know if it has certain restrictions, so I can't say for sure it would work, but it sounds like that would be the way to go if possible.

Sorry I can't be more specific but at least you should be able to get it working using one of the above suggestions.

Any more queries just let me know.
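As an added illustration of the two points made above (the `network` statement only selects interfaces, and a static for the tunnel subnet has to be redistributed behind a filter), here is an ASA configuration fragment. It is example configuration written for this thread, not the OP's config or anything from Cisco documentation. The inside address 10.10.10.1/24, the Azure subnet 10.200.0.0/16 and the crypto map name OUTSIDE_MAP are placeholders, because the original post elided those values; 12.156.x.3 is the outside default gateway visible in the OP's `show route` output.

```cisco
! Added example, not the original poster's configuration.
! PLACEHOLDER values: 10.10.10.0/24 (inside), 10.200.0.0/16 (Azure VNet), OUTSIDE_MAP.
!
! 1. The inside interface is the only subnet OSPF can originate on its own:
!    'network ... area 0' below merely enables OSPF on this interface, and the
!    prefix advertised is the one configured here.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 ospf cost 10
!
! 2. The Azure subnet lives behind the tunnel, not on an interface, so it needs a
!    static route. It points at the outside default gateway; the crypto map on
!    'outside' encrypts the traffic before it leaves.
route outside 10.200.0.0 255.255.0.0 12.156.x.3 1
!
! 3. Redistribute ONLY that static. Without the route-map, every static on the box,
!    including the S* default route, would be injected into OSPF as an external.
prefix-list AZURE-ONLY seq 10 permit 10.200.0.0/16
route-map AZURE-STATIC permit 10
 match ip address prefix-list AZURE-ONLY
!
! 4. OSPF process matching the one in the thread. The Azure prefix now reaches the
!    core as an O E2 route, learned via the ASA's inside address.
router ospf 1000
 network 10.10.10.0 255.255.255.0 area 0
 redistribute static subnets route-map AZURE-STATIC
!
! Alternative raised in the thread: Reverse Route Injection. It is enabled per crypto
! map entry and installs a static for the remote subnet of that entry's crypto ACL
! automatically; the injected route is still a static, so step 3 applies to it too.
! crypto map OUTSIDE_MAP 10 set reverse-route
```

After applying this, `show ospf database external` on the ASA should list 10.200.0.0 as a Type-5 LSA advertised by the ASA's router ID, and the core should show it as an O E2 route. If the default route also appears on the core, the route-map is not attached to the `redistribute static` line.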