
ASA OSPF routes not advertised on all interfaces

hm7
Level 1

Hello everyone,

 

I have an issue with OSPF on the ASA. To illustrate the setup I have created this sketch:

[Image: asa-ospf-problem.png]

The OSPF configuration on the ASA is simple. There is only one OSPF process configured and all interfaces are in area 0.

 

The option "Enable traffic between two or more interfaces which are configured with the same security levels" is enabled but as far as I know this is only relevant for firewall rules.

 

Do I need to configure a second OSPF process?

One OSPF process for the outside interfaces and one OSPF process for the inside interface and then redistribute between the two?

 

Thanks for your help!

 

best regards,

Harald

5 Replies

Hi

You don't have to, unless your environment asks for it for some reason.

Take a look at the interfaces and make sure they are not configured as "passive interface". If not, make sure you have OSPF adjacency with the next peer.

 

-If I helped you somehow, please, rate it as useful.-

The OSPF adjacencies are up in all three directions.

 

The routes which originate from the inside router can be seen on both outside routers. Routes originating from outside routers can be seen on the inside router.

 

This only affects prefixes originating from outside routers...

Did you use the "redistribute" command:

redistribute connected

redistribute static

redistribute ospf

 

 

 

-If I helped you somehow, please, rate it as useful.-

We do not have much detail to work with here and that makes it difficult to give good advice. Perhaps Harald can provide more information including at least the config of the interfaces and of OSPF. Also the output of show ip ospf and of show ip ospf interface.

 

HTH

 

Rick


Hello everyone,

 

sorry for my very late reply but I was sick for a few days and away from the console... :-)

Here is some more information with config snippets and some OSPF output.

 

Cisco ASA OSPF Config:

 

router ospf 1
router-id 172.23.249.166
network 172.23.249.160 255.255.255.248 area 0
network 172.23.249.200 255.255.255.248 area 0
network 172.23.250.0 255.255.255.0 area 0
network 192.168.95.144 255.255.255.240 area 0
network 195.122.160.16 255.255.255.240 area 0
area 0
log-adj-changes
!
interface TenGigabitEthernet0/8.510
vlan 510
nameif inside-te08.510
security-level 100
ip address 172.23.249.166 255.255.255.248 standby 172.23.249.165
!
interface TenGigabitEthernet0/9.415
vlan 415
nameif outside-te09.415
security-level 10
ip address 172.23.250.1 255.255.255.0 standby 172.23.250.2
!
interface TenGigabitEthernet0/9.416
vlan 416
nameif outside-te09.416
security-level 10
ip address 172.23.249.201 255.255.255.248 standby 172.23.249.202

 

Output of "show ospf interface" on the ASA:

 

outside-te09.416 is up, line protocol is up
Internet Address 172.23.249.201 mask 255.255.255.248, Area 0
Process ID 1, Router ID 172.23.249.166, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 172.23.249.205, Interface address 172.23.249.205
Backup Designated router (ID) 172.23.249.204, Interface address 172.23.249.204
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 0:00:03
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 5/5, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 40
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 172.23.249.204 (Backup Designated Router)
Adjacent with neighbor 172.23.249.205 (Designated Router)
Suppress hello for 0 neighbor(s)
outside-te09.415 is up, line protocol is up
Internet Address 172.23.250.1 mask 255.255.255.0, Area 0
Process ID 1, Router ID 172.23.249.166, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 195.122.160.19, Interface address 172.23.250.252
Backup Designated router (ID) 195.122.160.18, Interface address 172.23.250.253
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 0:00:06
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 40
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 195.122.160.18 (Backup Designated Router)
Adjacent with neighbor 195.122.160.19 (Designated Router)
Suppress hello for 0 neighbor(s)
inside-te08.510 is up, line protocol is up
Internet Address 172.23.249.166 mask 255.255.255.248, Area 0
Process ID 1, Router ID 172.23.249.166, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 172.20.20.201, Interface address 172.23.249.161
Backup Designated router (ID) 172.23.249.166, Interface address 172.23.249.166
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 0:00:08
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 38
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.20.20.201 (Designated Router)
Suppress hello for 0 neighbor(s)

 

Outside Router 1 OSPF Config:

 

interface Vlan415
ip address 172.23.250.252 255.255.255.0
glbp 415 ip 172.23.250.254
glbp 415 preempt
glbp 415 weighting 50
!
router ospf 2
log-adjacency-changes
auto-cost reference-bandwidth 20000
redistribute static metric-type 1 subnets
passive-interface default
no passive-interface Vlan415
network 172.23.249.248 0.0.0.3 area 0
network 172.23.250.0 0.0.0.255 area 0
network 172.23.251.48 0.0.0.7 area 0
network 195.122.160.16 0.0.0.15 area 0

Output of "show ip ospf interface" on Outside Router 1:

Vlan415 is up, line protocol is up
Internet Address 172.23.250.252/24, Area 0
Process ID 2, Router ID 195.122.160.19, Network Type BROADCAST, Cost: 20
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 195.122.160.19, Interface address 172.23.250.252
Backup Designated router (ID) 195.122.160.18, Interface address 172.23.250.253
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:02
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 40
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 172.23.249.166
Adjacent with neighbor 195.122.160.18 (Backup Designated Router)
Suppress hello for 0 neighbor(s)

Outside Router 2 OSPF Config:

interface Vlan416
ip address 172.23.249.204 255.255.255.248
ip flow ingress
!
interface Vlan702
ip address 172.23.249.109 255.255.255.252
no ip redirects
no ip proxy-arp
!
router ospf 3
router-id 172.23.249.204
log-adjacency-changes
auto-cost reference-bandwidth 20000
redistribute static metric-type 1 subnets
passive-interface default
no passive-interface Vlan416
network 172.23.249.108 0.0.0.3 area 0
network 172.23.249.200 0.0.0.7 area 0

 

Output of "show ip ospf interface" on Outside Router 2:

 

Vlan416 is up, line protocol is up
Internet Address 172.23.249.204/29, Area 0
Process ID 3, Router ID 172.23.249.204, Network Type BROADCAST, Cost: 20
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 172.23.249.205, Interface address 172.23.249.205
Backup Designated router (ID) 172.23.249.204, Interface address 172.23.249.204
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:01
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 172.23.249.166
Adjacent with neighbor 172.23.249.205 (Designated Router)
Suppress hello for 0 neighbor(s)

 

I hope this information helps to troubleshoot further!

 

cheers,
Harald
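
An added example, not part of the original thread and not Cisco tooling: a small Python check that applies the first reply's suggestion (is each interface covered by a `network` statement, and is it passive?) to the Outside Router 2 snippet posted above. The function name `ospf_interface_report` is an assumption of this example, and it handles contiguous masks only.

```python
import ipaddress
import re

# Copied from the "Outside Router 2" snippet posted in the thread.
OUTSIDE_ROUTER_2 = """\
interface Vlan416
 ip address 172.23.249.204 255.255.255.248
!
interface Vlan702
 ip address 172.23.249.109 255.255.255.252
!
router ospf 3
 passive-interface default
 no passive-interface Vlan416
 network 172.23.249.108 0.0.0.3 area 0
 network 172.23.249.200 0.0.0.7 area 0
"""


def ospf_interface_report(config):
    """Map interface name -> (most specific matching network or None, is_passive)."""
    addrs, nets, active, passive = {}, [], set(), set()
    passive_default, current = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", line):
            addrs[current] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"network (\S+) (\S+) area \S+", line):
            # ip_network() treats a mask starting with 0 as a wildcard (IOS style)
            # and any other mask as a netmask (ASA style); contiguous masks only.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif line == "passive-interface default":
            passive_default = True
        elif m := re.match(r"no passive-interface (\S+)", line):
            active.add(m.group(1))
        elif m := re.match(r"passive-interface (\S+)", line):
            passive.add(m.group(1))
    report = {}
    for name, addr in addrs.items():
        best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen, default=None)
        is_passive = name in passive or (passive_default and name not in active)
        report[name] = (str(best) if best else None, is_passive)
    return report


if __name__ == "__main__":
    for name, (net, is_passive) in ospf_interface_report(OUTSIDE_ROUTER_2).items():
        print(f"{name}: network={net} passive={is_passive}")
```

An interface reported as matched but passive is still advertised into OSPF as a connected network; it just sends no hellos and forms no adjacency.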
