EIGRP - ASA - DMZ Interface

Josh Edwards
Level 4

Hello - I am trying to configure EIGRP on my ASA DMZ Interface - topology as follows:

Inside                        DMZ

3560x ------ ASA ------- 3560x

e0/1                          e0/3.501

The ASA is currently configured for EIGRP with the inside 3560x switch and passing routing updates properly.

However, the ASA will not send/receive routing updates to/from the DMZ 3560x switch - the two devices do establish an EIGRP neighbor relationship.

Any suggestions would be appreciated.

Thanks.

Josh

ASA Configuration:

!
router eigrp 600
 no auto-summary
 eigrp router-id 10.100.0.1
 network 10.50.10.0 255.255.255.0
 network NET-TOWER-TRANSIT-FW-10.100.0.0-24 255.255.255.0
 passive-interface default
 no passive-interface FW_TRANSIT
 no passive-interface DMZ_TEST
 redistribute static route-map EIGRP_REDISTRIBUTION_RMAP
!
interface Ethernet0/1
 description Internal Tower Networks
 nameif FW_TRANSIT
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!
interface Ethernet0/3
 description DMZ physical interface
 nameif DMZ_PHYSICAL
 security-level 50
 no ip address
!
interface Ethernet0/3.510
 vlan 510
 nameif DMZ_TEST
 security-level 50
 ip address 10.50.10.254 255.255.255.0
!

DMZ Switch Configuration:

!
router eigrp 600
 network 10.50.10.0 0.0.0.255
 network 10.50.11.0 0.0.0.255
 passive-interface default
 no passive-interface Vlan75
 no passive-interface Vlan510
 eigrp router-id 10.50.255.254
!
interface Vlan510
 ip address 10.50.10.1 255.255.255.0
!

4 Replies

Sudeep Valengattil
Cisco Employee

Can you try adding "no auto-summary" on the DMZ switch, to see if that resolves it.

I'm not sure about ASA/firewalls, hence not sure if I'm missing something on the ASA side.

Hi Sudeep - thanks for the suggestion - "no auto-summary" is the default on the version of IOS that I am running.

Josh Edwards
Level 4

Some additional information - the neighbor relationship is flapping - it looks like the initial relationship is established but then each device is unable to pass on any update packets - the output below shows that the Queue Count is non-zero.

On the ASA:

TOWER-FW01# sh eigrp ne
EIGRP-IPv4 neighbors for process 600
H   Address          Interface   Hold   Uptime     SRTT   RTO    Q     Seq
                                 (sec)             (ms)          Cnt   Num
1   10.50.10.1       Et0/3.510   11     00:01:14   1      5000   2     11184
0   10.100.0.253     Et0/1       11     9w0d       4      200    0     8357

On the 3560x:

TOWER-DMZ-01#sh ip eigrp ne
EIGRP-IPv4 Neighbors for AS(600)
H   Address          Interface   Hold   Uptime     SRTT   RTO    Q     Seq
                                 (sec)             (ms)          Cnt   Num
0   10.50.10.254     Vl510       14     00:00:18   1      5000   1     0

The ASA is also logging the following error:

Routing failed to locate next hop for EIGRP from identity:10.50.10.254/0 to FW_TRANSIT:10.50.10.1/0

Another clue - when trying to ping from the ASA to the 3560x I receive the following:

TOWER-FW01# ping 10.50.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.10.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

I am able to ping from the 3560x to the ASA - I don't know why I cannot ping in the other direction.
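
As an added example (not part of the thread and not Cisco code), a small Python checker that parses the "show eigrp neighbors" table from either the ASA or the 3560x and flags the two symptoms shown above: a non-zero Q Cnt (packets still awaiting acknowledgement) and a young adjacency whose RTO has backed off to 5000 ms (the signature of an adjacency that keeps resetting). The sample table is constructed from the ASA output above; the 300-second "young" threshold and the 5000 ms RTO threshold are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample input: the ASA neighbor table quoted in the thread,
# re-typed with single spaces between columns.
ASA_NEIGHBORS = """\
EIGRP-IPv4 neighbors for process 600
H   Address        Interface  Hold Uptime   SRTT RTO  Q   Seq
                              (sec)         (ms)      Cnt Num
1   10.50.10.1     Et0/3.510  11   00:01:14 1    5000 2   11184
0   10.100.0.253   Et0/1      11   9w0d     4    200  0   8357
"""

Neighbor = namedtuple("Neighbor", "handle address interface hold uptime srtt rto qcnt seq")

# One neighbor row: H, address, interface, hold, uptime, SRTT, RTO, Q cnt, seq num.
ROW = re.compile(r"^\s*(\d+)\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+)\s+(\S+)"
                 r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_neighbors(text):
    """Parse ASA or IOS 'show eigrp neighbors' output into Neighbor records."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            h, addr, intf, hold, up, srtt, rto, q, seq = m.groups()
            rows.append(Neighbor(int(h), addr, intf, int(hold), up,
                                 int(srtt), int(rto), int(q), int(seq)))
    return rows

def uptime_seconds(uptime):
    """Convert hh:mm:ss (young adjacency) or e.g. 9w0d / 1d03h to seconds."""
    m = re.fullmatch(r"(\d+):(\d+):(\d+)", uptime)
    if m:
        h, mi, s = map(int, m.groups())
        return h * 3600 + mi * 60 + s
    units = {"w": 604800, "d": 86400, "h": 3600, "m": 60}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([wdhm])", uptime))

def find_unhealthy(neighbors, young=300):
    """Flag neighbors that are not converging: non-zero Q Cnt means packets are
    still unacknowledged; a young uptime with RTO at 5000 ms means flapping."""
    findings = []
    for n in neighbors:
        if n.qcnt > 0:
            findings.append((n.address, f"Q Cnt {n.qcnt}: unacknowledged packets on {n.interface}"))
        if uptime_seconds(n.uptime) < young and n.rto >= 5000:
            findings.append((n.address, f"uptime {n.uptime}, RTO {n.rto} ms: adjacency flapping"))
    return findings
```

Run find_unhealthy(parse_neighbors(ASA_NEIGHBORS)) to get the flagged neighbors; the healthy inside neighbor 10.100.0.253 (Q Cnt 0, uptime 9w0d) produces no finding.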

Josh Edwards
Level 4

Issue is resolved in another post -

https://supportforums.cisco.com/message/3703561#3703561
