08-03-2012 10:24 AM - edited 03-07-2019 08:08 AM
Hello - I am trying to configure EIGRP on my ASA DMZ Interface - topology as follows:
      Inside      DMZ
3560x ------ ASA ------- 3560x
        e0/1     e0/3.501
The ASA is currently configured for EIGRP with the inside 3560x switch and passing routing updates properly.
However, the ASA will not send/receive routing updates to/from the DMZ 3560x switch - the two devices do establish an EIGRP neighbor relationship.
Any suggestions would be appreciated.
Thanks.
Josh
ASA Configuration:
!
router eigrp 600
 no auto-summary
 eigrp router-id 10.100.0.1
 network 10.50.10.0 255.255.255.0
 network NET-TOWER-TRANSIT-FW-10.100.0.0-24 255.255.255.0
 passive-interface default
 no passive-interface FW_TRANSIT
 no passive-interface DMZ_TEST
 redistribute static route-map EIGRP_REDISTRIBUTION_RMAP
!
interface Ethernet0/1
 description Internal Tower Networks
 nameif FW_TRANSIT
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!
interface Ethernet0/3
 description DMZ physical interface
 nameif DMZ_PHYSICAL
 security-level 50
 no ip address
!
interface Ethernet0/3.510
 vlan 510
 nameif DMZ_TEST
 security-level 50
 ip address 10.50.10.254 255.255.255.0
!
DMZ Switch Configuration:
!
router eigrp 600
 network 10.50.10.0 0.0.0.255
 network 10.50.11.0 0.0.0.255
 passive-interface default
 no passive-interface Vlan75
 no passive-interface Vlan510
 eigrp router-id 10.50.255.254
!
interface Vlan510
 ip address 10.50.10.1 255.255.255.0
!
08-03-2012 11:42 PM
Can you try adding "no auto-summary" on the DMZ switch, to see if that resolves it?
I'm not sure with ASA/firewalls, hence I'm not sure if I'm missing something on the ASA side.
08-07-2012 12:56 PM
Hi Sudeep - thanks for the suggestion - no auto-summary is default on the version of IOS that I am running.
08-07-2012 02:32 PM
Some additional information - the neighbor relationship is flapping - it looks like the initial relationship is established but then each device is unable to pass on any update packets - below shows the Queue Count is non-zero.
on the ASA:
TOWER-FW01# sh eigrp ne
EIGRP-IPv4 neighbors for process 600
H   Address         Interface    Hold   Uptime     SRTT   RTO    Q     Seq
                                 (sec)             (ms)          Cnt   Num
1   10.50.10.1      Et0/3.510    11     00:01:14   1      5000   2     11184
0   10.100.0.253    Et0/1        11     9w0d       4      200    0     8357
on the 3560x:
TOWER-DMZ-01#sh ip eigrp ne
EIGRP-IPv4 Neighbors for AS(600)
H   Address         Interface    Hold   Uptime     SRTT   RTO    Q     Seq
                                 (sec)             (ms)          Cnt   Num
0   10.50.10.254    Vl510        14     00:00:18   1      5000   1     0
The ASA is also logging the following error:
Routing failed to locate next hop fro EIGRP from identity:10.50.10.254/0 to FW_TRANSIT:10.50.10.1/0
Another clue - when trying to ping from the ASA to the 3560x I receive the following:
TOWER-FW01# ping 10.50.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.10.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
I am able to ping from the 3560x to the ASA - I don't know why I cannot ping in the other direction
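An added example, not part of the original post: a small parser for the `show eigrp neighbors` tables above that flags neighbors which formed recently and still have packets queued (non-zero Q Cnt), the symptom described in this post. The function names and the 300-second uptime threshold are assumptions made for illustration.

```python
import re

# Sample input: the two neighbor tables posted in this thread, as captured.
ASA_OUTPUT = """\
EIGRP-IPv4 neighbors for process 600
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.50.10.1 Et0/3.510 11 00:01:14 1 5000 2 11184
0 10.100.0.253 Et0/1 11 9w0d 4 200 0 8357
"""
SWITCH_OUTPUT = """\
EIGRP-IPv4 Neighbors for AS(600)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.50.10.254 Vl510 14 00:00:18 1 5000 1 0
"""

# One neighbor row: H, address, interface, hold, uptime, SRTT, RTO, Q Cnt, Seq Num.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)\s+(\S+)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

def uptime_seconds(text):
    """Convert an uptime field ('00:01:14', '9w0d', '1d02h') to seconds."""
    if ":" in text:
        h, m, s = (int(p) for p in text.split(":"))
        return h * 3600 + m * 60 + s
    units = {"y": 31536000, "w": 604800, "d": 86400, "h": 3600}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([ywdh])", text))

def parse_neighbors(output):
    """Return one dict per neighbor row; banner and header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            h, addr, intf, hold, up, srtt, rto, q, seq = m.groups()
            rows.append({"address": addr, "interface": intf,
                         "uptime": uptime_seconds(up), "rto": int(rto),
                         "q_cnt": int(q), "seq": int(seq)})
    return rows

def stuck_neighbors(output, max_uptime=300):
    """Neighbors that (re)formed recently and still have packets queued.
    max_uptime is an assumed threshold, not a vendor-defined value."""
    return [n["address"] for n in parse_neighbors(output)
            if n["q_cnt"] > 0 and n["uptime"] < max_uptime]

if __name__ == "__main__":
    for name, out in (("ASA", ASA_OUTPUT), ("3560x", SWITCH_OUTPUT)):
        print(name, stuck_neighbors(out))
```

Run against both devices, it reports only the DMZ adjacency on each side; the long-lived inside neighbor with Q Cnt 0 is not flagged.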
08-14-2012 11:19 AM
Issue is resolved in another post -