Solved: Re: EIGRP relationship

Maurice Ball · ‎05-10-2013

I am having issues running the eigrp routing protocol between my router and ASA firewall. The relationship between the two devices keeps resetting every 5 minutes. I can not determine what is causing the problem. The relationship between the other eigrp neighbors that are connected to the router is working fine. Any help would be greatly appreciated.

Note: The firewall is configured in a failover cluster.

EIGRP-IPv4 Neighbors for AS(10)

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 10.21.10.5 Gi0/0 14 00:02:57 1 100 0 939162

4 10.10.17.3 Tu10 14 01:17:05 21 132 0 2570

3 10.21.118.100 Gi0/0 12 01:17:17 1 100 0 16310

2 10.21.81.101 Gi0/0 14 01:17:17 1 100 0 13111

1 10.21.84.10 Gi0/0 14 01:17:17 1 100 0 208135

paul driver · ‎05-10-2013

Hello

I see that you have auto-summarisation enabled on the router and disabled on the ASA.

Depending on what IOS train your are using - any neighbor change would be logged - under the eigrp process of the router

router eigrp xx

eigrp log-neighbor-change

no auto-summary

Then can you post these logs of the neighbor resetting?

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

paulstone80 · ‎05-10-2013

Hi,

How have you got the neighborship configured? Have you set the neighbors statically or are you using dynamic neighbor discovery?

Are you using authentication at all?

HTH

Paul

****Please rate useful posts****

HTH Paul ****Please rate useful posts****

Maurice Ball · ‎05-10-2013

No, authentication.

eigrp config on router

router eigrp 10

network 10.0.0.0

passive-interface default

no passive-interface Tunnel10

no passive-interface GigabitEthernet0/0

eirgp config on ASA

router eigrp 10

no auto-summary

network 10.0.0.0 255.0.0.0

redistribute connected

redistribute static

paulstone80 · ‎05-10-2013

Hi Maurice,

Your network statement on the ASA should be using a wildcard mask.

HTH

Paul

****Please rate useful posts****

HTH Paul ****Please rate useful posts****

Maurice Ball · ‎05-10-2013

Yes, that is what i was thinking but the ASA allows only the following:

fw01# config t

fw01(config)# rout

fw01(config)# router eigrp 10

fw01(config-router)# net

fw01(config-router)# network 10.2.8.8 ?

router mode commands/options:

Hostname or A.B.C.D Mask for network address

eidfw01(config-router)# network 10.2.8.8

paulstone80 · ‎05-10-2013

Does it not allow network 10.0.0.0 0.0.0.255 ??

HTH

Paul

****Please rate useful posts****

HTH Paul ****Please rate useful posts****

paulstone80 · ‎05-10-2013

Sorry, I meant network 10.0.0.0 0.255.255.255

HTH

Paul

****Please rate useful posts****

HTH Paul ****Please rate useful posts****

Maurice Ball · ‎05-10-2013

The ASA requires a network mask not a wild card mask.

Hostname or A.B.C.D Mask for network address

fw01(config)# router eigrp 10

fw01(config-router)# net

fw01(config-router)# network 10.0.0.0 0.255.255.255

% EIGRP: Invalid mask (discontiguous)

paul driver · ‎05-10-2013

Hello

I see that you have auto-summarisation enabled on the router and disabled on the ASA.

Depending on what IOS train your are using - any neighbor change would be logged - under the eigrp process of the router

router eigrp xx

eigrp log-neighbor-change

no auto-summary

Then can you post these logs of the neighbor resetting?

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Maurice Ball · ‎05-10-2013

ok thanks I will add it.

Maurice Ball · ‎05-11-2013

I've noticed that when I ping EIGRP multicast address 224.0.0.10. I get a reply from all of the eigrp devices except for the firewall.

eiddmvpn#ping 224.0.0.10

Type escape sequence to abort.

Sending 1, 100-byte ICMP Echos to 224.0.0.10, timeout is 2 seconds:

Reply to request 0 from 10.2.8.10, 4 ms

Reply to request 0 from 10.0.117.3, 28 ms

Reply to request 0 from sw (10.2.8.100), 4 ms

Reply to request 0 from sw2 (10.2.8.101), 4 ms

The firewall address is: 10.2.8.5

When I ping the multicast address from the firewall there are no replies received.

Could this be what is causing the problem?

paul driver · ‎05-11-2013

can you clarify first if your eigrp relationship.is now working ?

then can you clarify the configuration of the inside interface pointing to the router on the asa - should be something like:

int xx
nameif inside
security level 100
ip address 10.x.x.x y.y.y

also do.you have any acls defined?

res
paul

Sent from Cisco Technical Support Android App

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Maurice Ball · ‎05-11-2013

firewall interface:

interface Port-channel1.18

vlan 80

nameif inside

security-level 50

ip address 10.2.8.5 255.255.255.0 standby 10.2.8.6

Router interface:

interface GigabitEthernet0/0

description Linknet

ip address 10.2.8.8 255.255.255.0