10-28-2011 03:27 AM - edited 03-07-2019 03:06 AM
Hi, community. I have strange problem between Cisco ASA 5510 with 8.4.2 and Cisco 3825 with IOS 15.0(1)M7 (same with 12.4(15)T15).
asa# sh eigrp neighbors
EIGRP-IPv4 neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.27.6.3 Et0/0 14 00:00:14 1 5000 2 66099
As you can see here two routes in the queue always.
Here is debug eigrp packets update:
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 2, RTO 4500 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 3, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 4, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 5, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 6, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 7, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 8, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 9, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 10, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 11, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 12, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 13, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 14, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 15, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 16, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Enqueueing UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0 iidbQ un/rely 0/1 peerQ un/rely 0/0
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0
AS 65536, Flags 0x1, Seq 6257/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/1
EIGRP: Enqueueing UPDATE on Ethernet0/0 topoid 0 iidbQ un/rely 0/1 serno 1-1
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/1 peerQ un/rely 0/1
EIGRP: Enqueueing UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 1-1
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 1, RTO 3000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 2, RTO 4500 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 3, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 4, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 5, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 6, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 7, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 8, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 9, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 10, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 11, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 12, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 13, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 14, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 15, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 16, RTO 5000 topoid 0
AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
sh EIGRP: Enqueueing UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0 iidbQ un/rely 0/1 peerQ un/rely 0/0
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
AS 65536, Flags 0x1, Seq 66099/0 interfaceQ 255/255 iidbQ un/rely 0/1 peerQ un/rely 0/0
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0
AS 65536, Flags 0x1, Seq 6259/66099 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/1
EIGRP: Enqueueing UPDATE on Ethernet0/0 topoid 0 iidbQ un/rely 0/1 serno 1-1
EIGRP: Enqueueing UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 1-1
On the other side (3825) output looks like this:
3825#sh ip eigrp neighbors G0/0.660
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
35 10.27.6.1 Gi0/0.660 11 00:00:25 1 5000 1 0
3825#sh ip eigrp interfaces G0/0.660
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Gi0/0.660 1 0/0 0 0/1 50 276
And debug "eigrp packet update" shows this:
t 28 10:15:40.726: AS 1, Flags 0x0:(NULL), Seq 0/66108 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:15:42.002: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 2, RTO 4500 tid 0
Oct 28 10:15:42.002: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:15:46.502: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 3, RTO 5000 tid 0
Oct 28 10:15:46.502: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:15:51.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 4, RTO 5000 tid 0
Oct 28 10:15:51.503: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:15:56.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 5, RTO 5000 tid 0
Oct 28 10:15:56.503: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:16:01.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 6, RTO 5000 tid 0
Oct 28 10:16:01.503: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:16:06.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 7, RTO 5000 tid 0
Oct 28 10:16:06.503: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:16:11.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 8, RTO 5000 tid 0
Oct 28 10:16:11.503: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:16:16.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 9, RTO 5000 tid 0
Oct 28 10:16:16.503: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:16:21.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 10, RTO 5000 tid 0
Oct 28 10:16:21.503: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 1/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:16:26.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 11, RTO 5000 tid 0
Oct 28 10:16:26.503: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 10:16:31.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 12, RTO 5000 tid 0
Oct 28 10:16:31.503: AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
Oct 28 21:16:56 KHB: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.27.6.1 (GigabitEthernet0/0.660) is down: Interface PEER-TERMINATION received
Oct 28 21:16:57 KHB: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.27.6.1 (GigabitEthernet0/0.660) is up: new adjacency
Oct 28 21:18:16 KHB: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.27.6.1 (GigabitEthernet0/0.660) is down: Interface PEER-TERMINATION received
Oct 28 21:18:20 KHB: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.27.6.1 (GigabitEthernet0/0.660) is up: new adjacency
From router I can ping ASA:
3825#ping 10.27.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.27.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
BUT I CAN'T FROM ASA! That's strange because there is no control-plane access-lists.
asa# ping 10.27.6.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.27.6.3, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
There is only 3750G switch between them. No kind of VACL or mac address-lists configured on facing ports.
Interesting that I have another pair of 3825-asa with similar configuration plugged into the same switch in another vlan between them and they have no such issue.
Please suggest that to check? How to troubleshoot? Troubleshooting steps?
Another question is regarding debug output on ASA. Why I can see there AS65536 although my AS is 1?
11-03-2011 04:29 AM
Can you post your eigrp and interface config from both devices?
11-03-2011 04:58 AM
Hi
Is the ASA a brand new one? or has it been in productino for sometime. When did you start noticing these alarms.?
What changes were done prior to seeing these alarms?
Maybe its a bug or something. Maybe try to remove the config and put it back again on the ASA. Have you tried to reload the box?
Also, in my honest opinion try avoiding to use the AS number like 1 or far end. Try something in the middle.
HTH
Kishore
11-03-2011 05:26 AM
Hi, All!
ASA was brand new device. This devices was placed to production network, so another AS number can't be used. There is no problem with eigrp configuration I think, devices was already restarted several times, although here is configuration:
ASA:
sh running-config router eigrp
!
router eigrp 1
no auto-summary
network 10.27.6.0 255.255.255.0
passive-interface default
no passive-interface inside
redistribute static metric 100000 1000 255 1 1514 route-map REDIST_RRI_RMAP
!
3825:
router eigrp 1
distribute-list route-map EIGRP_FILTER_BGP_RMAP in GigabitEthernet0/0.167
distribute-list prefix valid_regional_routes in Tunnel98
default-metric 100000 1000 255 1 1514
network 10.0.8.0 0.0.3.255
network 10.16.0.0 0.15.255.255
network 10.27.2.0 0.0.0.255
network 10.27.3.64 0.0.0.63
network 10.27.6.0 0.0.0.255
network 10.156.0.0 0.0.255.255
network 172.16.248.0 0.0.3.255
redistribute bgp 65535 route-map REDIST_BGP_TAG_RMAP
redistribute rip
offset-list EIGRP_OFFCET_ACL in 15000000 GigabitEthernet0/0.167
passive-interface default
no passive-interface Tunnel98
no passive-interface GigabitEthernet0/0.167
no passive-interface GigabitEthernet0/0.660
11-03-2011 05:36 AM
Hi,
Can you post the config of ASA for the trunk to 3825 and for the ACLs applied inbound or outbound on inside interface.
Is there a switch in betwenn and if so post config of the switch also
Regards.
Alain.
11-03-2011 05:53 AM
sw-01#sh vlan id 660
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
660 ASA2_Inside active Gi1/0/20, Gi2/0/2
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
660 enet 100660 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
sw-01#sh run int Gi1/0/20
Building configuration...
Current configuration : 271 bytes
!
interface GigabitEthernet1/0/20
description *** to G0/0 CO2 ***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 167,300,507,537,660,666,702,737
switchport mode trunk
rmon collection history 10120 owner campusmanager buckets 10 interval 300
end
sw-01#sh run int Gi2/0/2
Building configuration...
Current configuration : 105 bytes
!
interface GigabitEthernet2/0/2
description *** asa-02 Inside ***
switchport access vlan 660
end
sh running-config interface E0/0
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.27.6.1 255.255.255.0
Here is ACLs:
access-list inside_access_in extended permit ip object PROXY_INT any
access-list inside_access_in extended permit ip object CLC_RT_02_INT any
access-list inside_access_in extended permit ip object-group RFC1918 object REGION_NETS
access-list inside_access_in extended permit ip object DC01_INT any
access-list inside_access_in extended permit ip object DC02_INT any
access-list inside_access_in extended permit ip object KHB-NOC_INT any
access-list inside_access_in extended permit tcp object REGION_NETS object shop object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit tcp object REGION_NETS object shop eq ftp
access-list inside_access_in extended permit tcp object-group IT_PCs_INT any eq ssh
access-list inside_access_in extended permit tcp object-group IT_PCs_INT any eq telnet
access-list inside_access_in extended permit object HTTP object-group IT_Priv_INT any
access-list inside_access_in extended permit object HTTPS object-group IT_Priv_INT any
access-list inside_access_in extended permit tcp object REGION_NETS object-group SB_EXT eq https
access-list inside_access_in extended permit tcp object REGION_NETS object-group SB_EXT object-group SBER_PORT_667
access-list inside_access_in extended permit object SBER_PORT_670 object REGION_NETS object-group SB_EXT
access-list inside_access_in extended permit object RADMIN object-group IT_PCs_INT any
access-list inside_access_in extended permit object SBER_PORT_666 object REGION_NETS object-group SB_EXT
access-list inside_access_in extended permit ip object REGION_NETS object VPN.mrdv.
access-list inside_access_in extended deny ip object ROZN_Nets object-group RUSSTANDART_EXT
access-list inside_access_in extended permit ip object REGION_NETS object-group RUSSTANDART_EXT
access-list inside_access_in extended permit object RDP object-group IT_PCs_INT any
access-list inside_access_in extended permit object VNC object-group IT_PCs_INT any
access-list inside_access_in extended permit tcp object REGION_NETS object SBERBANK_BONUS eq 10443
access-list inside_access_in extended permit ip object WIFI_GUEST any
access-list global_access extended permit icmp object REGION_NETS any
access-list global_access extended permit ip object REGION_NETS object-group RFC1918
11-03-2011 06:01 AM
Hi,
on your switch is interface GigabitEthernet1/0/20 connected to the router?
You configured this switchport as a trunk link but in the show vlan output it appears so it can't be a trunk port but an access port.
Can you provide sh int g1/0/20 switchport output.
Regards.
Alain.
11-03-2011 06:11 AM
Yes, it connected to the router and it is in trunk mode.
It was already posted...
Once again:
sw-01#sh run int Gi1/0/20
Building configuration...
Current configuration : 271 bytes
!
interface GigabitEthernet1/0/20
description *** to G0/0 CO2 ***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 167,300,507,537,660,666,702,737
switchport mode trunk
rmon collection history 10120 owner campusmanager buckets 10 interval 300
end
As I already said it is ok since another pair or 3825 - asa is working with almost same config thoriugth this switch, but in another vlan.
11-03-2011 06:24 AM
Hi,
Yes it is configured as a trunk but is it a trunk ? Because in the show vlan output only access ports should be appearing not trunk ports so could you verify it is indeed a trunk with the sh interface trunk command or sh interface g1/0/20 switchport.
Alain.
11-03-2011 06:27 AM
Alain, you are wrong. "show vlan" shows only access-ports, "show vlan id" show all associated ports.
sw-01#sh interface g1/0/20 switchport
Name: Gi1/0/20
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 167,300,507,537,660,666,702,737
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
11-03-2011 06:31 AM
Hi Eugene,
So much for me. I had never noticed it before , thanks for the info.
So let's peek again at your problem
Regards.
Alain.
11-03-2011 06:28 AM
First thing that I see is that you have auto summarization on on your 3825 and it's turned off on your ASA....
John
11-03-2011 06:31 AM
John, you are wrong. In 15.0 IOS no auto-summary is a default and not displayed in configuration. BTW it will not prevent routes exchange between peers. Although thank you for notice.
11-03-2011 06:52 AM
Hi,
Can you do a SPAN session to mirror traffic on the interface connected to ASA and another one for traffic on the interface going to router.
Alain.
11-03-2011 06:55 AM
Hi! It is very problematic since it is very remote site and moreover there is only one server with virtual machines on that.
UPDATE: But I was able to make packet capture on ASA itself. Here is results:
118 packets captured 1: 00:01:57.403284 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 2: 00:01:57.492619 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 3: 00:01:58.123147 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 4: 00:02:02.191182 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 5: 00:02:02.402338 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 6: 00:02:03.123269 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 7: 00:02:07.102045 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 8: 00:02:07.131005 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 9: 00:02:08.123345 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 10: 00:02:11.755042 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 11: 00:02:12.041745 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 12: 00:02:13.123437 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 13: 00:02:16.335172 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 14: 00:02:16.801411 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 15: 00:02:18.123513 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 16: 00:02:20.907255 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 17: 00:02:21.291153 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 18: 00:02:23.123544 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 19: 00:02:25.219303 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 20: 00:02:26.050885 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 21: 00:02:28.123696 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 22: 00:02:30.011397 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 23: 00:02:30.840532 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 24: 00:02:33.123788 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 25: 00:02:34.723488 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 26: 00:02:35.214283 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 27: 00:02:38.123879 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 28: 00:02:39.107568 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 29: 00:02:39.500019 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 30: 00:02:43.124032 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 31: 00:02:43.967677 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 32: 00:02:44.089762 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 33: 00:02:48.124062 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 34: 00:02:48.403802 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 35: 00:02:48.889434 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 36: 00:02:52.747809 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 37: 00:02:53.124169 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 38: 00:02:53.389170 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 39: 00:02:57.559892 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 40: 00:02:58.124276 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 41: 00:02:58.358868 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 42: 00:03:02.500141 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 43: 00:03:03.008605 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 44: 00:03:03.118600 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 45: 00:03:06.777807 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 46: 00:03:06.778524 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 47: 00:03:06.780477 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 48: 00:03:06.784245 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 49: 00:03:08.784444 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 50: 00:03:11.604445 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 51: 00:03:11.638059 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 52: 00:03:11.784474 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 53: 00:03:16.207798 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 54: 00:03:16.284592 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 55: 00:03:16.580490 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 56: 00:03:20.597503 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 57: 00:03:21.284653 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 58: 00:03:21.564637 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 59: 00:03:25.157248 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 60: 00:03:26.208744 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 61: 00:03:26.284790 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 62: 00:03:29.466955 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 63: 00:03:30.672542 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 64: 00:03:31.284851 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 65: 00:03:33.736686 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 66: 00:03:35.344678 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 67: 00:03:36.284958 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 68: 00:03:38.106455 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 69: 00:03:40.152717 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 70: 00:03:41.285263 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 71: 00:03:43.046155 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 72: 00:03:44.777623 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 73: 00:03:46.285126 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 74: 00:03:47.485860 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 75: 00:03:49.752860 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 76: 00:03:51.285202 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 77: 00:03:52.125588 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 78: 00:03:54.408960 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 79: 00:03:56.285416 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 80: 00:03:56.585296 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 81: 00:03:58.701044 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 82: 00:04:01.235034 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 83: 00:04:01.285477 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 84: 00:04:03.129128 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 85: 00:04:05.964687 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 86: 00:04:06.285522 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 87: 00:04:07.493199 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 88: 00:04:10.314467 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 89: 00:04:11.285660 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 90: 00:04:12.137322 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 91: 00:04:14.964137 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 92: 00:04:16.285721 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 93: 00:04:16.973384 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 94: 00:04:19.533877 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 95: 00:04:21.285812 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 96: 00:04:21.825427 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 97: 00:04:23.973597 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 98: 00:04:26.273499 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 99: 00:04:26.365581 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 100: 00:04:26.366283 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 101: 00:04:26.369838 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 102: 00:04:26.373698 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 103: 00:04:28.374080 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 104: 00:04:30.863190 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 105: 00:04:30.885909 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 106: 00:04:31.373988 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 107: 00:04:35.361965 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 108: 00:04:35.822879 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 109: 00:04:35.874085 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 110: 00:04:39.766073 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 111: 00:04:40.122659 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 112: 00:04:40.874115 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 113: 00:04:44.050214 10.27.6.3 > 224.0.0.10: ip-proto-88, length 52 114: 00:04:45.062374 10.27.6.1 > 224.0.0.10: ip-proto-88, length 52 115: 00:04:45.874207 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 116: 00:04:48.577973 10.27.6.3 > 224.0.0.10: ip-proto-88, length 40 117: 00:04:49.362072 10.27.6.1 > 224.0.0.10: ip-proto-88, length 40 118: 00:04:50.874313 10.27.6.3 > 10.27.6.1: ip-proto-88, length 20 118 packets shown
UPDATE2:
Almost the same situation with 3825. I performed embeded packet capture and it also recieves hello messages, sends hello, sends updates, but here is no updates recieved!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide