11-13-2009 03:03 AM - edited 03-06-2019 08:35 AM
Hi All,
I'm hoping someone can help with a routing issue I have between a pair of Nexus 7000 switches and a Cisco ASA Firewall.
We have an MPLS WAN linking two sites but have created a backup VPN tunnel in case of failure. Last night there was a failure but there were issues with routing. Below is the topology between the sites for the backup:
NX7K <-> ASA <-> INTERNET(VPN) <-> ASA <-> Cat6500
On the Cat6500 the summary subnet is 10.10.0.0/16 and on the NX7K is 10.20.0.0/16 (fakes). Under normal circumstances traffic will route over the MPLS using a route picked up via OSPF. I've added a static route at each end pointing to the ASA with a metric of 200 so it will be ignored. If the MPLS goes down the OSPF route disappears and so the static route appears.
On the Cat6500 side the routing works fine and traffic goes to the firewall and then over the VPN tunnel. However on the NX7K side traffic seems to get stuck in a loop between the NX7K and the ASA. When I checked the ASA on the NX7K side I could see it was picking up the OSPF route for the other side from the NX7K, which would explain the loop. When I check the ASA on the Cat6500 side I do not see the route to the other side, which is why there isn't a problem. The Cat6500 is definitely redistributing the static route but the ASA seems to be clever enough to ignore it. However, on the NX7K side it's not ignoring it which means we can't send traffic over the tunnel.
What do I need to do to make the ASA ignore the redistributed static routes from the NX7K that point to it? Any help would be much appreciated!
Craig
11-13-2009 03:08 AM
Are you running OSPF as well on the ASAs?
11-13-2009 03:10 AM
Yes, OSPF is running on the Cat6500, NX7K and ASA Firewalls.
11-13-2009 03:13 AM
"I've added a static route at each end pointing to the ASA with a metric of 200 so it will be ignored. If the MPLS goes down the OSPF route disappears and so the static route appears"
According to your statement above you are running OSPF on all devices but you also have a static route to the ASAs! If OSPF is enabled there is no need for a static route with a higher metric of 200. You just have to cost your links (OSPF cost) and OSPF will detect a failure and route accordingly.
11-13-2009 03:51 AM
I see what you're saying but I'd still need to have a static route in the ASA firewalls anyway to be picked up by the switches.
What I'm more interested in is why it works for the Cat6500 but not the NX7K.
11-13-2009 04:07 AM
do you have configs?
11-13-2009 04:39 AM
I've pasted the relevant parts below (with fake IPs):
NX7K #1:
ip prefix-list static-advs seq 10 permit 10.10.0.0/16
route-map static-to-ospf permit 10
  match ip address prefix-list static-advs
router ospf 144
  router-id 10.20.255.1
  redistribute static route-map static-to-ospf
  log-adjacency-changes
  summary-address 10.20.0.0/16
  auto-cost reference-bandwidth 10000
ip route 10.10.0.0/16 10.20.20.254 200

NX7K #2:
ip prefix-list static-advs seq 10 permit 10.10.0.0/16
route-map static-to-ospf permit 10
  match ip address prefix-list static-advs
router ospf 144
  router-id 10.20.255.2
  redistribute static route-map static-to-ospf
  log-adjacency-changes
  summary-address 10.20.0.0/16
  auto-cost reference-bandwidth 10000
ip route 10.10.0.0/16 10.20.20.254 200

ASA:
router ospf 1
  router-id 10.20.20.254
  network 10.20.20.0 255.255.255.0 area 0
  area 0
  log-adj-changes
  redistribute connected subnets route-map CONN->OSPF
  redistribute static subnets

--- THE OTHER SIDE ---

Cat6500 #1:
router ospf 1
  router-id 192.168.90.3
  log-adjacency-changes
  auto-cost reference-bandwidth 10000
  nsf
  redistribute static subnets route-map static-to-ospf
route-map static-to-ospf permit 10
  match ip address static-advs
ip access-list standard static-advs
  permit 10.20.0.0 0.0.255.255
ip route 10.20.0.0 255.255.0.0 10.10.10.254 200

Cat6500 #2:
router ospf 1
  router-id 192.168.90.4
  log-adjacency-changes
  auto-cost reference-bandwidth 10000
  nsf
  redistribute static subnets route-map static-to-ospf
route-map static-to-ospf permit 10
  match ip address static-advs
ip access-list standard static-advs
  permit 10.20.0.0 0.0.255.255
ip route 10.20.0.0 255.255.0.0 10.10.10.254 200

ASA:
router ospf 1
  router-id 10.10.10.254
  network 10.10.10.0 255.255.255.0 area 0
  log-adj-changes
  redistribute connected subnets route-map CONN->OSPF
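The loop Craig describes comes from how a Cisco RIB selects routes: longest prefix wins first, and administrative distance only breaks ties between equal-length prefixes, so the AD 200 on the NX7K floating static gives the ASA no protection once that static is redistributed back to it as an OSPF external /16. The model below is an added example (not configuration from the thread); it assumes the NX7K-side ASA reaches the VPN peer only via a default route, and `asa_filters_nx7k_external` stands for any mechanism that keeps the NX7K-originated external route out of the ASA's RIB.

```python
import ipaddress

# Each RIB entry: (prefix, administrative_distance, next_hop). A next hop that
# is not itself a modelled device (MPLS, INTERNET) means the packet has left
# the modelled topology, i.e. it is delivered.
def best_route(rib, dst):
    """Longest-prefix match first; administrative distance only breaks ties
    between prefixes of equal length, as a Cisco RIB does."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in rib if addr in ipaddress.ip_network(r[0])]
    if not cands:
        return None
    return max(cands, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[1]))

def trace(ribs, start, dst):
    """Follow next hops device by device and report the outcome."""
    path, dev = [start], start
    while dev in ribs:
        route = best_route(ribs[dev], dst)
        if route is None:
            return path, "no route"
        nh = route[2]
        if nh in path:
            return path + [nh], "loop"
        path.append(nh)
        dev = nh
    return path, "delivered"

def build_ribs(mpls_up, asa_filters_nx7k_external):
    """Constructed RIBs for the NX7K and its local ASA (prefixes from the thread)."""
    nx7k = [("10.10.0.0/16", 200, "ASA")]           # floating static, AD 200
    if mpls_up:
        nx7k.append(("10.10.0.0/16", 110, "MPLS"))   # OSPF route wins on AD
    # Assumption: the ASA's only path toward the VPN peer is its default route.
    asa = [("0.0.0.0/0", 1, "INTERNET")]
    if not mpls_up and not asa_filters_nx7k_external:
        # The NX7K redistributes the now-active static and the ASA learns it
        # back as an OSPF external /16 whose next hop is the NX7K: the more
        # specific prefix beats the default route regardless of AD.
        asa.append(("10.10.0.0/16", 110, "NX7K"))
    return {"NX7K": nx7k, "ASA": asa}

if __name__ == "__main__":
    for mpls, flt in ((True, False), (False, False), (False, True)):
        print(f"mpls_up={mpls} filtered={flt}:",
              trace(build_ribs(mpls, flt), "NX7K", "10.10.5.1"))
```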
11-13-2009 05:35 AM
I have never worked with the NX7K but with dynamic routing enabled on the ASA, the NX7K should be aware of 10.10.0.0/16 from its local connected OSPF neighbor (ASA) via the IPsec tunnel (no need for the static route with metric 200) since both ASAs are OSPF neighbors! You just have a default route to the local ASA on both sides. Once OSPF is up, you just need to cost your links to make the IPsec tunnel less preferred!
See this example, except with no redundant path. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml
In fact I am going to lab this tonight, get both IPsec & MPLS going and test. Will let you know the outcome.
11-13-2009 06:54 AM
For some reason I never considered passing the OSPF routing over the VPN tunnel. It's certainly given me food for thought so I'm going to go away and test from my end as well. Thanks for your help.