Dear All,
I have two new ASA 5515s running IOS version 9.2(2)4. I have set up a VPN tunnel, and it is established.
Firewall A:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 37.78.67.67
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Firewall B:
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 187.114.235.253
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Then I configured OSPF on both firewalls, and the OSPF neighbors see each other:
Firewall A:
Neighbor ID Pri State Dead Time Address Interface
37.98.67.67 0 FULL/ - 0:00:39 37.98.67.67 outside
router ospf 113
router-id 187.114.235.253
network 37.98.67.64 255.255.255.248 area 113
network 172.26.146.0 255.255.255.0 area 113
network 187.114.235.248 255.255.255.248 area 113
area 113 authentication
neighbor 37.98.67.67 interface outside
log-adj-changes
redistribute connected subnets
redistribute static subnets
distribute-list ospf out static
Firewall B:
Neighbor ID Pri State Dead Time Address Interface
187.114.235.253 1 FULL/ - 0:00:38 187.114.235.253 outside
router ospf 113
router-id 37.98.67.67
network 37.98.67.64 255.255.255.248 area 113
network 172.26.0.0 255.255.252.0 area 113
network 187.114.235.248 255.255.255.248 area 113
area 113 authentication
neighbor 187.114.235.253 interface outside
log-adj-changes
redistribute connected subnets
redistribute static subnets
If I try to add some static routes on both firewalls, I can see the new route in the OSPF database, but not in the routing table.
I turned on OSPF debugging, and I got this error:
OSPF-RIB-GLOBAL: Skip path for X.X.X.X not on subnet of outside
What does it mean?
I have the same config on two 5505s running IOS 8.4, and it works well, without any error.
Best regards,
Igor.