ASA5525-- Please explain correct Anyconnect integration with EIGRP?

Hello.

GIVEN:

In the enterprise at three different locations, there exist three ASA5525s that execute three DIFFERENT Anyconnect instances. Each of these devices is directly connected to a layer-3 switch that is the source of ALL branch-local EIGRP redistributed static routes. RELEVANT: Each of these layer-3 devices has an EIGRP redistributed static route for its neighboring ASA Anyconnect subnet.

On at least one distant routing device, when a worker connects through Anyconnect to the LAN, I notice new /32 (AD = 90) EIGRP routes to his circuit propagated through the enterprise routing devices. These disappear when he logs off.

I also notice EIGRP static redistributed routes (AD=170) from the other Anyconnect subnets. (There may be more than one misconfiguration in this routing architecture.)

---

-I suspect this routing architecture is incorrect. I suspect the correct architecture is to remove these static routes, and instead create directly on each ASA some kind of vanilla EIGRP summary route (AD=90) to its anyconnect subnet.

May you please advise on best/correct way to configure routing for an anyconnect subnet? May you please provide a sample config?

Thank you.


26 Replies

Hi Rob.

"redistribute static metric 500000 1 255 1 1500 << this is redistributing the VPN routes."

So, you are suggesting to remove the above command. RELEVANT: Currently there exists many enterprise VERY CRITICAL static routes in this ASA.

OK, it is true that most of the datacenter routes are installed and propagated from the adjacent layer-3 Nexus switch. It seems to me that a remediation for this situation, that would result in zero network downtime, is to...

1. install (logically copy/paste, though syntax may be different) the existing ASA static routes into the adjacent Nexus, and confirm this configuration is redistributing these static routes throughout the network.

2. Remove the troublesome configuration "redistribute static metric 500000 1 255 1 1500" from the ASA.

3. install previously recommended ASA configuration.

Now, I need to be 100% sure that the above strategy will work, or else this financial enterprise will totally crash. So may you please answer below...

QUESTIONS:

1. When two devices are propagating portions of identical EIGRP routing information, how do the downstream routers handle the redundant routing information?

2. If one of two devices stops propagating its portion of this identical EIGRP routing information, what are the results on the downstream routers' routing tables?

3. If only the information you have thus far was complete information, would the execution of above strategy result in zero downtime on this network?

Thank you.

Hi Rob.

Configuring Static Routing (cisco.com)

Syntax-- I am applying this config on the ASA-adjacent device, a Nexus9300 running NX-OS...

---

no ip route 172.16.77.0/24 172.16.1.15

ip route 172.16.77.0/24 null 0 172.16.1.15

---

May you please confirm the above syntax is correct?

Thank you.


@jmaxwellUSAF no that doesn't seem right. I thought the intention was to redistribute the anyconnect route from the ASA to the adjacent devices? Therefore I'd expect the null route (in addition to the other configuration) to be defined on the ASA not the nexus. If 172.16.77.0/24 is the anyconnect network and you define the route above on the nexus switch I imagine (as I do not have a complete understanding of your network) that you'd blackhole your anyconnect user traffic.

I want to host all routing configs on the adjacent Nexus. Will below config work? If not, why not?

(obfuscated)

(Anyconnect subnet is 172.16.77.0/24)
(Existing route maps not shown)

Nexus9300_pri
...
conf t
no ip route 172.16.77.0/24 172.16.1.15
ip route 172.16.77.0/24 null 0 172.16.1.15  !! IS SYNTAX CORRECT? !!
exit

!! confirm new route in config !!
show run | i route
---

conf t
ip prefix-list STAT-TO-EIGRP permit 10.128.5.0/21
ip prefix-list STAT-TO-EIGRP permit 10.128.6.0/22
ip prefix-list STAT-TO-EIGRP permit 10.128.7.0/22
---

!! confirm successful list execution. !!...
show ip prefix-list STAT-TO-EIGRP
=====

!! (DO SAME CONFIG AS ABOVE ON SECONDARY NEXUS) !!
=====

ASA5525_pri
...
conf t
no redistribute static metric 500000 1 255 1 1500
======

VALIDATION

Confirm from other devices that routes are redistributing through Nexus’

(Other device-1)
sh ip eigrp topology 10.128.5.0/21 !! Confirm originating routing device is Nexus !!
sh ip route !! confirm at least a few routes from above prefix list are now in route table. !!
---

TASK COMPLETE

(Bump previous query--"I want to host all routing configs on the adjacent Nexus. Will below config work? If not, why not?")

@jmaxwellUSAF your configuration implies you already have a route to the anyconnect network on your nexus ("no ip route 172.16.77.0/24 172.16.1.15") - do not delete it, redistribute it. Removing that route and adding a route to null0 on the nexus is going to blackhole the traffic on the nexus and not route it to the ASA.


If I intend to solve the unwanted flapping of Anyconnect /32 routes as users log in and out, must I configure a Null0 route on exactly the ASA and then redistribute that?

I cannot solve this through a config only on the adjacent Nexus that is the source of almost all the network's redistributed static routes?

Hi Rob.

"Your configuration implies you already have a route to the anyconnect network on your nexus already "no ip route 172.16.77.0/24 172.16.1.15" - do not delete it, redistribute it. Removing that route and adding a route to null0 on the nexus is going to blackhole the traffic on the nexus and not route it to the ASA."

but you say...

"Therefore I'd expect the null route (in addition to the other configuration) to be defined on the ASA not the nexus."

QUESTIONS:

1. So then, if I intend to solve the unwanted flapping of Anyconnect /32 routes as users log in and out, must I configure a Null0 route on exactly the ASA then redistribute that?

2. If the answer to 1. is yes, then would it be best (not to proceed as you instructed above, but instead) to REMOVE the existing EIGRP redistributed static route on the adjacent Nexus that points to the Anyconnect subnet (with "# no ip route 172.16.77.0/24 172.16.1.15"), because the ASA is now EIGRP redistributing a (Null0) route to the enterprise for all Anyconnect return traffic?

@jmaxwellUSAF 

1. yes that would work

2. if you remove the static route from the nexus and redistribute the summary route from the ASA the nexus will receive the summary route from the ASA and route anyconnect traffic to the ASA.

If you define a null route on the nexus, traffic for that network is never going to be sent to the ASA. If you define a null route on the ASA and use it for redistribution, the nexus will receive it and traffic will be routed to the ASA; as more specific /32 routes exist, traffic will be routed to the correct anyconnect user. On the ASA it makes no difference whether it's a null route, but it makes a huge difference if using a null route on the nexus.
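As an added illustration of the advice in this reply (not a config from the original thread or from Cisco documentation), the ASA-side change that advertises only the Anyconnect summary and stops the per-user /32 static routes from leaking into EIGRP. The EIGRP AS number 100, the route-map and prefix-list names, and the ASA inside network 172.16.1.0/24 are assumptions; 172.16.77.0/24 is the Anyconnect pool named in the thread.

```cisco
! --- ASA5525 (added example; AS number, names and inside network are assumed) ---
! Summary route for the Anyconnect pool. A Null0 route carries no next hop:
! it exists only so the prefix can be redistributed. Connected users still
! get more specific /32 routes on the ASA, so longest-prefix match delivers
! their traffic to the right tunnel.
route Null0 172.16.77.0 255.255.255.0
!
! Only the summary may be redistributed; the per-user /32 routes are denied
! by the implicit deny at the end of the prefix-list, so they stop flapping
! across the enterprise as users log in and out.
prefix-list ANYCONNECT-SUMMARY seq 5 permit 172.16.77.0/24
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list ANYCONNECT-SUMMARY
!
router eigrp 100
 network 172.16.1.0 255.255.255.0
 ! Replace the unfiltered redistribution with the filtered one
 no redistribute static metric 500000 1 255 1 1500
 redistribute static metric 500000 1 255 1 1500 route-map STATIC-TO-EIGRP
!
! --- Nexus9300 (both units) ---
! Remove the static route to the Anyconnect pool so the Nexus learns the
! summary from the ASA via EIGRP (next hop = ASA inside interface) instead.
! Do NOT add a Null0 route for this prefix on the Nexus: that would blackhole
! return traffic before it reaches the ASA.
configure terminal
 no ip route 172.16.77.0/24 172.16.1.15
end
```

Validation on a downstream router: the summary should appear as an EIGRP external route (AD 170) whose originating router is the ASA, and no 172.16.77.x/32 entries should appear or disappear as users connect.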

Hello.

Example of standard ASA syntax...

"route outside 1.1.1.0 255.255.255.0 2.2.2.2"

but...

"route Null0 192.168.15.0 255.255.255.0 !!(no next hop is here!)!!"

QUESTIONS:

1. Why is this command "route Null0 192.168.15.0 255.255.255.0" allowed to lack a destination address? (This looks similar to an EIGRP network config)

(Perhaps I am too used to static routes being for devices with destinations not on the configured device itself, and I have no experience with this simplest config?)

2. Related-- If I redistribute this route via a route map, distribute list, and EIGRP, what will be the next hop IP address for this route on the adjacent routing device? What will be the next hop IP address for this route on the 2 hops downstream routing device?

3. Must I also configure a static route that would advertise this Anyconnect subnet to route to the IP address of the inside interface of this same device-- "route inside 192.168.15.0 255.255.255.0 192.168.1.1" ?

Thank you.

@jmaxwellUSAF there is no next hop address when using a null route. You are just using a null route to advertise the anyconnect summary route and redistribute into EIGRP for the other devices in your network to learn the route is via the ASA, once traffic is routed to the ASA if the anyconnect host is connected the traffic will be routed to the correct anyconnect user.

On the switch directly connected to the ASA the next hop IP address for the anyconnect summary route will be the ASA's inside (or whatever you call it) interface IP address.

No you don't need a route via the inside interface of the ASA (if I recall correctly that's why you had those misleading syslog events in your previous post last month).

OK then.

I just find it strange that the downstream routers many hops away will not have explicit information as to how to get to the Anyconnect subnet-- it seems they are relying on the dynamic configs of neighboring devices, such as the adjacent device gleaning the IP address of the directly connected interface, and using that as the next hop.

Again, with this total config, never am I explicitly stating exactly how the network is getting to the anyconnect subnet.

Do you agree that there is no explicit network-distributed information as to how remote routers will find this Anyconnect subnet?