Re: Redistributing dynamically created routes for vpn users into OSPF

ivanov.arseniy · ‎04-05-2014

Hello, community!

I'm working on what seems to be a simple task and i'm sad to admin but i need your help.

I have ASA5505 (running 9.0.3 software) which provides remote access to all kind of inside resources of the company where i currently work. As remote user gets connected ASA puts what seems to be a static route into routing table with /32 mask. My initial plan was to redistribute these routes into OSPF or EIGRP to send over to the core switch, but something is not right either with my plan or my implementation.

Let's say i decided to go with EIGRP (of course), here is what i do:

i create prefix list which would describe all possible routes for vpn users:

prefix-list VPN-USERS permit 192.168.100.0/24 ge 32

i create route-map to match on this prefix-list:

route-map VPN-REDIST per 10

match ip add prefix-list VPN-USERS

i redistribute dynamic "static" routes into EIGRP while allowing only specific prefixes

router eigrp 100

redistribute static route-map VPN-REDIST metric 10000 1000 255 1 1500

Well, guess what? That doesn't work. Although redistribution works for other real static routes that i have configured on ASA if i remove route-map from redistribution, these vpn routes fail to be sent over to the core switch.

Any thoughts?

Best regards, Arseniy S. Ivanov

Marcin Latosiewicz · ‎04-05-2014

A more efficient way (and saving amount of prefixes) is to advertise a summary route for your local IP pools.

Try with ACL instead of prefix-list too, just in case :-)

ivanov.arseniy · ‎04-05-2014

I sort of solved the problem by creating static route on the core switch, which is more then o'k with me, it's just i wanted to know what's wrong with redistributing these /32s. :)

Best regards, Arseniy S. Ivanov

Marcin Latosiewicz · ‎04-05-2014

Well for starters:
https://tools.cisco.com/bugsearch/bug/CSCtg95852/?reffering_site=dumpcr

hence I suggested using ACLs ;]

ivanov.arseniy · ‎04-05-2014

just tried. negative.

Checking ACL

asa-vpn# show access-list VPN-CLIENTS
access-list VPN-CLIENTS; 1 elements; name hash: 0x1d86a566
access-list VPN-CLIENTS line 1 standard permit 192.168.100.0 255.255.255.0 (hitcnt=0) 0x5ab80128

Checkig route-map

asa-vpn# show route-map VPN_CLIENTS
route-map VPN_CLIENTS, permit, sequence 10
Match clauses:
ip address (access-lists): VPN-CLIENTS
Set clauses:

Checking EIGRP config

asa-vpn# show run router ei
router eigrp 100
eigrp router-id 192.168.6.254
network 192.168.6.254 255.255.255.255
redistribute static metric 100000 1000 255 1 1500 route-map VPN_CLIENTS

Checking EIGRP neighbors

asa-vpn# show eigrp nei
EIGRP-IPv4 neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.6.1 Vl16 12 00:07:57 1 200 0 1

Checking vpn routes

asa-vpn# show route outside 192.168.100.0

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 78.72.13.1 to network 0.0.0.0

S 192.168.100.1 255.255.255.255 [1/0] via 78.72.13.1, outside

Checking EIGRP topology

asa-vpn# show eigrp topo

EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.6.254)

Codes: P - Passive, A - Active, U - Update, Q

Redistributing dynamically created routes for vpn users into OSPF or EIGRP