10-08-2014 11:13 AM
We have 2 ASA's,
5515X running 9.1(5)
and an old 5510 8.2(5)
There is a switch stack behind each of them on the inside with EIGRP 200 running. I set up EIGRP 200 on both ASA's but the neighbor state does not come up with the Site to Site VPN. What are the steps to allow that to happen?
rc1asa01(config)# sh eigrp neighbors AT&T_1
EIGRP-IPv4 neighbors for process 200
EIGRP not enabled on requested interface
rc1asa01(config)# sh eigrp neighbors
EIGRP-IPv4 neighbors for process 200
H   Address         Interface       Hold   Uptime   SRTT   RTO   Q    Seq
                                    (sec)           (ms)         Cnt  Num
0   10.40.1.1       inside          13     1w1d     1      200   0    10525
Once I get that to work I need to address the backhaul T-1 that goes between the sites and is running EIGRP 200 as well. I am hoping that once I get the protocol working between the Site to Site VPN the variance will kick in and the route will be selected to go out the Site to Site VPN with the T-1 as a backup.
10-08-2014 08:07 PM
You can't form a neighbor adjacency on your outside interface since the remote ASA is across your ISP's WAN.
You have to set up static routes with weights and possibly object tracking (ip sla) to accomplish what you're describing.
12-22-2014 07:52 AM
There has got to be a workaround. If you can get EIGRP up in a GRE tunnel, why can't I use the Site to Site VPN to do the same thing?
12-22-2014 01:46 PM
The only workaround you can have is to run OSPF on the WAN link and follow this configuration guide.
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63882-gre-ipsec-ospf.html
With EIGRP the only workaround is encapsulating the packets with GRE and you will need routers for that.
Best Regards,
Yamil
12-29-2014 03:33 PM
I will see if I can lab that up. Thanks. Figure they would have a more up-to-date doc, though, that covers 9.X and ASDM 7.X.