Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
648
Views
0
Helpful
2
Replies

Site to Site VPN EIGRP problem (Migrate from single 5540 firewall to multi-context 5585 firewall).

ohforce55
Level 1
Level 1

‎06-17-2018 07:46 AM - edited ‎03-12-2019 05:22 AM

I had an issue migrating from the single 5540 firewall to the context 5585 firewall.

The configs are the same. The only differences are software version (old one 9.1 and new firewall is 9.7) and the new firewall is a multi-context.. This firewall is for s2s vpn by the way.

 

The first issue I encountered was that I had the cables connected wrong. If you see the file I attached called new context, g0/2 and g0/3 needed to be swapped and this issue was resolved by changing the allocate interfaces.

 

The real problem I had was that eigrp.. We have hub routers connect to the firewall but the eigrp didin't even come up.

 

The below is the output from the Firewall and it seems we were sending out Hello packets but never receiving them on the ASA. 

enc-wups-agg-fasa5585-20x/ExtranetVPN/act# sh eigrp traffic

EIGRP-IPv4 Traffic Statistics for AS(1) context(ExtranetVPN)

 

  Hellos sent/received: 363/0

  Updates sent/received: 0/0

  Queries sent/received: 0/0

  Replies sent/received: 0/0

  Acks sent/received: 0/0

  SIA-Queries sent/received: 0/0

  SIA-Replies sent/received: 0/0

  Hello Process ID: 364353056

  PDM Process ID: 364353984

  Socket Queue:

  Input Queue: 0/2000/0/0 (current/max/highest/drops)

 

  

  enc-wups-agg-fasa5585-20x/ExtranetVPN/act# sh eigrp events

 

Event information for AS 1:

   1 20:13:27.582 Redist rt event: Route Up

   2 20:13:27.582 Redist rt change: 216.99.184.98 255.255.255.255 Rstatic

   3 20:13:27.582 Redist rt event: Route Up

   4 20:13:27.582 Redist rt change: 216.99.184.97 255.255.255.255 Rstatic

   5 20:13:27.582 Redist rt event: Route Up

   6 20:13:27.582 Redist rt change: 216.99.184.96 255.255.255.255 Rstatic

   7 20:13:27.582 Redist rt event: Route Up

   8 20:13:27.582 Redist rt change: 216.99.184.95 255.255.255.255 Rstatic

   9 20:13:27.582 Redist rt event: Route Up

  10 20:13:27.582 Redist rt change: 216.99.184.70 255.255.255.255 Rstatic

  11 20:13:27.582 Redist rt event: Route Up

 

I couldn't find any issue on the configs..... Can anyone help why the eigrp didn't come up?

 

 

 

Please see the attached.

 

The filename new context is the one I copied to. It is one of the contexts on the new firewall.

Sh tech new is the new firewall (system).

Sh tech enc-wups-ex-vpnasa is the old firewall.

 

Labels:
Preview file
53 KB
Preview file
146 KB
Preview file
368 KB
0 Helpful
2 Replies 2

Bogdan Nita
VIP Alumni
VIP Alumni

‎06-18-2018 12:14 AM

Config on the ASA looks ok to me.

Have you tried enabling some debugs like debug eigrp neighbors ?

If you do not see hello messages coming in you should have a look at the neighbor as well.

You could also try using the neighbor command to force unicast instead of multicast.

 

HTH

Bogdan

0 Helpful

ohforce55
Level 1
Level 1
In response to Bogdan Nita

‎06-20-2018 06:27 PM

Thanks for your reply!

The issue was resolved by rebooting the firewall.. I know it's funny.

 

After reloading the firewall, eigrp came up.

 

I'm not sure why.. I don't know it is because I changed the allocate interface?

With the switching of allocate interface, the firewall was in a weird state??

 

Do you have any idea?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents