Solved: ASA Stops sending OSPF hellos

aoshea · ‎02-21-2007

ASA Stops sending OSPF hellos

Dear Support,

Wondering if anyone else has come across this problem, but have two Cisco ASA 5510s ASA V7.2(1), DM V5.2(1) (in active/passive failover configuration). These are connected to a pair of 3750G-48-EMIs in a stack, OSPF is running on both, The ASAs are redistributing the outside, and DMZ interfaces by a defined route-map.

Everything normally works fine, but today I found that the neighbour relationship between the ASAs and 3750s had broke. I tried clearing the OSPF process on both the ASAs and 3750, but this would not resolve the problem. The 3750 would not show the ASAs in the neighbour list, but did have other devices (via a point-to-point link) as FULL state. The ASAs however would show the 3750s as INIT/DROTHER state.

Debugs showed that the ASAs were receiving hellos from the 3750s but was not sending any. The 3750s showed it was sending hellos but not receiving any from the ASAs

To resolve I had to reboot the ASAs. This is not my preferred solution as should not need to do this.

Has anyone else come across this problem, and is there a resolution? Or a bug track id?

Thank you in advance for your assistance.

I always rate helpful replies.

Best regards, Adrian

sundar.palaniappan · ‎02-26-2007

Adrian,

The bug workaround suggests adding static ARP for the neighbor device. Add a static ARP entry for the 3750 on your ASA. The bug only applies to ASA and hence, you shouldn't need a static entry on the 3750.

HTH

Sundar

View solution in original post

sachinraja · ‎02-22-2007

Hello adrian

How frequent does this happen ?? I saw a bug ID CSCsd97134 - PIX/ASA ignores OSPF DBDs during adajency building , but this has been resolved in 7.2(1) , as per the release notes... might be some other issue..

Is the ASA in active-standby or active-active mode ? with active/active routing protocols will have issues... can you post us the configs if possible?

Raj

sundar.palaniappan · ‎02-22-2007

Hi,

Your symptoms seem to indicate you may be affected by this bug. If you are running one of the affected codes then apply the workaround suggested.

CSCsg00914 Bug Details

Headline OSPF neighbors dont form due to corrupted arp entry

Product pix-asa

Feature Unicast Routing Components Duplicate of

Severity 3 Severity help Status Verified Status help

First Found-in Version 7.2(1), 7.0(6) First Fixed-in Version 7.2(2), 7.2(1.26), 7.1(2.30), 7.0(6.10), 8.0(0.111) Version help

Release Notes

Symptom:

OSPF neighbors don't form

Conditions:

show ospf neighbors on the ASA running

7.2.1 displays the neighbors in INIT/DROTHER state.

The ASA may be attempting to send OSPF packets to a MAC address other than the

intended one, though non broadcast is disabled on the interface.

Workaround:

Clear the arp cache on the asa. If clearing the arp does not work, try adding a

static arp entry.

Further Problem Description:

A show arp should list the multicast address on the ASA.

HTH

Sundar

sachinraja · ‎02-22-2007

Hello sundar,

You hit the nail right on the head !!! surprising to see this through bug tool kit, but not included on the release notes of 7.2(1) !!!! I thought the release notes were the most authentic info ever that I will get :)

Cheers

Raj

aoshea · ‎02-26-2007

Hi Sundar,

Many thanks for your assistance, this looks very similar to the problem that happened. I think I found out the root cause of the problem, the DC were changing the power to a metered power system that weekend, and seems the ASAs were booted before the 3750 stack, hence the arp cache corruption.

Currently with the ASAs working, I have the following Mac addresses, which one would you suggest needs to have a static entry;

Inside 192.168.16.3 0018.7317.93fb (the failover asa)

Inside 224.0.0.5 0100.5e00.0005

Inside 192.168.16.1 0019.2f70.8044 (3750 stack).

Inside MAC address 0018.1900.3a3f (the active asa inside address).

Do I need a static arp on the 3750 stack as well, this was sending hellos ok during the problem?

Thanks again for your expert advice.

Best regards, Adrian.

sundar.palaniappan · ‎02-26-2007

Adrian,

The bug workaround suggests adding static ARP for the neighbor device. Add a static ARP entry for the 3750 on your ASA. The bug only applies to ASA and hence, you shouldn't need a static entry on the 3750.

HTH

Sundar