OSPF over IPSEC VPN Problem with ASA 5520's

Unanswered Question

I am having a problem getting OSPF LSA's over an IPSEC VPN tunnel

Our Network Currently has OSPF at the Core in 2 different locations, our main site has a BGP routing based IPVPN (Time Warner MPLS Dedicated Circuit) to our Sister location. This is being redistributed into OSPF on both sides and works well. I want to put in a redundant IPSEC VPN over the internet in the event of a dedicated Circuit meltdown. I have configured the IPSEC VPN and it comes up when I take down the IPVPN circuit, I AM able to pass traffic based on the crypto map traffic ACL's. However I'm unable to get the ASA's on both sides to become adjacent neighbors. As a reuslt I get no routes in my OSPF table to the other side. Debug OSPF shows that I am receiving hellos from our sister site, but our sister site never receives hellos from our main site. At First I thought that maybe I had a a route still being advertised somewhere, and verfied that with the IPVPN Circuit down there are not routes in the routing table. Has anyone ever done OSPF over IPSEC VPN without using a GRE tunnel before?

When you guys have the time please take a look at my OSPF configurations and tell me what I have missed, I have enclosed both ASA configurations, and a WAN map.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dongdongliu Wed, 02/13/2008 - 22:35
User Badges:

what`s the I think it`s a internet access equipment,maybe it`s a ISP. and are both gateway.

because louasa001 and dalasa001 have both set crypto peer:

crypto map Outside_2_map 20 set peer

crypto map Outside_2_map 20 set peer

and there are some default route are configured in the louasa001 and dalasa001,so louasa001 and dalasa001 can find peer each other.

gateway will be in charge of pass traffic.


why network belong to area 0 in the louasa001 but belong to area 1 in the dalasa001?

Good Day Dingdongliu, is the ISP router for the louasa5520.

Default route is being set with the route Outside_2 1 statement in Louasa5520. is a CPE router in the Corp location and is the default router for Dalasa5520. The dalasa5520 has its default route being set by the route Outside_2 1 statement. You are correct; the outside IP's are in DalASA5520 and in LouASA5520, and they are Crypto peers. The VPN does come up when I take down the IPVPN circuit and I am able to pass traffic based on the crypto ACL's without any problems.

As for the being in area 1 in the Dalasa5520, this is a misconfig after trying to push the area 0 to the louasa520. orginally, I had the in Area 1 on the DalASA5520 and all of LouASA5520 was in area 1, nice catch. I have changed on the DalASA5520 to be in area 0,

cleared ospf router7, and will test the failover again, here are the changes to Dalasa5520.

router ospf 7


network area 0

network area 0

network area 0

area 0

neighbor interface Outside_2


default-information originate always metric 1

Thanks for your Reply.


This Discussion