Routing loop issue

craig.juhas
Level 4

Hi All,

I'm hoping someone can help with a routing issue I have between a pair of Nexus 7000 switches and a Cisco ASA Firewall.

We have an MPLS WAN linking two sites but have created a backup VPN tunnel in case of failure. Last night there was a failure, but there were issues with routing. Below is the topology between the sites for the backup path:

NX7K <-> ASA <-> INTERNET(VPN) <-> ASA <-> Cat6500

On the Cat6500 the summary subnet is 10.10.0.0/16 and on the NX7K is 10.20.0.0/16 (fakes). Under normal circumstances traffic will route over the MPLS using a route picked up via OSPF. I've added a static route at each end pointing to the ASA with a metric of 200 so it will be ignored. If the MPLS goes down the OSPF route disappears and so the static route appears.

On the Cat6500 side the routing works fine and traffic goes to the firewall and then over the VPN tunnel. However, on the NX7K side traffic seems to get stuck in a loop between the NX7K and the ASA. When I checked the ASA on the NX7K side I could see it was picking up the OSPF route for the other side from the NX7K, which would explain the loop. When I check the ASA on the Cat6500 side I do not see the route to the other side, which is why there isn't a problem. The Cat6500 is definitely redistributing the static route, but the ASA seems to be clever enough to ignore it. However, on the NX7K side it's not ignoring it, which means we can't send traffic over the tunnel.

What do I need to do to make the ASA ignore the redistributed static routes from the NX7K that point to it? Any help would be much appreciated!

Craig

8 Replies

francisco_1
Level 7

Are you running OSPF as well on the ASAs?

Yes OSPF is running on the Cat6500, NX7K and ASA Firewalls.

"I've added a static route at each end pointing to the ASA with a metric of 200 so it will be ignored. If the MPLS goes down the OSPF route disappears and so the static route appears"

According to your statement above you are running OSPF on all devices, but you also have a static route to the ASAs! If OSPF is enabled there is no need for a static route with a higher metric of 200. You just have to cost your links (OSPF cost) and OSPF will detect a failure and route accordingly.

I see what you're saying but I'd still need to have a static route in the ASA firewalls anyway to be picked up by the switches.

What I'm more interested in is why it works for the Cat6500 but not the NX7K.

Do you have configs?

I've pasted the relevant parts below (with fake IPs):

NX7K #1:

! Only the remote site's summary is allowed from static into OSPF
ip prefix-list static-advs seq 10 permit 10.10.0.0/16
route-map static-to-ospf permit 10
 match ip address prefix-list static-advs
router ospf 144
 router-id 10.20.255.1
 redistribute static route-map static-to-ospf
 log-adjacency-changes
 summary-address 10.20.0.0/16
 auto-cost reference-bandwidth 10000
! Backup route to the remote site via the ASA; the trailing 200 is the
! administrative distance (OSPF is 110), so this route is used only when
! no OSPF route to 10.10.0.0/16 exists
ip route 10.10.0.0/16 10.20.20.254 200

NX7K #2:

! Identical to NX7K #1 apart from the router-id
ip prefix-list static-advs seq 10 permit 10.10.0.0/16
route-map static-to-ospf permit 10
 match ip address prefix-list static-advs
router ospf 144
 router-id 10.20.255.2
 redistribute static route-map static-to-ospf
 log-adjacency-changes
 summary-address 10.20.0.0/16
 auto-cost reference-bandwidth 10000
ip route 10.10.0.0/16 10.20.20.254 200

ASA (NX7K side):

router ospf 1
 router-id 10.20.20.254
 network 10.20.20.0 255.255.255.0 area 0
 area 0
 log-adj-changes
 redistribute connected subnets route-map CONN->OSPF
 ! Present on this ASA only; the Cat6500-side ASA below does not
 ! redistribute its static routes
 redistribute static subnets
! route-map CONN->OSPF was not included in the post

--- THE OTHER SIDE ---

Cat6500 #1:

router ospf 1
 router-id 192.168.90.3
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 nsf
 redistribute static subnets route-map static-to-ospf
! Same intent as the NX7K prefix-list, expressed as a standard ACL
route-map static-to-ospf permit 10
 match ip address static-advs
ip access-list standard static-advs
 permit 10.20.0.0 0.0.255.255
! Backup route to the remote site via the ASA, administrative distance 200
ip route 10.20.0.0 255.255.0.0 10.10.10.254 200

Cat6500 #2:

! Identical to Cat6500 #1 apart from the router-id
router ospf 1
 router-id 192.168.90.4
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 nsf
 redistribute static subnets route-map static-to-ospf
route-map static-to-ospf permit 10
 match ip address static-advs
ip access-list standard static-advs
 permit 10.20.0.0 0.0.255.255
ip route 10.20.0.0 255.255.0.0 10.10.10.254 200

ASA (Cat6500 side):

router ospf 1
 router-id 10.10.10.254
 network 10.10.10.0 255.255.255.0 area 0
 log-adj-changes
 redistribute connected subnets route-map CONN->OSPF
! route-map CONN->OSPF was not included in the post
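As an added example, not a config from this thread, here are two ways to stop the NX7K-side ASA from installing the NX7K-originated OSPF route for 10.10.0.0/16 (and so from handing that traffic straight back to the NX7K), plus the checks to run after a failover. The ACL name NO-LOOP-FROM-NX7K, the interface name `outside` and the tunnel-side next hop 203.0.113.1 are assumptions; the device addresses are the fake ones from Craig's post.

```cisco
! ---- NX7K-side ASA, option A: filter the looping route on ingress ----
! Keep 10.10.0.0/16 out of this ASA's routing table whenever it is learned
! via OSPF, whoever originates it (here: the NX7K's redistributed static).
! ACL name is an assumption.
access-list NO-LOOP-FROM-NX7K standard deny 10.10.0.0 255.255.0.0
access-list NO-LOOP-FROM-NX7K standard permit any
router ospf 1
 router-id 10.20.20.254
 network 10.20.20.0 255.255.255.0 area 0
 ! An inbound distribute-list filters what OSPF installs into the RIB;
 ! it does not change what this ASA floods to the NX7Ks.
 distribute-list NO-LOOP-FROM-NX7K in
!
! ---- NX7K-side ASA, option B: give the ASA its own better route ----
! Static route for the remote site towards the VPN peer (interface name and
! next hop are assumptions). Static AD 1 beats OSPF AD 110, so the NX7K's
! external route is never installed even without the filter.
route outside 10.10.0.0 255.255.0.0 203.0.113.1 1
!
! ---- Checks after failover (MPLS down, NX7K static active) ----
! On the NX7K: 10.10.0.0/16 should be the static (AD 200) with next hop
! 10.20.20.254; an OSPF entry here means the ASA is re-advertising it.
show ip route 10.10.0.0/16
! On the ASA: 10.10.0.0/16 must point out of the VPN-facing interface, never
! back towards the inside/NX7K subnet. The external LSAs show who originates
! the prefix (look for the NX7K router-ids 10.20.255.1 and 10.20.255.2).
show route
show ospf database external
```

Option A is the direct answer to the question asked (filter on the receiving side; OSPF has no per-neighbor outbound filter on the NX7K for LSAs within an area). Option B interacts with the `redistribute static subnets` already on this ASA: the new static would itself be advertised into area 0 as an external route with the ASA as next hop, which is usually what you want for the backup path, but means the NX7K static becomes redundant, so test one change at a time.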

I have never worked with the NX7K, but with dynamic routing enabled on the ASA, the NX7K should be aware of 10.10.0.0/16 from its locally connected OSPF neighbor (the ASA) via the IPsec tunnel (no need for the static route with metric 200), since both ASAs are OSPF neighbors! You just have a default route to the local ASA on both sides. Once OSPF is up, you just need to cost your links to make the IPsec tunnel less preferred!

See this example, except it has no redundant path: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

In fact I am going to lab this tonight, get both IPsec and MPLS going, and test. Will let you know the outcome.

For some reason I never considered passing the OSPF routing over the VPN tunnel. It's certainly given me food for thought, so I'm going to go away and test from my end as well. Thanks for your help.
