ASA 5520 Advertising Internal Routes

Unanswered Question
Nov 23rd, 2009

About a week ago our ASA 5520s bounced for some unknown reason. Since then the ASA has been advertising its defined internal routes back into the network. The result is that the routing tables inside the LAN now have each network advertised twice. The internal routes coming from the ASA are shown as external routes summarized at a higher level, see below. Has anyone seen this before?

Is there a config item on the ASA that is causing this to happen?

C        168.28.216.0/24 is directly connected, Vlan129

D EX   168.28.216.0/21 [170/3072] via 192.168.10.10, Vlan90

Jon Marshall Mon, 11/23/2009 - 06:43

rickmeier wrote:

About a week ago our ASA 5520s bounced for some unknown reason. Since then the ASA has been advertising its defined internal routes back into the network. The result is that the routing tables inside the LAN now have each network advertised twice. The internal routes coming from the ASA are shown as external routes summarized at a higher level, see below. Has anyone seen this before?

Is there a config item on the ASA that is causing this to happen?

C        168.28.216.0/24 is directly connected, Vlan129

D EX   168.28.216.0/21 [170/3072] via 192.168.10.10, Vlan90

Rick

Well it might be a config issue but need more details.

Is the ASA participating in EIGRP with the internal routers?

If so can we have the EIGRP config off the ASA + the full routing table of the ASA + the routing table off one of the internal routers.


Jon

Rick Meier Mon, 11/23/2009 - 07:06

Jon,

   The ASA is participating in EIGRP with the internal routers. I'll post the routing tables. One quick note, the ASA has entries in the routing table that show a subnet learned via EIGRP and as a static, see below.

Protocol   Type   Destination IP   Netmask/Prefix length   Gateway        Interface   [AD/Metric]
EIGRP             168.28.216.0     255.255.255.0           192.168.10.9   inside      [90/3072]
STATIC            168.28.216.0     255.255.248.0           192.168.10.9   inside      [1/0]

Jon Marshall Mon, 11/23/2009 - 07:21

rickmeier wrote:

Jon,

   The ASA is participating in EIGRP with the internal routers. I'll post the routing tables. One quick note, the ASA has entries in the routing table that show a subnet learned via EIGRP and as a static, see below.

Protocol   Type   Destination IP   Netmask/Prefix length   Gateway        Interface   [AD/Metric]
EIGRP             168.28.216.0     255.255.255.0           192.168.10.9   inside      [90/3072]
STATIC            168.28.216.0     255.255.248.0           192.168.10.9   inside      [1/0]

Rick

The static entry in the routing table - is there a static route entry in the ASA config? i.e.

route (inside) 168.28.216.0 255.255.248.0 192.168.10.9

If there is, is there any reason for it, i.e. does the ASA actually need to participate in EIGRP or would this summary static route handle all the internal networks? If it did then the only other reason I could see for the ASA participating in EIGRP would be to advertise its DMZ subnets back to your internal routers. Is this what is happening?

Jon

Rick Meier Mon, 11/23/2009 - 11:44

Jon,

    Yes there are a number of static inside routes that cover all of the internal LAN. I was able to SSH into the ASA (this was my first involvement with these firewalls) and I found that not only is the EIGRP participating with the internal LAN EIGRP but there is also a redistribute static statement, which I suspect is the cause of this issue. My conundrum is why did these duplicate routes appear only after the ASA bounced. They had not been there prior to the bounce.

See attached for routing table and EIGRP config and statics.

Rick

Jon Marshall Mon, 11/23/2009 - 12:34

rickmeier wrote:

Jon,

    Yes there are a number of static inside routes that cover all of the internal LAN. I was able to SSH into the ASA (this was my first involvement with these firewalls) and I found that not only is the EIGRP participating with the internal LAN EIGRP but there is also a redistribute static statement, which I suspect is the cause of this issue. My conundrum is why did these duplicate routes appear only after the ASA bounced. They had not been there prior to the bounce.

See attached for routing table and EIGRP config and statics.

Rick

Rick

There is no attachment.

That aside, I think a more relevant question is why did they only turn up after the ASA had been bounced, i.e. if you have a redistribute static on the ASA and it has formed a neighborship with an internal LAN router they should have been there already.

Note also that they are not duplicate routes; if they were I suspect the ASA routes would not show up. The ASA is sending a summarised route entry and although this includes the internal subnets it is considered a different route because it has a different prefix length, so it too will be installed in the internal routers' routing table.

So, as I say, it's more a mystery of why they weren't there in the first place.

It's difficult to say without the full topology, but if the ASA is only peering with the internal network and not to anything on the outside then I'm not sure why you have that static statement on the ASA, i.e. either peer with an internal router and exchange routes or use a static route on the ASA but not both. But like I say, without knowing the full topology it's not possible to recommend one or the other.

Jon
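As an added example (not part of the thread or any poster's code), a small Python check that parses `show ip route`-style lines like the two Rick posted and flags the condition Jon describes: an external EIGRP route (D EX) whose prefix is a strict supernet of a directly connected subnet, which is what a redistributed static summary leaking back into the LAN looks like from an internal router. The sample routing-table text is constructed; only the first two lines are from the thread.

```python
import ipaddress
import re

# Constructed sample output in the style of "show ip route". The first two
# lines are the ones posted in the thread; the other two are made up so the
# check has ordinary routes to skip.
SAMPLE_ROUTES = """\
C        168.28.216.0/24 is directly connected, Vlan129
D EX     168.28.216.0/21 [170/3072] via 192.168.10.10, Vlan90
C        192.168.10.0/24 is directly connected, Vlan90
D        10.20.0.0/16 [90/3072] via 192.168.10.9, Vlan90
"""

# Route code (C, D, D EX), prefix, then either "is directly connected" or
# "[AD/metric] via next-hop", followed by the egress interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z](?: EX)?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:is directly connected|\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<via>\d+(?:\.\d+){3})),\s+(?P<iface>\S+)$"
)


def parse_routes(text):
    """Parse routing-table lines into dicts; lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(m["prefix"]),
            "ad": int(m["ad"]) if m["ad"] else None,
            "via": m["via"],
            "iface": m["iface"],
        })
    return routes


def external_summaries_over_connected(routes):
    """Return (summary, connected, next_hop) for each D EX route that is a
    strict supernet of a directly connected network."""
    hits = []
    connected = [r for r in routes if r["code"] == "C"]
    for ext in (r for r in routes if r["code"] == "D EX"):
        for conn in connected:
            if ext["network"] != conn["network"] and ext["network"].supernet_of(conn["network"]):
                hits.append((str(ext["network"]), str(conn["network"]), ext["via"]))
    return hits


if __name__ == "__main__":
    for summary, conn, via in external_summaries_over_connected(parse_routes(SAMPLE_ROUTES)):
        print(f"external {summary} via {via} covers connected {conn}")
```

Run against the full `show ip route` output of an internal router, every hit names the next hop injecting the summary, which is how you confirm the ASA (192.168.10.10 here) is the source rather than another redistribution point.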
