OSPF through IPsec VPN ASA

Unanswered Question
Aug 13th, 2010

Why does the following message appear every time I try to apply a static neighbor for my OSPF configuration?

fw-local/sec/act(config-router)# neighbor y.y.y.y interface outside
INFO: Neighbor command will take effect only after OSPF is enabled
and network-type is configured on the interface

Here is a snapshot of my configuration:

interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address x.x.x.42 255.255.255.128 standby x.x.x.43
ospf network point-to-point non-broadcast

router ospf 8
network y.y.y.y 255.255.255.255 area 1
network 192.168.102.0 255.255.255.0 area 1
log-adj-changes

The network-type for the outside interface has already been defined as a point-to-point non-broadcast, and yet the "INFO" message continues to appear. The y.y.y.y IP address is the public IP of the remote ASA that is terminating the IPsec VPN tunnel. I do not wish to change any of the default OSPF parameters on the interface itself or in the OSPF configuration. Am I missing something?

Thank you in advance.

Jason Espino

Richard Burts Sat, 08/14/2010 - 14:11

Jason

I understand your desire to maintain security in your posting. But the use of x.x.x and y.y.y.y make it impossible for us to accurately check for the cause of your problem. So I can only suggest to you that you check carefully the address that you are using in your neighbor statement and to clarify the relationship between that address, the address of the interface, and the address of the remote peer.

HTH

Rick

jason.espino Sat, 08/14/2010 - 18:25

Yudong:

I understand this is an INFO message; however, the ASA does not apply the static "neighbor" I am trying to define within the OSPF configuration after the INFO message appears. The "sho run router" output does not have the "neighbor" defined. I haven't verified if it works or not since the OSPF process does not apply the static neighbor to route the unicast OSPF packets through the IPsec VPN tunnel to the remote ASA (which should be my static neighbor).

The document in the link you provided is the one I used, but the "neighbor" IP shows up in the ASA in the documentation without a problem but on my ASA it doesn't. The INFO message appears on mine without the neighbor IP specified. The network-type has already been defined on my outside interface as well, "ospf network point-to-point non-broadcast"

Richard:

I apologize for not being more specific, and not defining the actual IP addresses within the configuration.  I do appreciate the fact that you understand my reason for concern regarding security.  If defining the IP addresses is needed to help assist with troubleshooting this configuration then that is fine with me.

My Local ASA Configuration:

fw-local/sec/act(config-router)# neighbor 67.192.14.6 interface outside
INFO: Neighbor command will take effect only after OSPF is enabled
and network-type is configured on the interface

interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 66.142.85.134 255.255.255.128 standby 66.142.85.135
ospf network point-to-point non-broadcast

router ospf 8
network 67.192.14.6 255.255.255.255 area 1
network 192.168.102.0 255.255.255.0 area 1
log-adj-changes

The 67.192.14.6 IP address is the remote ASA's public IP address that is defined in the cryptomap configuration, terminating the L2L IPsec VPN tunnel with my Local ASA. I am not sure why my Local ASA mentions that INFO message and doesn't define the static neighbor of the remote ASA's IP in the OSPF configuration when the network type has been defined in my outside (gig0/0) interface.

I hope this helps clarify things a bit. If not please let me know.

Thank you both for your help/information!!!

Jason Espino

Yudong Wu Sat, 08/14/2010 - 19:07

I did not see you configured "network" for outside interface under OSPF?
