Cisco Support Community

[Resolved] EIGRP ASA<->3825 stuck on update.

Hi, community. I have a strange problem between a Cisco ASA 5510 with 8.4.2 and a Cisco 3825 with IOS 15.0(1)M7 (same with 12.4(15)T15).

asa# sh eigrp neighbors

EIGRP-IPv4 neighbors for process 1

H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq

                                            (sec)         (ms)       Cnt Num

0   10.27.6.3               Et0/0            14  00:00:14 1    5000  2   66099

As you can see here, there are always two routes in the queue.

Here is debug eigrp packets update:

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 2, RTO 4500 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 3, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 4, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 5, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 6, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 7, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 8, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 9, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 10, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 11, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 12, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 13, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 14, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 15, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 16, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Enqueueing UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0 iidbQ un/rely 0/1 peerQ un/rely 0/0

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0

  AS 65536, Flags 0x1, Seq 6257/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/1

EIGRP: Enqueueing UPDATE on Ethernet0/0 topoid 0 iidbQ un/rely 0/1 serno 1-1

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/1 peerQ un/rely 0/1

EIGRP: Enqueueing UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 1-1

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 1, RTO 3000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 2, RTO 4500 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 3, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 4, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 5, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 6, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 7, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 8, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 9, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 10, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 11, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 12, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 13, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 14, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 15, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 16, RTO 5000 topoid 0

  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2

sh EIGRP: Enqueueing UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0 iidbQ un/rely 0/1 peerQ un/rely 0/0

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3

  AS 65536, Flags 0x1, Seq 66099/0 interfaceQ 255/255 iidbQ un/rely 0/1 peerQ un/rely 0/0

EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0

  AS 65536, Flags 0x1, Seq 6259/66099 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/1

EIGRP: Enqueueing UPDATE on Ethernet0/0 topoid 0 iidbQ un/rely 0/1 serno 1-1

EIGRP: Enqueueing UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 1-1

On the other side (3825) output looks like this:

3825#sh ip eigrp neighbors G0/0.660

EIGRP-IPv4 Neighbors for AS(1)

H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq

                                            (sec)         (ms)       Cnt Num

35  10.27.6.1               Gi0/0.660         11 00:00:25    1  5000  1  0

3825#sh ip eigrp interfaces G0/0.660

EIGRP-IPv4 Interfaces for AS(1)

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending

Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes

Gi0/0.660          1        0/0         0       0/1           50         276

And debug "eigrp packet update" shows this:

t 28 10:15:40.726:   AS 1, Flags 0x0:(NULL), Seq 0/66108 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:15:42.002: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 2, RTO 4500 tid 0

Oct 28 10:15:42.002:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:15:46.502: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 3, RTO 5000 tid 0

Oct 28 10:15:46.502:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:15:51.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 4, RTO 5000 tid 0

Oct 28 10:15:51.503:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:15:56.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 5, RTO 5000 tid 0

Oct 28 10:15:56.503:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:16:01.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 6, RTO 5000 tid 0

Oct 28 10:16:01.503:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:16:06.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 7, RTO 5000 tid 0

Oct 28 10:16:06.503:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:16:11.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 8, RTO 5000 tid 0

Oct 28 10:16:11.503:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:16:16.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 9, RTO 5000 tid 0

Oct 28 10:16:16.503:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:16:21.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 10, RTO 5000 tid 0

Oct 28 10:16:21.503:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 1/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:16:26.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 11, RTO 5000 tid 0

Oct 28 10:16:26.503:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 10:16:31.503: EIGRP: Sending UPDATE on GigabitEthernet0/0.660 nbr 10.27.6.1, retry 12, RTO 5000 tid 0

Oct 28 10:16:31.503:   AS 1, Flags 0x1:(INIT), Seq 66099/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

Oct 28 21:16:56 KHB: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.27.6.1 (GigabitEthernet0/0.660) is down: Interface PEER-TERMINATION received

Oct 28 21:16:57 KHB: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.27.6.1 (GigabitEthernet0/0.660) is up: new adjacency

Oct 28 21:18:16 KHB: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.27.6.1 (GigabitEthernet0/0.660) is down: Interface PEER-TERMINATION received

Oct 28 21:18:20 KHB: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.27.6.1 (GigabitEthernet0/0.660) is up: new adjacency

From the router I can ping the ASA:

3825#ping 10.27.6.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.27.6.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

BUT I CAN'T FROM THE ASA! That's strange because there are no control-plane access-lists.

asa# ping 10.27.6.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.27.6.3, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

There is only a 3750G switch between them. No kind of VACL or MAC address-lists are configured on the facing ports.

Interestingly, I have another 3825-ASA pair with a similar configuration plugged into the same switch, with another VLAN between them, and they have no such issue.

Please suggest what to check. How to troubleshoot? Troubleshooting steps?

Another question is regarding the debug output on the ASA. Why do I see AS 65536 there although my AS is 1?
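An added example, not part of the original post: a small Python parser for `debug eigrp packets update` output that groups retransmissions by sequence number and reports how far the retry counter climbed and how often the neighbor re-sent the sequence being acknowledged. The sample lines are an abridged, constructed excerpt in the format of the ASA output above; the function names and the `RETRY_LIMIT` of 16 (the highest retry value shown in the post before the exchange restarts) are assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Abridged, constructed excerpt in the format of the ASA debug output in the post.
SAMPLE = """\
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 15, RTO 5000 topoid 0
  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 16, RTO 5000 topoid 0
  AS 65536, Flags 0x1, Seq 6255/65952 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
  AS 65536, Flags 0x1, Seq 65952/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Enqueueing UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0 iidbQ un/rely 0/1 peerQ un/rely 0/0
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3 topoid 0
  AS 65536, Flags 0x1, Seq 6257/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/1
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/1 peerQ un/rely 0/1
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 1, RTO 3000 topoid 0
  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Sending UPDATE on Ethernet0/0 nbr 10.27.6.3, retry 2, RTO 4500 topoid 0
  AS 65536, Flags 0x1, Seq 6257/66055 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
EIGRP: Received UPDATE on Ethernet0/0 nbr 10.27.6.3
  AS 65536, Flags 0x1, Seq 66055/0 interfaceQ 255/255 iidbQ un/rely 0/0 peerQ un/rely 0/2
"""

# Header line of a packet; re.search is used so an IOS timestamp prefix is tolerated.
HEADER = re.compile(
    r"EIGRP: (?P<dir>Sending|Received) UPDATE on (?P<ifc>\S+) nbr (?P<nbr>[\d.]+)"
    r"(?:, retry (?P<retry>\d+), RTO (?P<rto>\d+))?"
)
# Detail line: "Seq <sequence>/<acknowledged sequence>".
DETAIL = re.compile(r"Seq (?P<seq>\d+)/(?P<ack>\d+)")

RETRY_LIMIT = 16  # assumption: highest retry value seen in the quoted output


@dataclass
class Finding:
    nbr: str
    seq: int           # our sequence number that kept being retransmitted
    max_retry: int     # highest retry counter logged for that sequence
    hit_limit: bool    # True once max_retry reached RETRY_LIMIT
    peer_seq: int      # neighbor sequence we acknowledged in those packets
    peer_repeats: int  # times the neighbor sent peer_seq in the log


def parse(text):
    """Yield (direction, nbr, retry, seq, ack) for each header/detail pair."""
    pending = None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            pending = header
            continue
        detail = DETAIL.search(line)
        if detail and pending:
            yield (pending["dir"], pending["nbr"], int(pending["retry"] or 0),
                   int(detail["seq"]), int(detail["ack"]))
            pending = None


def find_stuck(text, min_retry=2):
    """Return one Finding per sent sequence retransmitted at least min_retry times."""
    sent = {}                    # (nbr, seq) -> [max retry, ack carried]
    rx_count = defaultdict(int)  # (nbr, neighbor seq) -> times received
    for direction, nbr, retry, seq, ack in parse(text):
        if direction == "Sending":
            entry = sent.setdefault((nbr, seq), [0, ack])
            entry[0] = max(entry[0], retry)
            if ack:
                entry[1] = ack
        else:
            rx_count[(nbr, seq)] += 1
    findings = []
    for (nbr, seq), (max_retry, ack) in sent.items():
        if max_retry >= min_retry:
            # peer_repeats > 1 means the neighbor kept re-sending an update that
            # our own packets were already acknowledging.
            findings.append(Finding(nbr, seq, max_retry, max_retry >= RETRY_LIMIT,
                                    ack, rx_count.get((nbr, ack), 0)))
    return findings


def summarize(findings):
    """Render findings as one human-readable line each."""
    lines = []
    for f in findings:
        state = "retry limit reached" if f.hit_limit else "still retrying"
        lines.append(f"{f.nbr}: our seq {f.seq} retransmitted up to retry "
                     f"{f.max_retry} ({state}); neighbor sent seq {f.peer_seq} "
                     f"{f.peer_repeats}x while we were acknowledging it")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(find_stuck(SAMPLE))))
```

A sequence that climbs to the retry limit while the neighbor keeps repeating the update being acknowledged is consistent with packets from this side not reaching the neighbor, which matches the failed ping from the ASA in the post.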

23 REPLIES

Re: EIGRP ASA<->3825 stuck on update.

Can you post your eigrp and interface config from both devices?

HTH, John *** Please rate all useful posts ***

Re: EIGRP ASA<->3825 stuck on update.

Hi

Is the ASA a brand new one, or has it been in production for some time? When did you start noticing these alarms?

What changes were done prior to seeing these alarms?

Maybe it's a bug or something. Maybe try to remove the config and put it back again on the ASA. Have you tried to reload the box?

Also, in my honest opinion try avoiding to use the AS number like 1 or far end. Try something in the middle.

HTH

Kishore

Re: EIGRP ASA<->3825 stuck on update.

Hi, All!

The ASA was a brand new device. These devices were placed into the production network, so another AS number can't be used. There is no problem with the EIGRP configuration, I think; the devices were already restarted several times, although here is the configuration:

ASA:

sh running-config router eigrp

!

router eigrp 1

no auto-summary

network 10.27.6.0 255.255.255.0

passive-interface default

no passive-interface inside

redistribute static metric 100000 1000 255 1 1514 route-map REDIST_RRI_RMAP

!

3825:

router eigrp 1

distribute-list route-map EIGRP_FILTER_BGP_RMAP in GigabitEthernet0/0.167

distribute-list prefix valid_regional_routes in Tunnel98

default-metric 100000 1000 255 1 1514

network 10.0.8.0 0.0.3.255

network 10.16.0.0 0.15.255.255

network 10.27.2.0 0.0.0.255

network 10.27.3.64 0.0.0.63

network 10.27.6.0 0.0.0.255

network 10.156.0.0 0.0.255.255

network 172.16.248.0 0.0.3.255

redistribute bgp 65535 route-map REDIST_BGP_TAG_RMAP

redistribute rip

offset-list EIGRP_OFFCET_ACL in 15000000 GigabitEthernet0/0.167

passive-interface default

no passive-interface Tunnel98

no passive-interface GigabitEthernet0/0.167

no passive-interface GigabitEthernet0/0.660


EIGRP ASA<->3825 stuck on update.

Hi,

Can you post the config of ASA for the trunk to 3825 and for the ACLs applied inbound or outbound on inside interface.

Is there a switch in between, and if so, post the config of the switch also.

Regards.

Alain.

Don't forget to rate helpful posts.

EIGRP ASA<->3825 stuck on update.

sw-01#sh vlan id 660

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

660  ASA2_Inside                      active    Gi1/0/20, Gi2/0/2

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

660  enet  100660     1500  -      -      -        -    -        0      0  

Remote SPAN VLAN

----------------

Disabled

Primary Secondary Type              Ports

------- --------- ----------------- ------------------------------------------

sw-01#sh run int Gi1/0/20

Building configuration...

Current configuration : 271 bytes

!

interface GigabitEthernet1/0/20

description *** to G0/0 CO2 ***

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 167,300,507,537,660,666,702,737

switchport mode trunk

rmon collection history 10120 owner campusmanager buckets 10 interval 300

end

sw-01#sh run int Gi2/0/2

Building configuration...

Current configuration : 105 bytes

!

interface GigabitEthernet2/0/2

description *** asa-02 Inside ***

switchport access vlan 660

end

sh running-config interface E0/0

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 10.27.6.1 255.255.255.0

Here are the ACLs:

access-list inside_access_in extended permit ip object PROXY_INT any

access-list inside_access_in extended permit ip object CLC_RT_02_INT any

access-list inside_access_in extended permit ip object-group RFC1918 object REGION_NETS

access-list inside_access_in extended permit ip object DC01_INT any 

access-list inside_access_in extended permit ip object DC02_INT any

access-list inside_access_in extended permit ip object KHB-NOC_INT any

access-list inside_access_in extended permit tcp object REGION_NETS object shop object-group DM_INLINE_TCP_1

access-list inside_access_in extended permit tcp object REGION_NETS object shop eq ftp

access-list inside_access_in extended permit tcp object-group IT_PCs_INT any eq ssh

access-list inside_access_in extended permit tcp object-group IT_PCs_INT any eq telnet

access-list inside_access_in extended permit object HTTP object-group IT_Priv_INT any

access-list inside_access_in extended permit object HTTPS object-group IT_Priv_INT any

access-list inside_access_in extended permit tcp object REGION_NETS object-group SB_EXT eq https

access-list inside_access_in extended permit tcp object REGION_NETS object-group SB_EXT object-group SBER_PORT_667

access-list inside_access_in extended permit object SBER_PORT_670 object REGION_NETS object-group SB_EXT

access-list inside_access_in extended permit object RADMIN object-group IT_PCs_INT any

access-list inside_access_in extended permit object SBER_PORT_666 object REGION_NETS object-group SB_EXT

access-list inside_access_in extended permit ip object REGION_NETS object VPN.mrdv.

access-list inside_access_in extended deny ip object ROZN_Nets object-group RUSSTANDART_EXT

access-list inside_access_in extended permit ip object REGION_NETS object-group RUSSTANDART_EXT

access-list inside_access_in extended permit object RDP object-group IT_PCs_INT any

access-list inside_access_in extended permit object VNC object-group IT_PCs_INT any

access-list inside_access_in extended permit tcp object REGION_NETS object SBERBANK_BONUS eq 10443

access-list inside_access_in extended permit ip object WIFI_GUEST any

access-list global_access extended permit icmp object REGION_NETS any

access-list global_access extended permit ip object REGION_NETS object-group RFC1918


EIGRP ASA<->3825 stuck on update.

Hi,

on your switch is interface GigabitEthernet1/0/20 connected to the router?

You configured this switchport as a trunk link but in the show vlan output it appears, so it can't be a trunk port but an access port.

Can you provide sh int g1/0/20 switchport output.

Regards.

Alain.

Don't forget to rate helpful posts.

EIGRP ASA<->3825 stuck on update.

Yes, it is connected to the router and it is in trunk mode.

It was already posted...

Once again:

sw-01#sh run int Gi1/0/20

Building configuration...

Current configuration : 271 bytes

!

interface GigabitEthernet1/0/20

description *** to G0/0 CO2 ***

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 167,300,507,537,660,666,702,737

switchport mode trunk

rmon collection history 10120 owner campusmanager buckets 10 interval 300

end

As I already said, it is OK, since another 3825-ASA pair is working with almost the same config through this switch, but in another VLAN.


EIGRP ASA<->3825 stuck on update.

Hi,

Yes it is configured as a trunk but is it a trunk ? Because in the show vlan output only access ports should be appearing not trunk ports so could you verify it is indeed a trunk with the sh interface trunk command or sh interface g1/0/20 switchport.

Alain.

Don't forget to rate helpful posts.

Re: EIGRP ASA<->3825 stuck on update.

Alain, you are wrong. "show vlan" shows only access ports, "show vlan id" shows all associated ports.

sw-01#sh interface g1/0/20 switchport        

Name: Gi1/0/20

Switchport: Enabled

Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk associations: none

Administrative private-vlan trunk mappings: none

Operational private-vlan: none

Trunking VLANs Enabled: 167,300,507,537,660,666,702,737

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none


EIGRP ASA<->3825 stuck on update.

Hi Eugene,

So much for me. I had never noticed it before, thanks for the info.

So let's peek again at your problem 

Regards.

Alain.

Don't forget to rate helpful posts.

EIGRP ASA<->3825 stuck on update.

First thing that I see is that you have auto summarization on on your 3825 and it's turned off on your ASA....

John

HTH, John *** Please rate all useful posts ***

Re: EIGRP ASA<->3825 stuck on update.

John, you are wrong. In 15.0 IOS, no auto-summary is the default and is not displayed in the configuration. BTW, it will not prevent route exchange between peers. Although, thank you for the notice.


EIGRP ASA<->3825 stuck on update.

Hi,

Can you do a SPAN session  to mirror traffic on the interface connected to ASA and another one for traffic on the interface going to router.

Alain.

Don't forget to rate helpful posts.

Re: EIGRP ASA<->3825 stuck on update.

Hi! It is very problematic since it is a very remote site and, moreover, there is only one server with virtual machines on it.

UPDATE: But I was able to make a packet capture on the ASA itself. Here are the results:

118 packets captured

   1: 00:01:57.403284 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
   2: 00:01:57.492619 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
   3: 00:01:58.123147 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
   4: 00:02:02.191182 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
   5: 00:02:02.402338 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
   6: 00:02:03.123269 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
   7: 00:02:07.102045 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
   8: 00:02:07.131005 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
   9: 00:02:08.123345 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  10: 00:02:11.755042 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  11: 00:02:12.041745 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  12: 00:02:13.123437 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  13: 00:02:16.335172 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  14: 00:02:16.801411 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  15: 00:02:18.123513 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  16: 00:02:20.907255 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  17: 00:02:21.291153 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  18: 00:02:23.123544 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  19: 00:02:25.219303 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  20: 00:02:26.050885 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  21: 00:02:28.123696 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  22: 00:02:30.011397 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  23: 00:02:30.840532 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  24: 00:02:33.123788 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  25: 00:02:34.723488 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  26: 00:02:35.214283 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  27: 00:02:38.123879 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  28: 00:02:39.107568 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  29: 00:02:39.500019 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  30: 00:02:43.124032 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  31: 00:02:43.967677 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  32: 00:02:44.089762 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  33: 00:02:48.124062 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  34: 00:02:48.403802 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  35: 00:02:48.889434 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  36: 00:02:52.747809 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  37: 00:02:53.124169 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  38: 00:02:53.389170 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  39: 00:02:57.559892 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  40: 00:02:58.124276 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  41: 00:02:58.358868 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  42: 00:03:02.500141 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  43: 00:03:03.008605 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  44: 00:03:03.118600 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  45: 00:03:06.777807 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  46: 00:03:06.778524 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
  47: 00:03:06.780477 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
  48: 00:03:06.784245 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  49: 00:03:08.784444 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  50: 00:03:11.604445 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
  51: 00:03:11.638059 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
  52: 00:03:11.784474 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  53: 00:03:16.207798 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
  54: 00:03:16.284592 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  55: 00:03:16.580490 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
  56: 00:03:20.597503 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
  57: 00:03:21.284653 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  58: 00:03:21.564637 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
  59: 00:03:25.157248 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
  60: 00:03:26.208744 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
  61: 00:03:26.284790 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  62: 00:03:29.466955 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  63: 00:03:30.672542 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  64: 00:03:31.284851 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  65: 00:03:33.736686 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  66: 00:03:35.344678 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  67: 00:03:36.284958 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  68: 00:03:38.106455 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  69: 00:03:40.152717 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  70: 00:03:41.285263 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  71: 00:03:43.046155 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  72: 00:03:44.777623 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  73: 00:03:46.285126 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  74: 00:03:47.485860 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  75: 00:03:49.752860 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  76: 00:03:51.285202 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  77: 00:03:52.125588 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  78: 00:03:54.408960 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  79: 00:03:56.285416 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  80: 00:03:56.585296 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  81: 00:03:58.701044 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  82: 00:04:01.235034 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  83: 00:04:01.285477 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  84: 00:04:03.129128 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  85: 00:04:05.964687 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  86: 00:04:06.285522 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  87: 00:04:07.493199 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  88: 00:04:10.314467 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  89: 00:04:11.285660 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  90: 00:04:12.137322 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  91: 00:04:14.964137 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  92: 00:04:16.285721 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  93: 00:04:16.973384 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  94: 00:04:19.533877 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  95: 00:04:21.285812 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
  96: 00:04:21.825427 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
  97: 00:04:23.973597 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  98: 00:04:26.273499 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
  99: 00:04:26.365581 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
 100: 00:04:26.366283 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
 101: 00:04:26.369838 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
 102: 00:04:26.373698 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
 103: 00:04:28.374080 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
 104: 00:04:30.863190 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
 105: 00:04:30.885909 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
 106: 00:04:31.373988 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
 107: 00:04:35.361965 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
 108: 00:04:35.822879 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
 109: 00:04:35.874085 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
 110: 00:04:39.766073 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
 111: 00:04:40.122659 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
 112: 00:04:40.874115 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
 113: 00:04:44.050214 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52 
 114: 00:04:45.062374 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52 
 115: 00:04:45.874207 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
 116: 00:04:48.577973 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40 
 117: 00:04:49.362072 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40 
 118: 00:04:50.874313 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20 
118 packets shown

UPDATE2:

Almost the same situation with the 3825. I performed an embedded packet capture and it also receives hello messages, sends hellos, sends updates, but there are no updates received!

EIGRP ASA<->3825 stuck on update.

Hi,

So the ASA never sends unicast messages to the 3825 but receives them from the router.

From the previous debug it was trying to send unicast updates but was never receiving acks from the router, and the router was sending unicast updates but was never receiving acks from the ASA.

So we can see that the problem is surely on the ASA side, which is sending multicast hellos but not unicast updates or acks out its inside interface.

But why are these packets never coming out the interface?

Can you do a detailed capture once again and save it as cap file and send it here.

Regards.

Alain.

Don't forget to rate helpful posts.
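The asymmetry described in the reply above (one side sends only multicast, the other sends multicast and unicast) can be checked mechanically against the ASA capture text. The following Python sketch is an added example, not part of the original thread; the sample lines are copied from the capture posted earlier, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Lines 59-65 of the capture posted in this thread (ASA "show capture" format).
CAPTURE = """\
  59: 00:03:25.157248 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 52
  60: 00:03:26.208744 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 52
  61: 00:03:26.284790 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20
  62: 00:03:29.466955 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40
  63: 00:03:30.672542 10.27.6.3 > 224.0.0.10:  ip-proto-88, length 40
  64: 00:03:31.284851 10.27.6.3 > 10.27.6.1:  ip-proto-88, length 20
  65: 00:03:33.736686 10.27.6.1 > 224.0.0.10:  ip-proto-88, length 40
"""

# Only IP protocol 88 (EIGRP) lines are of interest.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}):\s+"
    r"ip-proto-88, length (\d+)"
)


def parse_capture(text):
    """Return [(src, dst, length), ...] for every EIGRP line in the capture."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in map(LINE_RE.match, text.splitlines()) if m]


def tally(packets):
    """Count multicast and unicast EIGRP packets sent by each source address."""
    counts = {}
    for src, dst, _ in packets:
        kind = "multicast" if ipaddress.ip_address(dst).is_multicast else "unicast"
        counts.setdefault(src, Counter())[kind] += 1
    return counts


def one_way_unicast(packets):
    """Return (silent_host, peer): peer unicasts to silent_host, never the reverse."""
    sent = {(s, d) for s, d, _ in packets
            if not ipaddress.ip_address(d).is_multicast}
    return sorted((dst, src) for src, dst in sent if (dst, src) not in sent)


if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    for host, c in sorted(tally(pkts).items()):
        print(host, "multicast:", c["multicast"], "unicast:", c["unicast"])
    print("one-way unicast (silent host, peer):", one_way_unicast(pkts))
```
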

EIGRP ASA<->3825 stuck on update.

Hi! Detailed captures were attached.


EIGRP ASA<->3825 stuck on update.

Hi,

I don't see it.

Alain.

Don't forget to rate helpful posts.

EIGRP ASA<->3825 stuck on update.

Look at the first message attachment.


EIGRP ASA<->3825 stuck on update.

Hi,

OK, I saw them.

Does the address of the router appear in the ARP cache of the ASA?

Is all unicast traffic to the router failing in addition to ICMP?

Alain.

Don't forget to rate helpful posts.

EIGRP ASA<->3825 stuck on update.

The ARP cache on the ASA shows an ARP entry for the 3825:

inside 10.27.6.3 0024.c415.9b00 1605

I have no ability to check this since the ASA has no tools (telnet, ssh), as you probably know.

Re: EIGRP ASA<->3825 stuck on update.

Hi! Thank you all for the replies and help, but the problem was with another strange issue. How was it fixed?

First of all, I was confused by the packet-tracer output:

asa-02# packet-tracer input inside tcp 10.27.6.1 ssh 10.27.6.3 ssh

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network RT_02_EXT
nat (any,any) static RT_02_INT
Additional Information:
NAT divert to egress interface outside
Untranslate 10.27.6.3/22 to x.x.x.x/22

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Although the packet is not ingress to the inside interface (actually it is generated by the ASA), I noticed that some kind of UN-NAT is used here.

So I began to investigate my NAT rules and found two duplicated entries:

!
object network RT_02_EXT
 nat (any,any) static RT_02_INT
object network RT_02_INT
 nat (any,any) static RT_02_EXT
!

As you can see, it was some kind of misconfiguration. I've deleted the second entry and now connectivity is OK.

Once again the behavior of packet-tracer changed (although it is not ingress to inside):

asa-02# packet-tracer input inside tcp 10.27.6.1 ssh 10.27.6.3 ssh

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.27.6.0       255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Conclusion: always take a look at anything strange in the output of troubleshooting commands.

Once again, thanks all. Somebody, please mark my topic as resolved.
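The two object NAT entries quoted in the post above map each object to the other, both on `(any,any)`. The Python sketch below is an added example, not part of the original thread, showing one way to audit an ASA configuration for that pattern; `WEB_SRV` and `WEB_SRV_PUB` are hypothetical names added to the sample, and the function names are assumptions.

```python
import re

# Constructed sample: the two entries from the post plus one unrelated rule
# (WEB_SRV / WEB_SRV_PUB are hypothetical).
SAMPLE_CONFIG = """\
!
object network RT_02_EXT
 nat (any,any) static RT_02_INT
object network RT_02_INT
 nat (any,any) static RT_02_EXT
object network WEB_SRV
 nat (inside,outside) static WEB_SRV_PUB
!
"""

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
# Object NAT only: "nat (real_ifc,mapped_ifc) static <mapped>".
NAT_RE = re.compile(r"^\s*nat \((\S+?),(\S+?)\) static (\S+)")


def parse_object_nat(config):
    """Return [(real_object, real_ifc, mapped_ifc, mapped_target), ...]."""
    rules, current = [], None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and current:
            rules.append((current, m.group(1), m.group(2), m.group(3)))
        elif not line[:1].isspace():
            current = None  # some other top-level command: left the object block
    return rules


def find_reciprocal_static(rules):
    """Pairs (A, B) where A is statically mapped to B and B back to A."""
    mapped = {(real, target) for real, _, _, target in rules}
    return sorted({tuple(sorted(p)) for p in mapped
                   if p[0] != p[1] and (p[1], p[0]) in mapped})


def find_any_any(rules):
    """Static object NAT rules that are not pinned to specific interfaces."""
    return [r for r in rules if r[1] == "any" and r[2] == "any"]


if __name__ == "__main__":
    rules = parse_object_nat(SAMPLE_CONFIG)
    for a, b in find_reciprocal_static(rules):
        print(f"reciprocal static NAT: {a} <-> {b}")
    for real, *_ifcs, target in find_any_any(rules):
        print(f"(any,any) static NAT: {real} -> {target}")
```
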

EIGRP ASA<->3825 stuck on update.

Glad to hear that your problem is solved, but I still don't get why your ASA was getting AS 65536??? Why was it sending the BGP AS across

Re: EIGRP ASA<->3825 stuck on update.

The maximum EIGRP AS number is 65535. 65536, as you mentioned, can only be a 4-byte BGP AS number, but BGP has no place here. It seems to me this is a cosmetic bug in the debug output of ASA OS 8.4.2. It displays EIGRP AS 1 as 65536 (EIGRP AS MAX + 1).
