I'm hoping someone can help with a routing issue I have between a pair of Nexus 7000 switches and a Cisco ASA Firewall.
We have an MPLS WAN linking two sites but have created a backup VPN tunnel in case of failure. Last night there was a failure but there were issues with routing. Below is the topography between the sites for the backup:
On the Cat6500 the summary subnet is 10.10.0.0/16 and on the NX7K is 10.20.0.0/16 (fakes). Under normal circumstances traffic will route over the MPLS using a route picked up via OSPF. I've added a static route at each end pointing to the ASA with a metric of 200 so it will be ignored. If the MPLS goes down the OSPF route disappears and so the static route appears.
On the Cat6500 side the routing works fine and traffic goes to the firewall and then over the VPN tunnel. However on the NX7K side traffic seems to get stuck in a loop between the NX7K and the ASA. When I checked the ASA on the NX7K side I could see it was picking up the OSPF route for the other side from the NX7K, which would explain the loop. When I check the ASA on the Cat6500 side I do not see the route to the other side, which is why there isn't a problem. The Cat6500 is definitely redistributing the static route but the ASA seems to be clever enough to ignore it. However, on the NX7K side it's not ignoring it, which means we can't send traffic over the tunnel.
What do I need to do to make the ASA ignore the redistributed static routes from the NX7K that point to it? Any help would be much appreciated!
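The loop described above, modelled as an added example (not the poster's configurations): each device gets a small RIB, forwarding uses longest-prefix match and then administrative distance, and a hop-by-hop trace shows the packet bouncing between the NX7K and its ASA when the ASA holds the OSPF route that NX7K redistributed from its own floating static. Device names, link topology and the non-/16 addresses are constructed; the /16 site summaries are the placeholders given in the question.

```python
import ipaddress

# Constructed model of the backup path (added example, not the poster's configs).
# RIB entry: (prefix, source, administrative distance, next-hop device);
# a next hop of None means the prefix is directly connected to that device.
def build_ribs(asa_b_has_ospf_route):
    ribs = {
        "nx7k": [("10.20.0.0/16", "connected", 0, None),
                 ("10.10.0.0/16", "static", 200, "asa_b")],   # floating static; MPLS is down
        "asa_b": [("0.0.0.0/0", "static", 1, "asa_a"),        # default toward the VPN peer
                  ("10.20.0.0/16", "ospf", 110, "nx7k")],
        "asa_a": [("0.0.0.0/0", "static", 1, "asa_b"),
                  ("10.10.0.0/16", "ospf", 110, "cat6500")],
        "cat6500": [("10.10.0.0/16", "connected", 0, None),
                    ("10.20.0.0/16", "static", 200, "asa_a")],
    }
    if asa_b_has_ospf_route:
        # What the poster observed: NX7K redistributes its floating static into
        # OSPF, so the ASA learns 10.10.0.0/16 with NX7K itself as the next hop.
        ribs["asa_b"].append(("10.10.0.0/16", "ospf", 110, "nx7k"))
    return ribs

def best_route(table, dst):
    """Longest-prefix match first, then lowest administrative distance."""
    dst = ipaddress.ip_address(dst)
    cands = [r for r in table if dst in ipaddress.ip_network(r[0])]
    if not cands:
        return None
    return max(cands, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]))

def trace(ribs, start, dst, max_hops=8):
    """Follow next hops device by device; return the path and how it ended."""
    path, node = [start], start
    while len(path) <= max_hops:
        r = best_route(ribs[node], dst)
        if r is None:
            return path, "no route"
        if r[3] is None:             # connected: destination is local to this device
            return path, "delivered"
        node = r[3]
        path.append(node)
        if path.count(node) > 1:     # a device is visited twice: forwarding loop
            return path, "loop"
    return path, "ttl expired"

if __name__ == "__main__":
    for broken in (True, False):
        print(trace(build_ribs(broken), "nx7k", "10.10.1.1"))
```

With the redistributed route present the trace ends in a loop after two hops; once the ASA no longer carries that route (however that is achieved on the box), the same packet reaches the Cat6500 via the tunnel.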
"I've added a static route at each end pointing to the ASA with a metric of 200 so it will be ignored. If the MPLS goes down the OSPF route disappears and so the static route appears"
According to your statement above you are running OSPF on all devices but you also have a static route to the ASAs! If OSPF is enabled there is no need for a static route with a higher metric of 200. You just have to cost your links (OSPF cost) and OSPF will detect a failure and route accordingly.
I have never worked with the NX7K, but with dynamic routing enabled on the ASA, the NX7K should be aware of 10.10.0.0/16 from its local connected OSPF neighbor (ASA) via the IPsec tunnel (no need for the static route with metric 200) since both ASAs are OSPF neighbors! You just have a default route to the local ASA on both sides. Once OSPF is up, you just need to cost your links to make the IPsec tunnel less preferred!