Kevin

Just did a quick test and if a route is marked as inaccessible in the topology table it won't be advertised to any neighbors.

So what is happening is that your ASA (op) is receiving the default route from the border router via EIGRP. But you ASA also has a static default route configured on it. Because of the AD (administrative distance) the static route is preferred and so the EIGRP default route is marked as inaccessible and is not advertised to your DMZ switch.

Solution is as i posted in previous response to this post.

Jon

Thanks for testing that out in a lab environment Jon.  I will have to strip out the static route tomorrow off of the ASA and see if thereafter EIGRP will propogate it down to the bhiedge switch. 

I will let you know Jon.

Kevin

k-melton wrote:
I ran the command "sho eigrp top all-links" as you had indicated.  This showed
the learned routes just as you had indicated (way to go Jon!).
Here is a snapshot:
bhiasaop# sho eigrp top all
EIGRP-IPv4 Topology Table for AS(100)/ID(206.248.224.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 0.0.0.0 0.0.0.0, 0 successors, FD is Inaccessible, serno 0
        via 206.248.224.1 (33280/30720), Ethernet0/0
P 192.168.5.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.3 (30720/28160), Ethernet0/1
P 172.16.1.0 255.255.255.0, 1 successors, FD is 28160, serno 2
        via Connected, Ethernet0/1
P 206.248.224.2 255.255.255.255, 0 successors, FD is Inaccessible, serno 0
        via 206.248.224.1 (30720/28160), Ethernet0/0
P 206.248.224.0 255.255.255.0, 1 successors, FD is 28160, serno 3
        via Connected, Ethernet0/0
For some reason, the ASA is not propogating these routes inward towards the DMZ switch.  I have tried toggling auto-summary on the ASA and receive these messages while running debug on the DMZ switch:
bhiedge#
Jan 26 16:18:59.672: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(100) 100: Neighbor 172.16.1.2 (Vlan1) is down: peer restarted
Jan 26 16:19:00.140: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(100) 100: Neighbor 172.16.1.2 (Vlan1) is up: new adjacency
Jan 26 16:19:01.680: EIGRP-IPv4(Default-IP-Routing-Table:100): 172.16.1.0/24 - do advertise out Vlan1
Jan 26 16:19:01.680: EIGRP-IPv4:(100): Int 206.248.224.0/24 M 28416 - 25600 2816 SM 28160 - 25600 2560
Jan 26 16:19:01.680: EIGRP-IPv4(Default-IP-Routing-Table:100): 206.248.224.0/24 routing table not updated thru 172.16.1.2
Jan 26 16:19:01.688: EIGRP-IPv4(Default-IP-Routing-Table:100): 172.16.1.0/24 - do advertise out Vlan1
Jan 26 16:19:01.688: EIGRP-IPv4:(100): Int 206.248.224.0/24 M 28416 - 25600 2816 SM 28160 - 25600 2560
Jan 26 16:19:01.700: EIGRP-IPv4:(100): Int 206.248.224.0/24 M 28416 - 25600 2816 SM 28160 - 25600 2560
What am I missing Jon?
Kevin

Kevin

I was so busy concentrating on the default route propogation that i didn't notice that your DMZ switch was L3. Raj is right, this really should be L2 unless you have a very good reason to make it L3 and it would remove one more EIGRP peer.

For some reason the switch is seeing the routes as inaccessible with FD. Can you post output of "sh eigrp topology all-links" from the ASA and as Raj suggested "sh ip eigrp neigh".

I would look to make the switch L2 as routing on a DMZ switch really shouldn't be enabled. Is there a specific reason you wanted it as L3 ?

By the way, it's very rare you want "auto-summary" with EIGRP so stick with "no auto-summary" on all devices.

Jon

Jon

I dont mind making the switch L2.  I just need to make sure that if I change their GW to the ASA @ 172.16.1.2, they would still be able to communicate with the devices on the inside networks.  I was unsure if the ASA would act as a gateway for the inside networks.  I can test this when I am back onsite on Friday.

Here are the outputs  you requested:

bhiasaop# sho eigrp nei
EIGRP-IPv4 neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.1.7              Et0/1            13     1d02h 3    200   0   44
2   172.16.1.3              Et0/1            14     1d02h 1    200   0   72
0   206.248.224.1           Et0/0            12     1d02h 6    200   0   41
bhiasaop#

bhiasaop# sh eigrp topology all-links

EIGRP-IPv4 Topology Table for AS(100)/ID(206.248.224.2)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 0.0.0.0 0.0.0.0, 0 successors, FD is Inaccessible, serno 0
        via 206.248.224.1 (33280/30720), Ethernet0/0
P 192.168.5.0 255.255.255.0, 0 successors, FD is Inaccessible, serno 0
        via 172.16.1.3 (30720/28160), Ethernet0/1
P 172.16.0.0 255.255.0.0, 1 successors, FD is 28160, serno 46
        via Summary (28160/0), Null0
P 172.16.1.0 255.255.255.0, 1 successors, FD is 28160, serno 2
        via Connected, Ethernet0/1
P 206.248.224.2 255.255.255.255, 0 successors, FD is Inaccessible, serno 0
        via 206.248.224.1 (30720/28160), Ethernet0/0
P 206.248.224.0 255.255.255.0, 1 successors, FD is 28160, serno 3
        via Connected, Ethernet0/0
bhiasaop#

Thanks John

Jon

I wanted to give you a quick status update of the progress we have made at the client site today.

One at a time, and while using a console connection on each box I was removing a static route from in additon to SSH from the inside network, I was able to remove the static.  At each device once the static was removed, EIGRP would install the 0 route, and the message about it being "inaccessible" would dissapear.  Once again I appreciate your testing it in your lab, as this gave me a high confidence level while moving in that direction here.  Here are the outputs of the respective devices starting at the Border Router.

For testing I was going to disconnect the Ethernet connection to the ISP.  I think you had tested this before (or did you shut down the interface?) and replied that the result was the the Static route was removed.  Once that kink is worked out, I think we are golden here.

I am wondering if I need to use IP SLA to monitor the ISP's gateway.  We had discussed this at some point in the past, and I had configured it to some extent.  Here is the output from the IP SLA configuration on the Border router.  the address being monitored is the ISP GW.

bhigw2#sho run | beg ip sla

ip sla monitor 1
type echo protocol ipIcmpEcho 209.145.88.29
frequency 30
ip sla monitor schedule 1 life forever start-time now

bhigw2#         sho ip sla monitor collection
Entry number: 1
Start Time Index: 11:05:01.955 Eastern Fri Jan 29 2010
Number of successful operations: 120
Number of operations over threshold: 0
Number of failed operations due to a Disconnect: 0
Number of failed operations due to a Timeout: 0
Number of failed operations due to a Busy: 0
Number of failed operations due to a No Connection: 0
Number of failed operations due to an Internal Error: 0
Number of failed operations due to a Sequence Error: 0
Number of failed operations due to a Verify Error: 0
RTT Values:
RTTAvg: 6       RTTMin: 1       RTTMax: 231
NumOfRTT: 120   RTTSum: 722     RTTSum2: 101810

Start Time Index: 12:05:01.955 Eastern Fri Jan 29 2010
Number of successful operations: 44
Number of operations over threshold: 0
Number of failed operations due to a Disconnect: 0
Number of failed operations due to a Timeout: 0
Number of failed operations due to a Busy: 0
Number of failed operations due to a No Connection: 0
Number of failed operations due to an Internal Error: 0
Number of failed operations due to a Sequence Error: 0
Number of failed operations due to a Verify Error: 0
RTT Values:
RTTAvg: 5       RTTMin: 1       RTTMax: 219
NumOfRTT: 45    RTTSum: 266     RTTSum2: 48020

I am still not sure of how to tie this in with the Static route or if I even need to.  Thoughts?

Thx John

Kevin

k-melton wrote:
Jon
I wanted to give you a quick status update of the progress we have made at the client site today.
One at a time, and while using a console connection on each box I was removing a static route from in additon to SSH from the inside network, I was able to remove the static.  At each device once the static was removed, EIGRP would install the 0 route, and the message about it being "inaccessible" would dissapear.  Once again I appreciate your testing it in your lab, as this gave me a high confidence level while moving in that direction here.  Here are the outputs of the respective devices starting at the Border Router.
For testing I was going to disconnect the Ethernet connection to the ISP.  I think you had tested this before (or did you shut down the interface?) and replied that the result was the the Static route was removed.  Once that kink is worked out, I think we are golden here. 
I am wondering if I need to use IP SLA to monitor the ISP's gateway.  We had discussed this at some point in the past, and I had configured it to some extent.  Here is the output from the IP SLA configuration on the Border router.  the address being monitored is the ISP GW.
bhigw2#sho run | beg ip sla

ip sla monitor 1
 type echo protocol ipIcmpEcho 209.145.88.29
 frequency 30
ip sla monitor schedule 1 life forever start-time now
bhigw2#         sho ip sla monitor collection
Entry number: 1
Start Time Index: 11:05:01.955 Eastern Fri Jan 29 2010
Number of successful operations: 120
Number of operations over threshold: 0
Number of failed operations due to a Disconnect: 0
Number of failed operations due to a Timeout: 0
Number of failed operations due to a Busy: 0
Number of failed operations due to a No Connection: 0
Number of failed operations due to an Internal Error: 0
Number of failed operations due to a Sequence Error: 0
Number of failed operations due to a Verify Error: 0
RTT Values:
RTTAvg: 6       RTTMin: 1       RTTMax: 231
NumOfRTT: 120   RTTSum: 722     RTTSum2: 101810
Start Time Index: 12:05:01.955 Eastern Fri Jan 29 2010
Number of successful operations: 44
Number of operations over threshold: 0
Number of failed operations due to a Disconnect: 0
Number of failed operations due to a Timeout: 0
Number of failed operations due to a Busy: 0
Number of failed operations due to a No Connection: 0
Number of failed operations due to an Internal Error: 0
Number of failed operations due to a Sequence Error: 0
Number of failed operations due to a Verify Error: 0
RTT Values:
RTTAvg: 5       RTTMin: 1       RTTMax: 219
NumOfRTT: 45    RTTSum: 266     RTTSum2: 48020

I am still not sure of how to tie this in with the Static route or if I even need to.  Thoughts?
Thx John
Kevin

Kevin

Really glad to see you making progress on this.

As for tracking the ISP next-hop, what type of connectivity are you using to connect to the ISP ? If it was serial for example you wouldn't need to track it but if ethernet you will do.

You can tie in IP SLA with object-tracking which allows you to remove a route from the routing table and insert another one. What we don't really need to do is insert a new one, we just want to remove the default-route if the ISP end goes down. We may need to insert a dummy route though just because that's the way it works - more testing for me i think.

There are a number of approaches to this -

1) if serial connectivity no IP SLA - we are fine

2) if ethernet then we could use IP SLA with object-tracking. If we have to insert another route when we remove the default route we can simply use a dummy route. An additional fail safe would be to use a route-map when we redistribute the statics into EIGRP on the border router. We only allow the default route to be redistributed so whatever dummy route we added would not be redistributed to your ASA.

So couple of questions need answering

1) serial or ethernet

2) are you redistributing only the default route on the border router into EIGRP or are there others

3) Do you use a routing protocol between the border router and the ISP router. I'm guessing no but just wanted to confirm. This is yet another approach we could use ie. peer with the ISP using BGP for example and accept just a default-route off them. You then don't need to have a static route configured on the border router because you are getting it off the ISP. You simply redistribute BGP into EIGRP - that would be why you only want the default route off the ISP and not the full internet routing table.

If the ISP link goes down then they will no longer be sending you a default route which means it will no longer be in the routing table and hence won't be sent to the ASA.

As you can see there are a number of ways of doing it. BGP might be overkill with your ISP for this type of connection and the IP SLA might be a better approach.

Happy to test it for you but first if you could answer questions as we may not need to.

Jon

Jon.. u da man... such nice explanations.. +5 for the last post, for sure ....

sachinraja wrote:
Jon.. u da man... such nice explanations.. +5 for the last post, for sure ....

Raj

Thanks very much, sometimes i reread what i have written and wonder just how easy it is to understand

Jon

Jon

Wanted to respond quickly that we are Metro Ethernet attached - no serial.

Let me read the rest of your post and I will get back to you.

Kevin

More answers for you Jon

2) are you redistributing only the default route on the border router into EIGRP or are there others

Only the default route

3) Do you use a routing protocol between the border router and the ISP router. I'm guessing no but just wanted to confirm. This is yet another approach we could use ie. peer with the ISP using BGP for example and accept just a default-route off them. You then don't need to have a static route configured on the border router because you are getting it off the ISP. You simply redistribute BGP into EIGRP - that would be why you only want the default route off the ISP and not the full internet routing table.

No routing exchange between my client and the ISP

thx Jon

k-melton wrote:
More answers for you Jon
2) are you redistributing only the default route on the border router into EIGRP or are there others
Only the default route
3) Do you use a routing protocol between the border router and the ISP router. I'm guessing no but just wanted to confirm. This is yet another approach we could use ie. peer with the ISP using BGP for example and accept just a default-route off them. You then don't need to have a static route configured on the border router because you are getting it off the ISP. You simply redistribute BGP into EIGRP - that would be why you only want the default route off the ISP and not the full internet routing table.
No routing exchange between my client and the ISP
thx Jon

Kevin

Apologies, you did tell me it was MetroEthernet before, i just forgot.

Right then it looks like the IP SLA setup. I can test this over the weekend and then  provide a working config. Is that okay with you ?

Jon

That is all fine with me Jon.  I am supposed to put this into production on

next Wednesday evening if I can get all the pieces figured out.  Please dont work on this over the weekend

unless it is something you want to do.  I would rather you be enjoying your weekend.  All your effort is

apprciated on a grand scale.

I will read about the object tracking at the link which you have sent.

We are due for a snowstorm here tonight and tomorrow so I may be able to test on this some.

Talk to you soon

Kevin

One more thing

In response to:

2) if ethernet then we could use IP SLA with object-tracking. If we have to insert another route when we remove the default route we can simply use a dummy route. An additional fail safe would be to use a route-map when we redistribute the statics into EIGRP on the border router. We only allow the default route to be redistributed so whatever dummy route we added would not be redistributed to your ASA.

I think I have object tracking configured,,, did you see this on a post from earlier this morning?  I am pinging the ISP GW from the Border router using IP SLA  (perhaps object tracking is different, I will research). 

Also I had created a route map on the Border router as you had recommended this earlier.  It is only allowing the default route and denying all others..

see below:

route-map static permit 10
match ip address 20

bhigw2#sho access-list 20
Standard IP access list 20
    10 permit 0.0.0.0 (3 matches)
    20 deny   any (42 matches)
bhigw2#

Hope this helps

Kevin