10-28-2014 06:45 AM - edited 03-05-2019 12:03 AM
Hi,
I have a router and firewall that work fine. However, I am in process of upgrading the ASA to 9.2(2) code. When I do the upgrade, the ASA fails to establish the adjacency again with the router. Does anyone have any ideas?
Here is the config:
On ASA:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.224
authentication key eigrp 100 XXXX key-id 1
authentication mode eigrp 100 md5
!
router eigrp 100
network 1.2.3.0 255.255.255.224
network 172.18.1.0 255.255.255.0
passive-interface default
no passive-interface outside
redistribute static route-map Redistribute_VPN
=======================================================
On Router
!
!
key chain EIGRP_KEYCHAIN
key 1
key-string XXXX
!
interface GigabitEthernet0/1
ip address 1.2.3.2 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 EIGRP_KEYCHAIN
ip hold-time eigrp 100 35
ip flow ingress
duplex auto
speed auto
!
router eigrp 100
distribute-list Distribute-List out
network 172.18.250.0 0.0.0.255
network 1.2.3.0 0.0.0.31
passive-interface default
no passive-interface Tunnel1
no passive-interface GigabitEthernet0/1
Thank you in advance,
Joel Friedman
CCNP,CCSP,CCVP
Network Manger
Ripley Entertainment
Solved! Go to Solution.
10-28-2014 07:35 AM
Joel
Thanks for clarifying that the EIGRP adjacency does work on 9.1 code and has problems after upgrading to 9.2. It certainly sounds like it is a code based problem. So my first suggestion would be to open a case with Cisco TAC and see what they know about it. If a case with Cisco TAC is not feasible then I would have a couple of suggestions.
- take a copy of the config that is working with 9.1 and a copy of the config after upgrading to 9.2 and look for changes, especially any changes in the interface or in routing protocol parameters.
- you might try taking out the authentication processing for EIGRP and see if the problem is related to authentication or is about something else.
- you might run debug on router and ASA for EIGRP and see if it shows some error.
HTH
Rick
10-28-2014 06:52 AM
Joel
It is not clear to me whether the EIGRP adjacency was working before the code upgrade and stopped working when you did the code upgrade or whether the EIGRP adjacency is something you started after the code upgrade. Can you clarify?
Can you post the output of show ip eigrp interface from the router and the equivalent command from the ASA?
HTH
Rick
10-28-2014 07:08 AM
Richard,
Thank you for getting back to me. EIGRP is working fine on the 9.1(2) code and the system is in production. Unfortunately, I have to wait until 530 AM eastern tomorrow to try the upgrade again. Here are the commands you requested(while it is up and running on 9.1). The interfaces show up in this command on both router and firewall after the upgrade.
RIP-COLO-FW-01# show eigrp int
EIGRP-IPv4 interfaces for process 100
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
outside 2 0/0 1 0/1 50 0
Inside2 0 0/0 0 0/1 0 0
RIP-COLO-RTR-01#show ip eigrp int
EIGRP-IPv4 Interfaces for AS(100)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Gi0/1 2 0/0 0/0 1 0/0 50 0
Joel
10-28-2014 07:35 AM
Joel
Thanks for clarifying that the EIGRP adjacency does work on 9.1 code and has problems after upgrading to 9.2. It certainly sounds like it is a code based problem. So my first suggestion would be to open a case with Cisco TAC and see what they know about it. If a case with Cisco TAC is not feasible then I would have a couple of suggestions.
- take a copy of the config that is working with 9.1 and a copy of the config after upgrading to 9.2 and look for changes, especially any changes in the interface or in routing protocol parameters.
- you might try taking out the authentication processing for EIGRP and see if the problem is related to authentication or is about something else.
- you might run debug on router and ASA for EIGRP and see if it shows some error.
HTH
Rick
05-29-2015 08:57 AM
This turned out to be an EIGRP Auth error. I removed all auth and it started working.
05-31-2015 05:52 PM
Joel
That is very interesting. I am glad that you figured out the problem and found a way to resolve it. Thank you for posting back to the forum to let us know that you found the problem and what it was. This may help other readers in the forum who might face a similar problem.
HTH
Rick
06-01-2015 01:10 PM
Hello, you might be hitting bug CSCut26062.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: