Solved: CharlieAs far as i can see

Charles W · ‎03-28-2014

Hello everyone,

I have a bit of an unusual issue and I'm unable to determine how to proceed. We are trying to establish a backup IPSEC tunnel to support our sites should our MPLS network become unavailable. We're having trouble trying to configure the necessary SLA Monitor at one of our sites. Please consider the attached diagram.

In order for this to work, it is my understanding that both A-ASA and Z-ASA will need to be able to monitor the other side's MPLS interface. So...
Z-ASA ---echo--->A-Edge-02 This works
A-ASA ---echo--->Z-Edge-02 This does not work

Only one line was necessary to enable this on Z-ASA: route MPLS A-Edge-02 255.255.255.255 Z-Edge-02
The same line (reverse) was created on A-ASA to no effect: route Outside Z-Edge-02 255.255.255.255 A-Edge-02

I believe this has to do with the fact that Z-ASA uses a separate interface for MPLS and Internet, whereas it is combined on A-ASA. Furthermore, A-ASA has a public IP on its outside address.

I believe this is simply an issue of getting the A-ASA Outside IP advertised (we use BGP) on the MPLS network, because when I try to ping Z-ASA/MPLS from A-ASA/Outside I can see the packets come in, but then they are unable to route back to the origin.

Excerpts A-Edge-02 follow. Note that A-ASA-Outside falls within Public_IP_Block.

router bgp B222
no synchronization
bgp log-neighbor-changes
network DMZ1.1.56 mask 255.255.255.248
network DMZ2.1.64 mask 255.255.255.248
network TRUST.0.0 mask 255.255.0.0
network SIP.20.0 mask 255.255.255.0
network Public_IP_Block mask 255.255.255.224
neighbor MPLS_GW remote-as A111
neighbor MPLS_GW prefix-list MPLS_IPs out
neighbor A-Edge-01 remote-as B222
neighbor A-Edge-01 next-hop-self
neighbor Internet_GW remote-as C333
neighbor Internet_GW prefix-list BGP_IPs out
no auto-summary

ip prefix-list BGP_IPs seq 5 permit Public_IP_Block/27
ip prefix-list BGP_IPs seq 10 deny 0.0.0.0/0
!
ip prefix-list MPLS_IPs seq 5 permit TRUST.0.0/16
ip prefix-list MPLS_IPs seq 6 permit DMZ1.1.56/29
ip prefix-list MPLS_IPs seq 7 permit DMZ2.1.64/29
ip prefix-list MPLS_IPs seq 8 permit SIP.20.0/24
ip prefix-list MPLS_IPs seq 10 permit A-ASA-Outside/32

I'm stuck - any assistance is greatly appreciated!

Jon Marshall · ‎03-31-2014

Charlie

Is "A-ASA-Outside/32" the specific host address for the ASA ?

If so you do not have a network statement for that. The network statement you have under BGP is for the public subnet but your prefix list is only matching the specific host address.

So you need to change the prefix list to match the public subnet instead of the host address.

A possible alternative would be to add "network ...." statement for the specific IP address but then you need a matching route ie. a host route in the IP routing table for it to be advertised because a BGP network statement must find an exact match in the routing table.

However this is a directly connected subnet so you may not be able to do it.

You could try adding a host specific route with the next hop the outgoing interface on the router going to the ASA but i'm not sure this will work.

Jon

View solution in original post

Jon Marshall · ‎03-29-2014

Charlie

As far as i can see you are right, you need to advertise that IP to the MPLS network because currently you aren't so there is no route back.

Jon

Charles W · ‎03-31-2014

Hi Jon, Thanks for your reply! Wouldn't this line cause it to be advertised on the MPLS network?

ip prefix-list MPLS_IPs seq 10 permit A-ASA-Outside/32

A-ASA-Outside is part of the public ip block that it's already included in the bgp config... am I missing something?

Many thanks for your help!

Jon Marshall · ‎03-31-2014

Charlie

Is "A-ASA-Outside/32" the specific host address for the ASA ?

If so you do not have a network statement for that. The network statement you have under BGP is for the public subnet but your prefix list is only matching the specific host address.

So you need to change the prefix list to match the public subnet instead of the host address.

A possible alternative would be to add "network ...." statement for the specific IP address but then you need a matching route ie. a host route in the IP routing table for it to be advertised because a BGP network statement must find an exact match in the routing table.

However this is a directly connected subnet so you may not be able to do it.

You could try adding a host specific route with the next hop the outgoing interface on the router going to the ASA but i'm not sure this will work.

Jon

Charles W · ‎03-31-2014

Jon, this was exactly it - no matching route.

I added a host-specific route using the internal interface of Edge-02 and it popped right into the table and converged just about instantly.

Thank you!

Jon Marshall · ‎03-31-2014

Charlie

No problem, glad to help.

Just for my own clarification did you also add a "network ..." statement under BGP for that specific host address ?

Jon

Charles W · ‎03-31-2014

Indeed, I did!

Thank you again!

Jon Marshall · ‎03-31-2014

Charlie

Thanks for clarifying.

Just wanted to make sure it wasn't some unexpected behaviour of BGP

Jon

Routing ICMP from specific public address across MPLS network