From: nem chua (nemthuduc@gmail.com)
Date: Thu Apr 12 2007 - 14:46:11 ART
I think I found a Cisco bug with 7.1.2. Looks like in transparent mode,
multicast was not passed somehow from the inside interface to the external
interface. We had gig 0/0 as the outside, and 1/2 as the inside, and we
can't get OSPF to establish adjacency. The inside interface saw the hellos,
but the outside interface did not. When I put both the inside and outside
interface on the same slot 0, it works.
Cisco didn't seem to be aware of this bug; our TAC engineer recommended
upgrading to the latest release, but didn't find anything specific to this
issue in the latest code. I have not yet loaded the new code to confirm if
it would fix the issue, so the workaround is to put both the outside and
inside interface in the same slot.
Thanks for all your help.
On 4/12/07, nem chua <nemthuduc@gmail.com> wrote:
>
> I think I'll try the upgrading software path. I talked to cisco and was
> told the version 7.1.2 shouldn't be an issue with OSPF, but worth a try.
>
> I also removed authentication, but no luck. I'll post to the group if the
> upgrade works.
>
> Thank you everyone for your response.
>
>
> On 4/12/07, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
> >
> > Dear Gustavo
> >
> > I think you are confusing something here, or I am :)
> >
> > Nem, has ASA(s) and not FWSM(s)
> >
> > Nem, I would suggest to try and test your setup with one firewall only,
> > removing all failover configuration and other extra things (if possible,
> > assuming this is not a production environment).
> >
> > Also, the ASA software has loads of bugs in it, so try upgrading to 7.2(2),
> > the latest public release (if possible).
> >
> > And last but not least, try OSPF without authentication.
> >
> > Regards
> >
> > Farrukh
> >
> > On 4/12/07, Gustavo Novais <gustavo.novais@novabase.pt > wrote:
> > >
> > > Hi again
> > >
> > > Where are your interface and bridge-group definitions?
> > >
> > > See
> > > http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602ff7.html#wp1047426
> > > for an example.
> > >
> > > I'm curious regarding spanning-tree... what is its current state? Which
> > > port is blocking? Is it the one leading to the standby firewall? On the
> > > VLAN 10 side, or VLAN 44?
> > >
> > >
> > > Gustavo Novais
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > nem chua
> > > Sent: Thursday, 12 April 2007 14:25
> > > To: Farrukh Haroon
> > > Cc: Cisco certification
> > > Subject: Re: OSPF over ASA transparent mode
> > >
> > > Nope, no dhcp snooping, just plain ports assigned to a vlan.
> > >
> > > Here is the diagram:
> > >
> > > 3750 external -----------vlan10-----------------3750 external
> > >       |                                               |
> > >    vlan 10                                         vlan 10
> > >       |                                               |
> > > ASA firewall--------------Failover--------------- ASA Firewall
> > >       |                                               |
> > >    vlan 44                                         vlan 44
> > >       |                                               |
> > > -----------------------3750 internal switch---------------------
> > >
> > >
> > > Here is the config on an external 3750, an internal 3750, and the
> > > primary ASA firewall.
> > >
> > > 3750 external switch config:
> > >
> > > interface Loopback0
> > >  ip address 172.16.249.28 255.255.255.255
> > > !
> > > interface Vlan10
> > >  ip address 172.16.249.6 255.255.255.240
> > >  no ip redirects
> > >  no ip proxy-arp
> > >  ip ospf priority 10
> > > !
> > > interface Vlan30
> > >  ip address 172.16.249.21 255.255.255.252
> > >  no ip redirects
> > >  no ip proxy-arp
> > >  ip ospf authentication message-digest
> > >  ip ospf message-digest-key 1 md5 7 082C424F590A1511
> > >  ip ospf dead-interval minimal hello-multiplier 4
> > >  ip ospf priority 10
> > > !
> > > router ospf 1
> > >  router-id 172.16.249.28
> > >  log-adjacency-changes
> > >  auto-cost reference-bandwidth 100000
> > >  timers throttle spf 10 100 5000
> > >  timers throttle lsa all 10 100 5000
> > >  timers lsa arrival 80
> > >  passive-interface default
> > >  no passive-interface Vlan10
> > >  no passive-interface Vlan30
> > >  network 172.16.249.0 0.0.0.255 area 0
> > >
> > >
> > >
> > > 3750 internal switch config:
> > >
> > > interface Loopback0
> > >  ip address 172.16.249.25 255.255.255.255
> > > !
> > > interface Vlan44
> > >  ip address 172.16.249.7 255.255.255.240
> > > !
> > > router ospf 1
> > >  router-id 172.16.249.25
> > >  log-adjacency-changes
> > >  auto-cost reference-bandwidth 100000
> > >  timers throttle spf 10 100 5000
> > >  timers throttle lsa all 10 100 5000
> > >  timers lsa arrival 80
> > >  redistribute connected subnets
> > >  network 10.254.0.0 0.0.255.255 area 0
> > >  network 172.16.249.0 0.0.0.255 area 0
> > >
> > > ASA firewall config:
> > >
> > > access-list in extended permit ospf any any log
> > > access-list in extended permit ip any any log
> > > access-list in extended permit ip any host 224.0.0.2
> > > access-list in extended permit ip any host 224.0.0.5
> > > access-list in extended permit ip any host 224.0.0.6
> > > access-list in extended permit ip 224.0.0.0 255.0.0.0 any
> > > access-list in extended permit ip any 224.0.0.0 255.0.0.0
> > > pager lines 24
> > > logging enable
> > > logging timestamp
> > > logging console informational
> > > logging buffered informational
> > > logging asdm informational
> > > mtu outside 1500
> > > mtu inside 1500
> > > ip address 172.16.249.1 255.255.255.240 standby 172.16.249.2
> > > failover
> > > failover lan unit secondary
> > > failover lan interface failover GigabitEthernet1/3
> > > failover key *****
> > > failover link failover GigabitEthernet1/3
> > > failover interface ip failover 192.168.254.248 255.255.255.0 standby 192.168.254.249
> > > no asdm history enable
> > > arp timeout 14400
> > > access-group in in interface outside
> > > access-group in out interface outside
> > > access-group in in interface inside
> > > access-group in out interface inside
> > > route outside 0.0.0.0 0.0.0.0 c3750-xglobal-ab 1
> > > timeout xlate 3:00:00
> > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> > > timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > timeout uauth 0:05:00 absolute
> > > no snmp-server location
> > > no snmp-server contact
> > > snmp-server enable traps snmp authentication linkup linkdown coldstart
> > >
> > > telnet timeout 5
> > > ssh timeout 5
> > > console timeout 0
> > > !
> > > class-map inspection_default
> > >  match default-inspection-traffic
> > > !
> > > !
> > > policy-map global_policy
> > >  class inspection_default
> > >   inspect dns maximum-length 512
> > >   inspect ftp
> > >   inspect h323 h225
> > >   inspect h323 ras
> > >   inspect rsh
> > >   inspect rtsp
> > >   inspect esmtp
> > >   inspect sqlnet
> > >   inspect skinny
> > >   inspect sunrpc
> > >   inspect xdmcp
> > >   inspect sip
> > >   inspect netbios
> > >   inspect tftp
> > > !
> > > service-policy global_policy global
> > > Cryptochecksum:6abc4761fa7f8c39417f7bf3e4773065
> > > : end
> > >
> > >
> > >
> > >
> > > On 4/12/07, Farrukh Haroon < farrukhharoon@gmail.com > wrote:
> > > >
> > > > Nem, are you using any other security features on your switch ports
> > > > connected to the ASA?
> > > >
> > > > Something like DHCP snooping etc.? This could sometimes cause
> > > > problems, so disable any security feature (if present) and try.
> > > >
> > > > Also don't forget to assign the management IP address, it is
> > > > important.
> > > >
> > > > Regards
> > > >
> > > > Farrukh
> > > >
> > > > On 4/12/07, Farrukh Haroon < farrukhharoon@gmail.com> wrote:
> > > > >
> > > > > Hello Gustavo
> > > > >
> > > > > This is not true, the ASA does not 'participate' in multicast
> > > > > while in transparent mode, but it *does* let multicast traffic pass
> > > > > through it as long as the ACLs are properly configured.
> > > > >
> > > > > Regards
> > > > >
> > > > > Farrukh
> > > > >
> > > > > On 4/12/07, Gustavo Novais < gustavo.novais@novabase.pt> wrote:
> > > > > >
> > > > > > If, as Anthony said, ASA does not support multicast... how about
> > > > > > using an NBMA or point-to-multipoint non-broadcast OSPF network
> > > > > > type between your two routers? If the updates are sent as
> > > > > > unicast... you might get there...
> > > > > >
> > > > > > HTH
> > > > > >
> > > > > > Gustavo Novais
> > > > > >
> > > > > > ________________________________
> > > > > >
> > > > > > From: nobody@groupstudy.com on behalf of nem chua
> > > > > > Sent: Thu 12-04-2007 4:57
> > > > > > To: Marvin Greenlee
> > > > > > Cc: Cisco certification
> > > > > > Subject: Re: OSPF over ASA transparent mode
> > > > > >
> > > > > >
> > > > > >
> > > > > > Yep, I tried that too, but no go.
> > > > > >
> > > > > > I'll try to get that config and send it tomorrow.
> > > > > >
> > > > > > Thanks all.
> > > > > >
> > > > > >
> > > > > > On 4/11/07, Marvin Greenlee < marvin@ipexpert.com> wrote:
> > > > > > >
> > > > > > > You need to permit it on the inside as well. Non-TCP/UDP
> > > > > > > traffic (like EIGRP or OSPF) can be permitted with an access
> > > > > > > list.
> > > > > > >
> > > > > > > Add an ACL to the inside interface with a permit ip any any or
> > > > > > > permit ospf any any and see what happens.
> > > > > > >
> > > > > > > Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> > > > > > > Senior Technical Instructor - IPexpert, Inc.
> > > > > > > "When Will You Be an IP Expert?"
> > > > > > > marvin@ipexpert.com
> > > > > > > http://www.IPexpert.com
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > > > > Behalf Of nem chua
> > > > > > > Sent: Wednesday, April 11, 2007 9:08 PM
> > > > > > > To: anthony.sequeira@thomson.com
> > > > > > > Cc: Cisco certification
> > > > > > > Subject: Re: OSPF over ASA transparent mode
> > > > > > >
> > > > > > > Hi, thank you everyone for responding to my email.
> > > > > > >
> > > > > > > Anthony, now this is interesting, each interface must be in a
> > > > > > > separate VLAN? So according to the drawing, I'm assuming each
> > > > > > > interface on the external and internal 3750 has to be a
> > > > > > > separate VLAN???
> > > > > > >
> > > > > > > In ASA transparent mode, I thought the entire network should
> > > > > > > be one VLAN and one subnet because the firewall is like a
> > > > > > > bridge between the 3750 outside and inside, why would I want
> > > > > > > to use a separate VLAN on each 3750 link?
> > > > > > >
> > > > > > > Everything else I tried. The MTU is at the default 1500 bytes.
> > > > > > > I created an access list and applied it to the external
> > > > > > > interface to allow ip any to any, still no go. From the debugs
> > > > > > > it looks like the inside switches see the hellos coming from
> > > > > > > the outside, and have those neighbors in INIT state. However
> > > > > > > the external switch does not see any hello coming from the
> > > > > > > internal switch.
> > > > > > >
> > > > > > > Thanks much.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > 3750 external switch -----------vlan10----------------3750 external switch
> > > > > > >          |                                                    |
> > > > > > >       vlan 10                                              vlan 10
> > > > > > >          |                                                    |
> > > > > > >    ASA firewall--------------Failover--------------- ASA Firewall
> > > > > > >          |                                                    |
> > > > > > >       vlan 10                                              vlan 10
> > > > > > >          |                                                    |
> > > > > > > 3750 internal switch--------------vlan 10----------------3750 internal switch
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On 4/11/07, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > Errr - I just realized I might have answered too quickly
> > > > > > > > here and not read your original post closely enough....
> > > > > > > >
> > > > > > > > It sounds like you want OSPF traffic to pass THROUGH the
> > > > > > > > transparent firewall. This should be permitted as long as
> > > > > > > > your extended ACL provides the appropriate permissions.
> > > > > > > >
> > > > > > > > So I would check your ACL carefully - and then check your
> > > > > > > > guidelines on transparent firewalling:
> > > > > > > >
> > > > > > > > * Each directly connected network must be on the same subnet
> > > > > > > > * A management IP address is required and must be on the
> > > > > > > >   same subnet
> > > > > > > > * Each interface must be a different VLAN interface
> > > > > > > >
> > > > > > > > Anthony J. Sequeira
> > > > > > > > #15626
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> > > > > > > > On Behalf Of
> > > > > > > > Sequeira, Anthony (NETg)
> > > > > > > > Sent: Wednesday, April 11, 2007 5:35 PM
> > > > > > > > To: nemthuduc@gmail.com ; ccielab@groupstudy.com
> > > > > > > > Subject: RE: OSPF over ASA transparent mode
> > > > > > > >
> > > > > > > > The following features are not supported in Transparent Mode:
> > > > > > > >
> > > > > > > > * DYNAMIC ROUTING PROTOCOLS
> > > > > > > > * NAT
> > > > > > > > * IPv6
> > > > > > > > * DHCP Relay
> > > > > > > > * QoS
> > > > > > > > * Multicast
> > > > > > > > * VPN Termination for Through Traffic
> > > > > > > >
> > > > > > > > Anthony J Sequeira
> > > > > > > > #15626
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> > > > > > > > On Behalf Of
> > > > > > > > nem chua
> > > > > > > > Sent: Wednesday, April 11, 2007 4:55 PM
> > > > > > > > To: Cisco certification
> > > > > > > > Subject: OSPF over ASA transparent mode
> > > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > Has anyone run this before? When I had the ASA firewall run
> > > > > > > > OSPF it works fine. I tried running the ASA firewall in
> > > > > > > > transparent mode, access-list wide open for ip any any, and
> > > > > > > > ospf any any. All traffic passes fine, but OSPF will not
> > > > > > > > form an adjacency and is stuck in INIT state. If I plug the
> > > > > > > > router on each end directly, bypassing the firewall, it
> > > > > > > > works fine. Any idea?
> > > > > > > >
> > > > > > > >
> > > > > > > > _______________________________________________________________________
> > > > > > > > Subscription information may be found at:
> > > > > > > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART