From: Michael Whittle (mgwhittle@gmail.com)
Date: Thu Jul 03 2008 - 10:13:05 ART
Hi Marco,
I'm not running VRF-lite. The ASA doesn't have any VRFs configured on it.
The MPLS VPN stops at the PE with the VLAN sub-interfaces facing the ASA.
This is the relevant ASA config:
interface Ethernet0/1
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.704
 vlan 704
 nameif vc-vpn1
 security-level 85
 ip address 87.85.32.34 255.255.255.252
 ospf cost 10
 ospf priority 0
 ospf message-digest-key 1 md5 <removed>
 ospf authentication message-digest
!
router ospf 1
 router-id 87.85.62.1
 network 87.85.32.32 255.255.255.252 area 0
 log-adj-changes
 redistribute connected subnets
 redistribute static subnets
 default-information originate
!
This is the relevant PE config:
interface GigabitEthernet1/48
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 speed 1000
 duplex full
 no cdp enable
!
interface GigabitEthernet1/48.704
 encapsulation dot1Q 704
 ip vrf forwarding VC-VPN1
 ip address 87.85.32.33 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <removed>
 no cdp enable
!
router ospf 4 vrf VC-VPN1
 router-id 87.85.32.33
 log-adjacency-changes
 redistribute maximum-prefix 100
 redistribute bgp 64512 metric 1 subnets route-map VC-VPN1_BGP->OSPF
 network 87.85.32.33 0.0.0.0 area 0
 distribute-list prefix OSPF_ASA->PE-ALL in GigabitEthernet1/48.704
!
route-map VC-VPN1_BGP->OSPF permit 10
 match ip address prefix-list VC-VPN1_BGP->OSPF
!
ip prefix-list VC-VPN1_BGP->OSPF seq 5 permit 87.83.252.128/28
ip prefix-list VC-VPN1_BGP->OSPF seq 10 permit 87.83.252.160/28
ip prefix-list VC-VPN1_BGP->OSPF seq 15 permit 87.83.252.192/28
!
ip prefix-list OSPF_ASA->PE-ALL seq 5 permit 87.83.255.192/28
ip prefix-list OSPF_ASA->PE-ALL seq 10 permit 87.83.62.224/28
ip prefix-list OSPF_ASA->PE-ALL seq 15 permit 87.83.62.240/28
ip prefix-list OSPF_ASA->PE-ALL seq 20 permit 87.83.62.0/26
ip prefix-list OSPF_ASA->PE-ALL seq 25 permit 0.0.0.0/0
!
router bgp 64512
 address-family ipv4 vrf VC-VPN1
  no synchronization
  redistribute ospf 4 vrf VC-VPN1 route-map OSPF->BGP-ALL
  default-information originate
 exit-address-family
!
route-map OSPF->BGP-ALL permit 10
 set local-preference 100
 set weight 0
 set community 11:11
!
---
Routing Table: VC-VPN1
Routing entry for 87.83.252.128/28
  Known via "bgp 64512", distance 200, metric 10000
  Tag 64513, type internal
  Redistributing via ospf 4
  Advertised by ospf 4 metric 1 subnets route-map VC-VPN1_BGP->OSPF
  Last update from 89.200.128.138 7w0d ago
  Routing Descriptor Blocks:
  * 89.200.128.138 (default), from 87.86.74.4, 7w0d ago
      Route metric is 10000, traffic share count is 1
      AS Hops 0
      Route tag 64513
      MPLS Required

GigabitEthernet1/48.704 is up, line protocol is up (connected)
  Internet Address 87.85.32.33/30, Area 0
  Process ID 4, Router ID 87.85.32.33, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 87.85.32.33, Interface address 87.85.32.33
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:09
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 39
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 87.85.62.1
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

Neighbor ID     Pri   State           Dead Time   Address         Interface
87.85.62.1        0   FULL/DROTHER    00:00:33    87.85.32.34     GigabitEthernet1/48.704
---
I have a few VPNs configured like this and they are all working. This is the only one that's having a problem. It's working now but only because I'm routing the 3 routes back to the PE from the ASA. If I don't do that the 3 routes exist and then are removed in about 10 second cycles. I can't see why this is happening.
Thanks for your help.
Cheers, Mike
On Thu, Jul 3, 2008 at 12:43 AM, Marko Milivojevic <markom@markom.info> wrote:
> A wild shot in the dark here... On that router that is experiencing
> problems, are you perhaps running this OSPF in a VRF (VRF-lite)?
>
> To do more precise troubleshooting, interface and router process
> configurations would be needed. Show ip route, show ip ospf nei, show
> ip ospf int, etc. would certainly help, too.
>
> On Wed, Jul 2, 2008 at 8:38 PM, Michael Whittle <mgwhittle@gmail.com> wrote:
> > Hi all,
> >
> > I wonder if you can help me.
> >
> > I have an OSPF problem and am a little stuck. I have an MPLS network
> > with multiple spoke VPNs. I have a Cisco ASA5510 connected to a PE
> > with a trunk. Each VPN connects on its own VLAN. Each connection
> > between the ASA and the PE is running OSPF area 0. The ASA only
> > advertises a default route and a couple of other routes to each MPLS
> > VPN spoke. The spokes only advertise their BGP routes into OSPF using
> > a route-map to filter. Each connection to the ASA is configured the
> > same way and it's working perfectly except for one of them.
> >
> > For some reason the ASA is seeing routes flapping on one of them when
> > the configurations are identical and everything is shared. It seems
> > to go in about a 10 second interval. All routes received, then all
> > routes lost. At first I thought it must be a routing loop but usually
> > when this happens you would see the routes changing rather than
> > flapping. OSPF is stable and the neighbor is up. I'm not seeing
> > anything nasty in the logs. If I add static routes on the ASA towards
> > the VPN then it's stable so that rules out the BGP routes having
> > issues. My question is what could cause this sort of behavior where
> > the routes appear and disappear in cycles like this? Is there
> > anything I can check or any useful debugs I can try? I tried "debug
> > ip ospf adj", "debug ip ospf spf" and "debug ip ospf events" and none
> > of them show anything useful.
> >
> > I would have thought if there was a problem with OSPF the adjacency
> > would be flapping as well. If it was a routing loop surely I wouldn't
> > see the route leave altogether just the next-hop be updated by other
> > device. So I'm just trying to work out what else it could be. I would
> > really appreciate some tips on what I could try.
> >
> > Thanks in advance.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:53 ART