Re: OSPF Troubleshooting Question

From: Luan Nguyen (luan.m.nguyen@gmail.com)
Date: Thu Jul 03 2008 - 11:28:35 ART


What does your BGP RIB look like?
Does the PE spit out any log messages? Could it be BGP withdrawing those
routes, causing the OSPF flapping?

-Luan

On Thu, Jul 3, 2008 at 9:13 AM, Michael Whittle <mgwhittle@gmail.com> wrote:

> Hi Marco,
>
> I'm not running VRF-lite. The ASA doesn't have any VRFs configured on it.
> The MPLS VPN stops at the PE with the VLAN sub-interfaces facing the ASA.
>
> This is the relevant ASA config:
>
> interface Ethernet0/1
> speed 100
> duplex full
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/1.704
> vlan 704
> nameif vc-vpn1
> security-level 85
> ip address 87.85.32.34 255.255.255.252
> ospf cost 10
> ospf priority 0
> ospf message-digest-key 1 md5 <removed>
> ospf authentication message-digest
> !
> router ospf 1
> router-id 87.85.62.1
> network 87.85.32.32 255.255.255.252 area 0
> log-adj-changes
> redistribute connected subnets
> redistribute static subnets
> default-information originate
> !
>
> This is the relevant PE config:
>
> interface GigabitEthernet1/48
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> speed 1000
> duplex full
> no cdp enable
> !
> interface GigabitEthernet1/48.704
> encapsulation dot1Q 704
> ip vrf forwarding VC-VPN1
> ip address 87.85.32.33 255.255.255.252
> no ip unreachables
> no ip proxy-arp
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 <removed>
> no cdp enable
> !
> router ospf 4 vrf VC-VPN1
> router-id 87.85.32.33
> log-adjacency-changes
> redistribute maximum-prefix 100
> redistribute bgp 64512 metric 1 subnets route-map VC-VPN1_BGP->OSPF
> network 87.85.32.33 0.0.0.0 area 0
> distribute-list prefix OSPF_ASA->PE-ALL in GigabitEthernet1/48.704
> !
> route-map VC-VPN1_BGP->OSPF permit 10
> match ip address prefix-list VC-VPN1_BGP->OSPF
> !
> ip prefix-list VC-VPN1_BGP->OSPF seq 5 permit 87.83.252.128/28
> ip prefix-list VC-VPN1_BGP->OSPF seq 10 permit 87.83.252.160/28
> ip prefix-list VC-VPN1_BGP->OSPF seq 15 permit 87.83.252.192/28
> !
> ip prefix-list OSPF_ASA->PE-ALL seq 5 permit 87.83.255.192/28
> ip prefix-list OSPF_ASA->PE-ALL seq 10 permit 87.83.62.224/28
> ip prefix-list OSPF_ASA->PE-ALL seq 15 permit 87.83.62.240/28
> ip prefix-list OSPF_ASA->PE-ALL seq 20 permit 87.83.62.0/26
> ip prefix-list OSPF_ASA->PE-ALL seq 25 permit 0.0.0.0/0
> !
> router bgp 64512
> address-family ipv4 vrf VC-VPN1
> no synchronization
> redistribute ospf 4 vrf VC-VPN1 route-map OSPF->BGP-ALL
> default-information originate
> exit-address-family
> !
> route-map OSPF->BGP-ALL permit 10
> set local-preference 100
> set weight 0
> set community 11:11
> !
>
> ---
>
> Routing Table: VC-VPN1
> Routing entry for 87.83.252.128/28
> Known via "bgp 64512", distance 200, metric 10000
> Tag 64513, type internal
> Redistributing via ospf 4
> Advertised by ospf 4 metric 1 subnets route-map VC-VPN1_BGP->OSPF
> Last update from 89.200.128.138 7w0d ago
> Routing Descriptor Blocks:
> * 89.200.128.138 (default), from 87.86.74.4, 7w0d ago
> Route metric is 10000, traffic share count is 1
> AS Hops 0
> Route tag 64513
> MPLS Required
>
> GigabitEthernet1/48.704 is up, line protocol is up (connected)
> Internet Address 87.85.32.33/30, Area 0
> Process ID 4, Router ID 87.85.32.33, Network Type BROADCAST, Cost: 1
> Topology-MTID Cost Disabled Shutdown Topology Name
> 0 1 no no Base
> Transmit Delay is 1 sec, State DR, Priority 1
> Designated Router (ID) 87.85.32.33, Interface address 87.85.32.33
> No backup designated router on this network
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:09
> Supports Link-local Signaling (LLS)
> Cisco NSF helper support enabled
> IETF NSF helper support enabled
> Index 1/1, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 39
> Last flood scan time is 0 msec, maximum is 4 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 87.85.62.1
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 1
>
> Neighbor ID Pri State Dead Time Address Interface
> 87.85.62.1 0 FULL/DROTHER 00:00:33 87.85.32.34 GigabitEthernet1/48.704
>
> ---
>
> I have a few VPNs configured like this and they are all working. This is
> the only one that's having a problem. It's working now but only because I'm
> routing the 3 routes back to the PE from the ASA. If I don't do that the 3
> routes exist and then are removed in about 10 second cycles. I can't see
> why this is happening.
>
> Thanks for your help.
>
> Cheers,
> Mike
>
>
> On Thu, Jul 3, 2008 at 12:43 AM, Marko Milivojevic <markom@markom.info> wrote:
>
> > A wild shot in the dark here... On that router that is experiencing
> > problems, are you perhaps running this OSPF in a VRF (VRF-lite)?
> >
> > To do more precise troubleshooting, interface and router process
> > configurations would be needed. Show ip route, show ip ospf nei, show
> > ip ospf int, etc. would certainly help, too.
> >
> > On Wed, Jul 2, 2008 at 8:38 PM, Michael Whittle <mgwhittle@gmail.com> wrote:
> > > Hi all,
> > >
> > > I wonder if you can help me.
> > >
> > > I have an OSPF problem and am a little stuck. I have an MPLS network with
> > > multiple spoke VPNs. I have a Cisco ASA5510 connected to a PE with a
> > > trunk. Each VPN connects on its own VLAN. Each connection between the ASA
> > > and the PE is running OSPF area 0. The ASA only advertises a default route
> > > and a couple of other routes to each MPLS VPN spoke. The spokes only
> > > advertise their BGP routes into OSPF using a route-map to filter. Each
> > > connection to the ASA is configured the same way and it's working
> > > perfectly except for one of them.
> > >
> > > For some reason the ASA is seeing routes flapping on one of them when the
> > > configurations are identical and everything is shared. It seems to go in
> > > about a 10 second interval. All routes received, then all routes lost. At
> > > first I thought it must be a routing loop but usually when this happens
> > > you would see the routes changing rather than flapping. OSPF is stable and
> > > the neighbor is up. I'm not seeing anything nasty in the logs. If I add
> > > static routes on the ASA towards the VPN then it's stable so that rules
> > > out the BGP routes having issues. My question is what could cause this
> > > sort of behavior where the routes appear and disappear in cycles like
> > > this? Is there anything I can check or any useful debugs I can try? I
> > > tried "debug ip ospf adj", "debug ip ospf spf" and "debug ip ospf events"
> > > and none of them show anything useful.
> > >
> > > I would have thought if there was a problem with OSPF the adjacency would
> > > be flapping as well. If it was a routing loop surely I wouldn't see the
> > > route leave altogether, just the next-hop be updated by another device. So
> > > I'm just trying to work out what else it could be. I would really
> > > appreciate some tips on what I could try.
> > >
> > > Thanks in advance.
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:53 ART
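
A policy check that can be run over a PE configuration like the one quoted in the thread, shown here as an added example that is not part of any poster's message: it resolves each `redistribute ... route-map` statement to the prefixes it permits and flags route-maps with no `match` clause. The function name `audit_redistribution` is hypothetical, only `permit` entries are parsed, and the result describes the filtering policy only; it does not identify the cause of the flapping.

```python
import re

# Routing-policy lines copied from the PE config quoted in the thread.
PE_CONFIG = """\
router ospf 4 vrf VC-VPN1
 redistribute bgp 64512 metric 1 subnets route-map VC-VPN1_BGP->OSPF
route-map VC-VPN1_BGP->OSPF permit 10
 match ip address prefix-list VC-VPN1_BGP->OSPF
ip prefix-list VC-VPN1_BGP->OSPF seq 5 permit 87.83.252.128/28
ip prefix-list VC-VPN1_BGP->OSPF seq 10 permit 87.83.252.160/28
ip prefix-list VC-VPN1_BGP->OSPF seq 15 permit 87.83.252.192/28
router bgp 64512
 address-family ipv4 vrf VC-VPN1
 redistribute ospf 4 vrf VC-VPN1 route-map OSPF->BGP-ALL
route-map OSPF->BGP-ALL permit 10
 set local-preference 100
 set weight 0
 set community 11:11
"""

def audit_redistribution(config):
    """Map (target process, source process, route-map) to permitted prefixes or a warning."""
    prefix_lists, route_maps, redists = {}, {}, []
    context = current_map = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"router (\S+ \S+)", line):
            context, current_map = m.group(1), None
        elif m := re.match(r"route-map (\S+) permit \d+", line):
            current_map = m.group(1)
            route_maps.setdefault(current_map, [])
        elif m := re.match(r"match ip address prefix-list (\S+)", line):
            if current_map:
                route_maps[current_map].append(m.group(1))
        elif m := re.match(r"ip prefix-list (\S+) seq \d+ permit (\S+)", line):
            prefix_lists.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"redistribute (\S+ \S+).* route-map (\S+)", line):
            redists.append((context, m.group(1), m.group(2)))
    report = {}
    for target, source, rmap in redists:
        matches = route_maps.get(rmap)  # resolved last: definitions may follow their use
        if matches is None:
            verdict = "route-map not defined"
        elif not matches:
            verdict = "no match clause: permits every route"
        else:
            verdict = sorted(p for name in matches for p in prefix_lists.get(name, []))
        report[(target, source, rmap)] = verdict
    return report
```

On the quoted config the BGP-to-OSPF direction resolves to the three /28 prefixes, while `OSPF->BGP-ALL` carries only `set` clauses and is reported as unfiltered.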