From: Michael Whittle (mgwhittle@gmail.com)
Date: Fri Jul 04 2008 - 10:39:08 ART
The BGP RIB looks fine. I have added static routes on the ASA toward the PE
and it's stable. If I was having problems with BGP then I would still be
getting outages every few seconds. The issue has something to do with OSPF
or the redistribution. I'm just a little stumped what it could be.
On Thu, Jul 3, 2008 at 3:28 PM, Luan Nguyen <luan.m.nguyen@gmail.com> wrote:
> What does your BGP RIB look like?
> Does the PE spit out any log messages? Could it be BGP withdrawing those
> routes, causing OSPF flapping?
>
> -Luan
>
>
>
> On Thu, Jul 3, 2008 at 9:13 AM, Michael Whittle <mgwhittle@gmail.com>
> wrote:
>
>> Hi Marco,
>>
>> I'm not running VRF-lite. The ASA doesn't have any VRFs configured on it.
>> The MPLS VPN stops at the PE with the VLAN sub-interfaces facing the ASA.
>>
>> This is the relevant ASA config:
>>
>> interface Ethernet0/1
>>  speed 100
>>  duplex full
>>  no nameif
>>  no security-level
>>  no ip address
>> !
>> interface Ethernet0/1.704
>>  vlan 704
>>  nameif vc-vpn1
>>  security-level 85
>>  ip address 87.85.32.34 255.255.255.252
>>  ospf cost 10
>>  ospf priority 0
>>  ospf message-digest-key 1 md5 <removed>
>>  ospf authentication message-digest
>> !
>> router ospf 1
>>  router-id 87.85.62.1
>>  network 87.85.32.32 255.255.255.252 area 0
>>  log-adj-changes
>>  redistribute connected subnets
>>  redistribute static subnets
>>  default-information originate
>> !
>>
>> This is the relevant PE config:
>>
>> interface GigabitEthernet1/48
>>  no ip address
>>  no ip redirects
>>  no ip unreachables
>>  no ip proxy-arp
>>  speed 1000
>>  duplex full
>>  no cdp enable
>> !
>> interface GigabitEthernet1/48.704
>>  encapsulation dot1Q 704
>>  ip vrf forwarding VC-VPN1
>>  ip address 87.85.32.33 255.255.255.252
>>  no ip unreachables
>>  no ip proxy-arp
>>  ip ospf authentication message-digest
>>  ip ospf message-digest-key 1 md5 <removed>
>>  no cdp enable
>> !
>> router ospf 4 vrf VC-VPN1
>>  router-id 87.85.32.33
>>  log-adjacency-changes
>>  redistribute maximum-prefix 100
>>  redistribute bgp 64512 metric 1 subnets route-map VC-VPN1_BGP->OSPF
>>  network 87.85.32.33 0.0.0.0 area 0
>>  distribute-list prefix OSPF_ASA->PE-ALL in GigabitEthernet1/48.704
>> !
>> route-map VC-VPN1_BGP->OSPF permit 10
>>  match ip address prefix-list VC-VPN1_BGP->OSPF
>> !
>> ip prefix-list VC-VPN1_BGP->OSPF seq 5 permit 87.83.252.128/28
>> ip prefix-list VC-VPN1_BGP->OSPF seq 10 permit 87.83.252.160/28
>> ip prefix-list VC-VPN1_BGP->OSPF seq 15 permit 87.83.252.192/28
>> !
>> ip prefix-list OSPF_ASA->PE-ALL seq 5 permit 87.83.255.192/28
>> ip prefix-list OSPF_ASA->PE-ALL seq 10 permit 87.83.62.224/28
>> ip prefix-list OSPF_ASA->PE-ALL seq 15 permit 87.83.62.240/28
>> ip prefix-list OSPF_ASA->PE-ALL seq 20 permit 87.83.62.0/26
>> ip prefix-list OSPF_ASA->PE-ALL seq 25 permit 0.0.0.0/0
>> !
>> router bgp 64512
>>  address-family ipv4 vrf VC-VPN1
>>   no synchronization
>>   redistribute ospf 4 vrf VC-VPN1 route-map OSPF->BGP-ALL
>>   default-information originate
>>  exit-address-family
>> !
>> route-map OSPF->BGP-ALL permit 10
>>  set local-preference 100
>>  set weight 0
>>  set community 11:11
>> !
>>
>> ---
>>
>> Routing Table: VC-VPN1
>> Routing entry for 87.83.252.128/28
>> Known via "bgp 64512", distance 200, metric 10000
>> Tag 64513, type internal
>> Redistributing via ospf 4
>> Advertised by ospf 4 metric 1 subnets route-map VC-VPN1_BGP->OSPF
>> Last update from 89.200.128.138 7w0d ago
>> Routing Descriptor Blocks:
>> * 89.200.128.138 (default), from 87.86.74.4, 7w0d ago
>> Route metric is 10000, traffic share count is 1
>> AS Hops 0
>> Route tag 64513
>> MPLS Required
>>
>> GigabitEthernet1/48.704 is up, line protocol is up (connected)
>> Internet Address 87.85.32.33/30, Area 0
>> Process ID 4, Router ID 87.85.32.33, Network Type BROADCAST, Cost: 1
>> Topology-MTID Cost Disabled Shutdown Topology Name
>> 0 1 no no Base
>> Transmit Delay is 1 sec, State DR, Priority 1
>> Designated Router (ID) 87.85.32.33, Interface address 87.85.32.33
>> No backup designated router on this network
>> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
>> oob-resync timeout 40
>> Hello due in 00:00:09
>> Supports Link-local Signaling (LLS)
>> Cisco NSF helper support enabled
>> IETF NSF helper support enabled
>> Index 1/1, flood queue length 0
>> Next 0x0(0)/0x0(0)
>> Last flood scan length is 1, maximum is 39
>> Last flood scan time is 0 msec, maximum is 4 msec
>> Neighbor Count is 1, Adjacent neighbor count is 1
>> Adjacent with neighbor 87.85.62.1
>> Suppress hello for 0 neighbor(s)
>> Message digest authentication enabled
>> Youngest key id is 1
>>
>> Neighbor ID     Pri   State           Dead Time   Address         Interface
>> 87.85.62.1        0   FULL/DROTHER    00:00:33    87.85.32.34     GigabitEthernet1/48.704
>>
>> ---
>>
>> I have a few VPNs configured like this and they are all working. This is
>> the only one that's having a problem. It's working now but only because I'm
>> routing the 3 routes back to the PE from the ASA. If I don't do that the 3
>> routes exist and then are removed in about 10 second cycles. I can't see why
>> this is happening.
>>
>> Thanks for your help.
>>
>> Cheers,
>> Mike
>>
>>
>> On Thu, Jul 3, 2008 at 12:43 AM, Marko Milivojevic <markom@markom.info>
>> wrote:
>>
>> > A wild shot in the dark here... On that router that is experiencing
>> > problems, are you perhaps running this OSPF in a VRF (VRF-lite)?
>> >
>> > To do more precise troubleshooting, interface and router process
>> > configurations would be needed. Show ip route, show ip ospf nei, show
>> > ip ospf int, etc. would certainly help, too.
>> >
>> > On Wed, Jul 2, 2008 at 8:38 PM, Michael Whittle <mgwhittle@gmail.com>
>> > wrote:
>> > > Hi all,
>> > >
>> > > I wonder if you can help me.
>> > >
>> > > I have an OSPF problem and am a little stuck. I have an MPLS network with
>> > > multiple spoke VPNs. I have a Cisco ASA5510 connected to a PE with a trunk.
>> > > Each VPN connects on its own VLAN. Each connection between the ASA and the
>> > > PE is running OSPF area 0. The ASA only advertises a default route and a
>> > > couple of other routes to each MPLS VPN spoke. The spokes only advertise
>> > > their BGP routes into OSPF using a route-map to filter. Each connection to
>> > > the ASA is configured the same way and it's working perfectly except for one
>> > > of them.
>> > >
>> > > For some reason the ASA is seeing routes flapping on one of them when the
>> > > configurations are identical and everything is shared. It seems to go in
>> > > about a 10 second interval. All routes received, then all routes lost. At
>> > > first I thought it must be a routing loop but usually when this happens you
>> > > would see the routes changing rather than flapping. OSPF is stable and the
>> > > neighbor is up. I'm not seeing anything nasty in the logs. If I add static
>> > > routes on the ASA towards the VPN then it's stable so that rules out the BGP
>> > > routes having issues. My question is what could cause this sort of behavior
>> > > where the routes appear and disappear in cycles like this? Is there anything
>> > > I can check or any useful debugs I can try? I tried "debug ip ospf adj",
>> > > "debug ip ospf spf" and "debug ip ospf events" and none of them show
>> > > anything useful.
>> > >
>> > > I would have thought if there was a problem with OSPF the adjacency would be
>> > > flapping as well. If it was a routing loop surely I wouldn't see the route
>> > > leave altogether, just the next-hop be updated by another device. So I'm just
>> > > trying to work out what else it could be. I would really appreciate some
>> > > tips on what I could try.
>> > >
>> > > Thanks in advance.
>> >
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:53 ART
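
An added example, not part of the thread and not written by any of its participants: a small Python check over the redistribution lines of the PE config quoted above. It lists process pairs that redistribute into each other and any redistribution whose route-map has a permit entry with no match clause (in the quoted config, OSPF->BGP-ALL only sets attributes). The function names are made up for this example, and the output is a set of configuration facts, not a diagnosis of the flapping.

```python
import re

# Redistribution-related lines reproduced from the PE config quoted in the thread.
PE_CONFIG = """\
router ospf 4 vrf VC-VPN1
 redistribute maximum-prefix 100
 redistribute bgp 64512 metric 1 subnets route-map VC-VPN1_BGP->OSPF
!
route-map VC-VPN1_BGP->OSPF permit 10
 match ip address prefix-list VC-VPN1_BGP->OSPF
!
router bgp 64512
 address-family ipv4 vrf VC-VPN1
  redistribute ospf 4 vrf VC-VPN1 route-map OSPF->BGP-ALL
!
route-map OSPF->BGP-ALL permit 10
 set local-preference 100
 set weight 0
 set community 11:11
"""

def parse(config):
    """Return (edges, entries): (into, source, route_map) and {(map, seq): has_match}."""
    edges, entries, proc, entry = [], {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"router (ospf|bgp) (\d+)", line):
            proc, entry = f"{m[1]} {m[2]}", None
        elif m := re.match(r"route-map (\S+) permit (\d+)", line):
            proc, entry = None, (m[1], m[2])
            entries[entry] = False
        elif proc and (m := re.match(r"redistribute (ospf|bgp) (\d+)", line)):
            rm = re.search(r"route-map (\S+)", line)
            edges.append((proc, f"{m[1]} {m[2]}", rm[1] if rm else None))
        elif entry and line.startswith("match "):
            entries[entry] = True
    return edges, entries

def mutual_pairs(edges):
    """Process pairs that redistribute into each other (two-way redistribution)."""
    links = {(into, src) for into, src, _ in edges}
    return sorted({tuple(sorted(p)) for p in links if p[::-1] in links})

def unfiltered(edges, entries):
    """Redistributions with no route-map, or one with a match-less permit entry."""
    open_maps = {name for (name, _), has_match in entries.items() if not has_match}
    return [e for e in edges if e[2] is None or e[2] in open_maps]

if __name__ == "__main__":
    edges, entries = parse(PE_CONFIG)
    print(mutual_pairs(edges), unfiltered(edges, entries))
```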