Re: ASA FW blocking OSPF packet

From: Edward John <edwardjohn2020_at_googlemail.com>
Date: Mon, 18 Oct 2010 10:21:55 +0300

*Neighbor Down: Too many retransmissions* - I would suspect the MTU.
Did you check the MTU already?

Regards,
John

On Mon, Oct 18, 2010 at 9:35 AM, sameer inam <i_sameer_at_hotmail.com> wrote:

> Please see below the OSPF neighbor details from the router.
>
>
> Router#sh ip ospf neighbor
> Neighbor ID Pri State Dead Time Address Interface
> 10.0.255.1 200 EXSTART/DR 00:01:56 192.168.253.1 Tunnel1
> Router#
> *Oct 18 06:24:54.383: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.255.1 on Tunnel1
> from EXSTART to DOWN, Neighbor Down: Too many retransmissions
> *Oct 18 06:25:54.383: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.255.1 on Tunnel1
> from DOWN to DOWN, Neighbor Down: Ignore timer expired
>
> Date: Sun, 17 Oct 2010 16:31:32 -0500
> Subject: Re: ASA FW blocking OSPF packet
> From: baker.garry_at_gmail.com
> To: i_sameer_at_hotmail.com
> CC: ccielab_at_groupstudy.com
>
> When the ASA is not there, does the tunnel interface show a neighbor?
>
> It seems that the OSPF adjacency should be over the tunnel, and the ASA will
> pass everything that goes through the tunnel.
>
> What is the neighbor that comes up without the ASA in front of or in the
> middle of the adjacency? I assume that would be the case.
>
> Can you show the "show ip ospf int br" and "show ip ospf neigh" before and
> after?
>
> I am just not seeing how the ASA comes into play if the OSPF is really
> going over the tunnel.
>
> --
> Garry L. Baker
>
> "There is no 'patch' for stupidity." - www.sqlsecurity.com
>
> On Sun, Oct 17, 2010 at 1:44 PM, sameer inam <i_sameer_at_hotmail.com> wrote:
>
> Yes, OSPF is on the GRE tunnel interface. The problem is that there is no
> OSPF activity on the router after deploying the ASA; if I remove the ASA
> from in front of the router, then OSPF comes up. Please see below the
> configuration of the router.
>
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cxxxx.xxx address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
> !
> crypto ipsec profile CISCO
> set transform-set dmvpnset
> !
> !
> !
> !
> interface Loopback1
> ip address 10.0.255.3 255.255.255.255
> load-interval 30
> !
> interface Tunnel1
> description
> ip address 192.168.xxx.xx 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication dmvpn
> ip nhrp map multicast dynamic
> ip nhrp map multicast 193.xxx.xxx.xx
> ip nhrp map 192.168.xxx.xx 193.xx.xxx.xx
> ip nhrp network-id 99
> ip nhrp holdtime 300
> ip nhrp nhs 192.168.253.1
> no ip route-cache cef
> ip route-cache flow
> ip tcp adjust-mss 1360
> ip ospf network broadcast
> ip ospf hello-interval 30
> ip ospf priority 0
> load-interval 30
> qos pre-classify
> tunnel source FastEthernet0/0
> tunnel mode gre multipoint
> tunnel key 100000
> tunnel path-mtu-discovery
> tunnel protection ipsec profile CISCO
> service-policy output BRANCH-LAN
> !
> interface FastEthernet0/0
> description
> ip address xx.xx.xx.xx 255.255.x.xxx
> ip nbar protocol-discovery
> ip flow ingress
> ip flow egress
> ip nat outside
> ip virtual-reassembly
> ip route-cache flow
> load-interval 30
> duplex auto
> speed auto
> interface FastEthernet0/1
> ip address 10.0.xx.xx 255.255.255.0
> ip nbar protocol-discovery
> ip flow ingress
> ip flow egress
> ip nat inside
> ip virtual-reassembly max-reassemblies 30
> ip route-cache flow
> load-interval 30
> duplex auto
> speed auto
> router ospf 1
> router-id 10.0.255.3
> log-adjacency-changes
> area 108 nssa no-summary
> network 10.0.xx.xx 0.0.0.0 area 108
> network 10.0.xxx.xx 0.0.0.0 area 108
> network 192.168.xx.xx 0.0.0.0 area 108
>
> Date: Sun, 17 Oct 2010 13:21:14 -0500
> Subject: Re: ASA FW blocking OSPF packet
> From: baker.garry_at_gmail.com
> To: i_sameer_at_hotmail.com
> CC: ccielab_at_groupstudy.com
>
> Will need to see more about your configs and/or a simple diagram maybe. Do
> you have OSPF on the tunnel interface?
>
> If so, what is the neighbor state?
>
> Do you have connectivity to the OSPF neighbor/neighbors?
>
> --
> Garry L. Baker
>
> "There is no 'patch' for stupidity." - www.sqlsecurity.com
>
> On Sun, Oct 17, 2010 at 1:03 PM, sameer inam <i_sameer_at_hotmail.com> wrote:
>
>
> Running OSPF over the DMVPN IPsec tunnel.
>
> Date: Sun, 17 Oct 2010 11:06:26 -0500
> Subject: Re: ASA FW blocking OSPF packet
> From: baker.garry_at_gmail.com
> To: i_sameer_at_hotmail.com
> CC: ccielab_at_groupstudy.com
>
> Are you trying to peer with the Cisco router as an OSPF adjacency, or run
> OSPF over the DMVPN IPsec tunnel?
> --
> Garry L. Baker
>
> "There is no 'patch' for stupidity." - www.sqlsecurity.com
>
> On Sun, Oct 17, 2010 at 10:55 AM, sameer inam <i_sameer_at_hotmail.com> wrote:
>
> Hello Expert,
>
> I am trying to install an ASA 5505 facing the ISP using a /30 IP subnet,
> with the inside port connected to a Cisco router with a public /29 IP
> subnet. On the router we have configured DMVPN. The issue is that IPsec
> works fine, but OSPF on the Cisco router is not up after installing the
> ASA. Do you guys have any idea how I can fix this issue?
>
>
> Note: There is nothing configured on the ASA; it just has two public IP
> addresses, /30 and /29.
>
> Kind regards,
>
> Sameer
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
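
John's reply points at the MTU, and the posted tunnel config carries `ip mtu 1400`, `tunnel key`, `esp-3des esp-sha-hmac` and `tunnel protection ipsec profile`. The Python script below is an added example written for this thread; it is not code from any of the posters. It does two things an operator would want when chasing an EXSTART failure: it computes the on-the-wire size of a GRE/IPsec packet for a given tunnel `ip mtu` under the encapsulation the posted config implies (GRE with key, ESP tunnel mode, 3DES-CBC, HMAC-SHA-1-96), so you can confirm that 1400 fits inside a 1500-byte link and find the largest value that does; and it parses `%OSPF-5-ADJCHG` syslog lines and flags a neighbor that drops out of EXSTART/EXCHANGE with "Too many retransmissions" as an MTU suspect, since that is the point where the first full-size packets (Database Description) are exchanged. The function names, the extra healthy log line and the 1500-byte link MTU are my assumptions; the per-header overheads are the standard sizes for those protocols.

```python
import re

# Constructed sample input: the two %OSPF-5-ADJCHG lines posted in the thread,
# plus one healthy transition (constructed) so the classifier has a contrast.
SAMPLE_LOG = """\
*Oct 18 06:24:54.383: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.255.1 on Tunnel1 from EXSTART to DOWN, Neighbor Down: Too many retransmissions
*Oct 18 06:25:54.383: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.255.1 on Tunnel1 from DOWN to DOWN, Neighbor Down: Ignore timer expired
*Oct 18 06:30:12.001: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.255.1 on Tunnel1 from LOADING to FULL, Loading Done
"""

ADJCHG_RE = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<proc>\d+), Nbr (?P<nbr>[\d.]+) on (?P<intf>\S+) "
    r"from (?P<old>[A-Z]+) to (?P<new>[A-Z]+), (?P<reason>.*)$"
)


def parse_adjchg(log_text):
    """Return one dict per %OSPF-5-ADJCHG line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = ADJCHG_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(event):
    """Map an adjacency change to a troubleshooting hint.

    Hellos are small, so a neighbor that reaches EXSTART has basic reachability.
    Leaving EXSTART/EXCHANGE with "Too many retransmissions" means the Database
    Description exchange never completed; DBD packets carry the interface MTU
    and are the first full-size packets on the link, so this points at an MTU
    mismatch or at large packets being dropped on the path.
    """
    if event["old"] in ("EXSTART", "EXCHANGE") and "retransmissions" in event["reason"]:
        return "mtu-suspect"
    if event["new"] == "FULL":
        return "ok"
    return "other"


def esp_size(ip_mtu, tunnel_key=True, block=8, iv_len=8, icv_len=12, tunnel_mode=True):
    """On-the-wire size of one tunnel packet whose inner IP packet is ip_mtu bytes.

    Assumed encapsulation (what the posted config implies): inner IP packet ->
    GRE header (4 bytes, +4 with 'tunnel key') -> delivery IP header (20) -> ESP.
    3DES-CBC has an 8-byte block and IV, esp-sha-hmac carries a 12-byte ICV, and
    an IPsec profile applied with 'tunnel protection' defaults to ESP tunnel
    mode, which wraps the whole delivery packet and adds a new outer IP header.
    """
    gre_len = 4 + (4 if tunnel_key else 0)
    if tunnel_mode:
        plaintext = 20 + gre_len + ip_mtu      # delivery IP header is encrypted too
    else:
        plaintext = gre_len + ip_mtu           # transport mode: IP header stays outside
    padded = plaintext + 2                     # ESP trailer: pad length + next header
    padded += (-padded) % block                # pad up to the cipher block size
    # outer/delivery IP header + ESP SPI/sequence + IV + ciphertext + ICV
    return 20 + 8 + iv_len + padded + icv_len


def max_ip_mtu(link_mtu=1500, **kw):
    """Largest tunnel 'ip mtu' whose encrypted packet still fits the physical link."""
    mtu = link_mtu
    while esp_size(mtu, **kw) > link_mtu:
        mtu -= 1
    return mtu


def report(log_text, ip_mtu, link_mtu=1500):
    """Combine both checks into one summary dict for the tunnel being debugged."""
    hints = [classify(e) for e in parse_adjchg(log_text)]
    wire = esp_size(ip_mtu)
    return {
        "wire_size": wire,
        "fits_link": wire <= link_mtu,
        "max_ip_mtu": max_ip_mtu(link_mtu),
        "mtu_suspect_events": hints.count("mtu-suspect"),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG, ip_mtu=1400))
```

With the posted `ip mtu 1400`, a full-size tunnel packet comes out at 1480 bytes, so it fits a 1500-byte link with 20 bytes to spare; the script also shows that 1418 is the ceiling for this encapsulation. The calculation only covers the router's own encapsulation. Since OSPF neighbors reject DBD packets whose MTU field disagrees with their own interface MTU (unless `ip ospf mtu-ignore` is set), the next check is `show ip ospf interface` on both ends of Tunnel1 to confirm they agree.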

--
Blogs and organic groups at http://www.ccie.net
Received on Mon Oct 18 2010 - 10:21:55 ART

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART