I put the command on outside interface of router: ip ospf mtu-ignore, then
OSPF is up and running.
Thanks for your kind help
Sameer
Date: Mon, 18 Oct 2010 10:21:55 +0300
Subject: Re: ASA FW blocking OSPF packet
From: edwardjohn2020_at_googlemail.com
To: i_sameer_at_hotmail.com
CC: baker.garry_at_gmail.com; ccielab_at_groupstudy.com
Neighbor Down: Too many retransmissions - I will doubt on MTU? Did you check
MTU already?
Regards,
John
On Mon, Oct 18, 2010 at 9:35 AM, sameer inam <i_sameer_at_hotmail.com> wrote:
please see below the OSPF nei details from router
Router#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.255.1      200   EXSTART/DR      00:01:56    192.168.253.1   Tunnel1
Router#
*Oct 18 06:24:54.383: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.255.1 on Tunnel1
from EXSTART to DOWN, Neighbor Down: Too many retransmissions
*Oct 18 06:25:54.383: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.255.1 on Tunnel1
from DOWN to DOWN, Neighbor Down: Ignore timer expired
Date: Sun, 17 Oct 2010 16:31:32 -0500
Subject: Re: ASA FW blocking OSPF packet
From: baker.garry_at_gmail.com
To: i_sameer_at_hotmail.com
CC: ccielab_at_groupstudy.com
when the ASA is not there the tunnel int shows a neighbor?
seems that the ospf adj should be over the tunnel, and the ASA will pass
everything that goes through the tunnel
what is the neighbor that comes up without the ASA in the front or middle of
the adj i assume would be the case
can you show the show ip ospf int br and show ip ospf neigh before and after?
i am just not seeing how the ASA comes into play if the ospf is really going
over the tunnel
--
Garry L. Baker
"There is no 'patch' for stupidity." - www.sqlsecurity.com
On Sun, Oct 17, 2010 at 1:44 PM, sameer inam <i_sameer_at_hotmail.com> wrote:
yes ospf on GRE tunnel interface, problem is there is no OSPF activity on router
after deploying the ASA, if I removed the ASA in front of the router then OSPF
comes up.
please see below the configuration of router
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cxxxx.xxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!
crypto ipsec profile CISCO
 set transform-set dmvpnset
!
!
!
!
interface Loopback1
 ip address 10.0.255.3 255.255.255.255
 load-interval 30
!
interface Tunnel1
 description
 ip address 192.168.xxx.xx 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map multicast 193.xxx.xxx.xx
 ip nhrp map 192.168.xxx.xx 193.xx.xxx.xx
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.253.1
 no ip route-cache cef
 ip route-cache flow
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 0
 load-interval 30
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel path-mtu-discovery
 tunnel protection ipsec profile CISCO
 service-policy output BRANCH-LAN
!
interface FastEthernet0/0
 description
 ip address xx.xx.xx.xx 255.255.x.xxx
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 10.0.xx.xx 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly max-reassemblies 30
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
router ospf 1
 router-id 10.0.255.3
 log-adjacency-changes
 area 108 nssa no-summary
 network 10.0.xx.xx. 0.0.0.0 area 108
 network 10.0.xxx.xx 0.0.0.0 area 108
 network 192.168.xx.xx 0.0.0.0 area 108
Date: Sun, 17 Oct 2010 13:21:14 -0500
Subject: Re: ASA FW blocking OSPF packet
From: baker.garry_at_gmail.com
To: i_sameer_at_hotmail.com
CC: ccielab_at_groupstudy.com
will need to see more about your configs and/or simple diagram maybe, do you
have ospf on the tunnel interface? if so what is the neighbor state? do you
have connectivity to the ospf neighbor/neighbors?
--
Garry L. Baker
"There is no 'patch' for stupidity." - www.sqlsecurity.com
On Sun, Oct 17, 2010 at 1:03 PM, sameer inam <i_sameer_at_hotmail.com> wrote:
running OSPF over the dmvpn ipsec tunnel.
Date: Sun, 17 Oct 2010 11:06:26 -0500
Subject: Re: ASA FW blocking OSPF packet
From: baker.garry_at_gmail.com
To: i_sameer_at_hotmail.com
CC: ccielab_at_groupstudy.com
are you trying to peer with the cisco router as an ospf adj or run ospf over
the dmvpn ipsec tunnel?
--
Garry L. Baker
"There is no 'patch' for stupidity." - www.sqlsecurity.com
On Sun, Oct 17, 2010 at 10:55 AM, sameer inam <i_sameer_at_hotmail.com> wrote:
Hello Expert,
I'm trying to install ASA 5505 facing ISP using /30 IP subnet and inside port
connected to Cisco router with public /29 IP subnet. On router we have
configured DMVPN. Issue is IPsec works fine but OSPF on Cisco router is not up
after installing the ASA, do you guys have any idea how I can fix this issue?
Note: There is nothing configured on ASA, it's just having two public IP
addresses, /30 and /29.
Kind regards,
Sameer
Blogs and organic groups at http://www.ccie.net
Received on Mon Oct 18 2010 - 10:00:07 ART
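The symptom John points at in the thread, as an added example that is not part of the original messages: a small Python check that scans router syslog for adjacencies dropped in EXSTART or EXCHANGE with "Too many retransmissions", the pattern that warrants comparing MTU on both ends. The function names and the third sample record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first two records follow the style quoted in the thread
# (wrapped as a terminal capture wraps them); the third is made up as a healthy control.
SAMPLE_LOG = """\
*Oct 18 06:24:54.383: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.255.1 on Tunnel1
from EXSTART to DOWN, Neighbor Down: Too many retransmissions
*Oct 18 06:25:54.383: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.255.1 on Tunnel1
from DOWN to DOWN, Neighbor Down: Ignore timer expired
*Oct 18 06:31:02.117: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.255.9 on Tunnel1
from LOADING to FULL, Loading Done
"""

MNEMONIC = re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:")  # marks the start of a record
ADJCHG = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<proc>\d+), Nbr (?P<nbr>\S+) on (?P<intf>\S+)\s+"
    r"from (?P<old>\S+) to (?P<new>[^,\s]+), (?P<reason>.+)$"
)

def unwrap(text):
    """Rejoin wrapped records: a line without a %FAC-SEV-MNEMONIC tag continues the previous one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if MNEMONIC.search(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def mtu_suspects(text):
    """Return {(neighbor, interface): count} for adjacencies that died during
    database exchange (EXSTART/EXCHANGE) with 'Too many retransmissions'."""
    hits = defaultdict(int)
    for rec in unwrap(text):
        m = ADJCHG.search(rec)
        if m and m["old"] in ("EXSTART", "EXCHANGE") and "Too many retransmissions" in m["reason"]:
            hits[(m["nbr"], m["intf"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (nbr, intf), n in mtu_suspects(SAMPLE_LOG).items():
        print(f"{nbr} on {intf}: {n} drop(s) during DBD exchange; compare MTU on both ends")
```

A hit is a prompt to compare interface MTU on the two routers, not proof of a mismatch; other faults on the path can also stall the database exchange.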