ASA active / standby with OSPF to two separate L3 switches

Started by Dieselboy, February 03, 2015, 04:37:30 AM


Dieselboy

What's the tried and tested way of configuring OSPF between a pair of ASAs and layer 3 core switches?

wintermute000

/30 or /29 p2p between both asas (assuming ha pair) and each switch and between switches. Metric to force inferior path to and from the secondary.

SimonV

I'm troubleshooting an issue with an ASA cluster, OSPF peering with two L3 switches in separate locations on one VLAN. So basically, a broadcast VLAN/network.

The ASA is getting the same routes from both neighbours. In the DB, I see the LSAs have the same metric but for some reason the ASA only installs one route in the routing table. Unfortunately it's the one with the least optimal path. Shouldn't the ASA be doing equal-cost loadbalancing by default or is this different on the ASA platform?

deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

I am supposing active/passive. They are 5515Xs.

If they had two different P2P subnets it would be easy to increase the cost on one and be done with it, but here they are in the same segment so raising the cost on the ASA interface itself would have the same effect on both the routes.
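An added example, not from the thread or from anyone's posted config, of why a cost on the switch side does not help when the switches and the ASA share one segment: a small OSPF-style SPF in Python over the topology described above. The node names, the interface costs, and the prefixes 10.20.0.0/24 (behind both switches) and 172.16.0.0/24 (behind the ASA) are constructed for illustration; the only thing taken from the thread is the idea of one switch carrying a higher interface cost on the shared VLAN (an `ip ospf cost 10` appears later in this thread). SPF charges the advertising router's interface cost for the hop from a router onto a transit network and nothing for the hop from the network back to a router (RFC 2328 section 16.1), so a switch raising its own cost on the shared VLAN changes that switch's outbound cost only and never which switch the ASA picks; the ASA's tie can only be broken by what each switch advertises behind it.

```python
import heapq

# Constructed link-state view of one area: ASA, SW1 and SW2 share one broadcast
# segment ("VLAN5"). Costs and prefixes are constructed, not vendor defaults;
# SW2's VLAN5 cost of 10 stands in for the 'ip ospf cost 10' kind of setting.
def build_lsdb(sw2_vlan5_cost=10, sw2_stub_cost=1):
    transit = {                       # router -> {transit network: interface cost}
        "ASA": {"VLAN5": 10},
        "SW1": {"VLAN5": 1},
        "SW2": {"VLAN5": sw2_vlan5_cost},
    }
    stubs = {                         # router -> {stub prefix: cost}
        "ASA": {"172.16.0.0/24": 1},
        "SW1": {"10.20.0.0/24": 1},
        "SW2": {"10.20.0.0/24": sw2_stub_cost},
    }
    return transit, stubs


def spf(transit, src):
    """Dijkstra over the router / transit-network graph the way OSPF builds it:
    router->network costs that router's interface cost, network->router costs 0.
    Returns {node: (cost, set of next-hop routers)}; equal-cost paths are kept."""
    graph = {}
    for router, nets in transit.items():
        for net, cost in nets.items():
            graph.setdefault(router, {})[net] = cost
            graph.setdefault(net, {})[router] = 0
    dist, nexthop = {src: 0}, {src: set()}
    pq = [(0, src)]
    while pq:
        d, v = heapq.heappop(pq)
        if d > dist[v]:
            continue
        for u, w in graph.get(v, {}).items():
            nd = d + w
            if v == src:
                hops = set()                  # u is a directly attached segment
            elif v in transit[src]:
                hops = {u}                    # u is a router on that segment
            else:
                hops = set(nexthop[v])        # further away: inherit the next hop
            if nd < dist.get(u, float("inf")):
                dist[u], nexthop[u] = nd, hops
                heapq.heappush(pq, (nd, u))
            elif nd == dist[u] and u != src:
                nexthop[u] |= hops            # equal cost: keep both next hops (ECMP)
    return {n: (dist[n], nexthop[n]) for n in dist}


def route_to(transit, stubs, src, prefix):
    """Intra-area route to a stub prefix: minimum over advertising routers of
    (SPF distance to the router + advertised stub cost). Returns (cost, sorted
    next hops); every advertiser at the best cost is kept as an ECMP candidate."""
    tree = spf(transit, src)
    best, hops = None, set()
    for router, prefixes in stubs.items():
        if prefix not in prefixes or router not in tree:
            continue
        cost = tree[router][0] + prefixes[prefix]
        if best is None or cost < best:
            best, hops = cost, set(tree[router][1])
        elif cost == best:
            hops |= tree[router][1]
    return best, sorted(hops)


if __name__ == "__main__":
    # Both switches are at equal cost from the ASA no matter what SW2 sets on VLAN5...
    print(route_to(*build_lsdb(), "ASA", "10.20.0.0/24"))
    print(route_to(*build_lsdb(sw2_vlan5_cost=100), "ASA", "10.20.0.0/24"))
    # ...only what SW2 advertises behind it breaks the tie.
    print(route_to(*build_lsdb(sw2_stub_cost=5), "ASA", "10.20.0.0/24"))
    # The VLAN5 cost does bite on SW2's own outbound path toward the ASA.
    print(route_to(*build_lsdb(), "SW2", "172.16.0.0/24"))
    print(route_to(*build_lsdb(), "SW1", "172.16.0.0/24"))
```

The first two calls return the same equal-cost pair, which matches what SimonV sees in the LSDB; whether a platform then installs one or both of those candidates is a separate question from the SPF result.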

wintermute000

That's exactly why I recommended my approach. Keep us posted with yours as ecmp should be ospf default as you've stated

SimonV

I know, I don't even see a reason why they would need OSPF in this case as the ASA is basically a stub. HSRP on that transit network would do just fine.
But it's a branch site that "manages their own equipment". Their original complaint was bad WAN performance so I'm gathering as much as I can.

Sorry to hijack your thread, Dieselboy, but it's an example of how not to configure it :)

wintermute000

Check the asa equivalent of show ip cef or the juniper show route forwarding table

Dieselboy

Quote from: wintermute000 on February 03, 2015, 06:00:47 AM
/30 or /29 p2p between both asas (assuming ha pair) and each switch and between switches. Metric to force inferior path to and from the secondary.

Wintermute, I don't think your statement would work at all. For an ASA active/standby setup you need the interfaces on the inside to be able to communicate with each other for monitoring. This will consume 2 IPs. Then if you have 2 core switches this will consume another 2 IPs, so a /30 would definitely not work. In any case, I could use a /8 or a /24 - the size of the broadcast domain makes no difference in all honesty.

Quote from: SimonV on February 03, 2015, 08:51:35 AM
I'm troubleshooting an issue with an ASA cluster, OSPF peering with two L3 switches in separate locations on one VLAN. So basically, a broadcast VLAN/network.

The ASA is getting the same routes from both neighbours. In the DB, I see the LSAs have the same metric but for some reason the ASA only installs one route in the routing table. Unfortunately it's the one with the least optimal path. Shouldn't the ASA be doing equal-cost loadbalancing by default or is this different on the ASA platform?

Simon, I have your exact setup but a different issue. I have 2 x ASA5515Xs which I've configured OSPF to two separate layer 3 switches. The switches are Nexus and to get around the vPC issue (which I don't think affects the 3000 series Nexus anyway), I have a separate port channel between the two Nexus running the VLAN that the ASAs are connected on. So to explain more simply, each ASA inside interface is connected to each switch on VLAN 5. VLAN 5 SVI on the switches should have 2 peers, one to the other switch and one to the primary ASA. I did think that there may be an OSPF peer to the secondary ASA but this is not seen. To allow the ASAs to communicate with each other for the monitoring, VLAN 5 is connected between the switches on a trunk which is not part of the vPC setup. It's 2 cables for cable resilience. So in this setup we can ignore the fact that the switches are Nexus. The two switches are layer 3 devices connected with a link.

What I am seeing is everything working perfectly except on one switch, the primary ASA is showing as EXSTART. I ran some debugs and the logs showed that the issue is due to an MTU mismatch. I know for a fact that this is not the case. I checked all layer 3 interfaces on all devices and the MTU is unchanged at 1500. As a test, I put in the ospf mtu ignore and this made no difference at all, which kind of backs up this not being an MTU issue. I then removed the MTU ignore command.

If I shut down the VL5 interface on the primary switch, OSPF will come up to the second switch (where it's currently EXSTART) if I clear the process, so this would say to me the config is fine.

I was thinking overnight about this and TBH I don't really need OSPF on the firewalls but it's handy if it's running on them since we're growing quite quickly and there's only me here. But if I cannot isolate this problem, for the sake of stability I'll remove OSPF and just use static routes inbound to the HSRP IP. The other benefit of OSPF was the VPN injecting the static routes.

Here's the config:
ASA

interface GigabitEthernet0/2
description INSIDE INTERFACE
mac-address 00a0.c9c0.0501 standby 00a0.c9c0.0502
nameif INSIDE
security-level 100
ip address 192.168.5.4 255.255.255.0 standby 192.168.5.5
ospf hello-interval 1
ospf message-digest-key 1 md5 *****
ospf authentication message-digest

router ospf 1
router-id 192.168.5.4
network 192.168.5.0 255.255.255.0 area 0
log-adj-changes
redistribute static subnets route-map REDIST


SW1

interface Vlan5
  description INTERNAL OSPF NEXUS AND ASA PEER LINKS
  no shutdown
  no ip redirects
  ip address 192.168.5.2/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 7 ******
  ip ospf hello-interval 1
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
  hsrp 249
    preempt delay minimum 60 reload 60
    timers  1  4
    ip 192.168.5.1

router ospf 1
  log-adjacency-changes
  passive-interface default


SW2

interface Vlan5
  description INTERNAL OSPF NEXUS AND ASA PEER LINKS
  no shutdown
  no ip redirects
  ip address 192.168.5.3/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 7 *****
  ip ospf cost 10
  ip ospf hello-interval 1
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
  hsrp 249
    preempt delay minimum 60 reload 60
    priority 90
    timers  1  4
    ip 192.168.5.1

router ospf 1
  log-adjacency-changes
  passive-interface default
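An added example, not the poster's or TAC's tooling: a Python check that reads the adjacency-relevant lines from the three stanzas above (trimmed to the addressing and OSPF lines, MD5 keys left masked as posted) and reports anything that would stop two neighbours on the same segment from reaching FULL: subnet, hello and dead timers, authentication type and key ID, area, passive state, and MTU (the value that keeps an adjacency in EXSTART when the DBD check fails). ASA and NX-OS syntaxes are normalised by dropping a leading `ip `. Two assumptions: the dead interval is taken as four times the hello interval when not configured, and the interface MTU is read from an interface-level `mtu` line and taken as 1500 otherwise (the ASA's global `mtu INSIDE` form is not parsed). Run over the posted configs the check comes back clean, which is consistent with the poster finding all MTUs at 1500; the last two calls show what a timer or MTU mismatch would look like.

```python
import ipaddress
import re

# The thread's stanzas, trimmed to the lines that matter for the adjacency
# (keys masked exactly as posted).
ASA = """
interface GigabitEthernet0/2
 nameif INSIDE
 ip address 192.168.5.4 255.255.255.0 standby 192.168.5.5
 ospf hello-interval 1
 ospf message-digest-key 1 md5 *****
 ospf authentication message-digest
router ospf 1
 network 192.168.5.0 255.255.255.0 area 0
"""
SW1 = """
interface Vlan5
  ip address 192.168.5.2/24
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 7 ******
  ip ospf hello-interval 1
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
router ospf 1
  passive-interface default
"""
SW2 = SW1.replace("192.168.5.2/24", "192.168.5.3/24").replace(
    "ip ospf hello-interval 1", "ip ospf cost 10\n  ip ospf hello-interval 1")


def area_id(text):
    """Normalise '0' and '0.0.0.0' to the same integer area ID."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)


def parse(name, text):
    """Adjacency-relevant parameters from one interface stanza plus its router ospf block."""
    p = {"name": name, "addr": None, "net": None, "hello": 10, "dead": None,
         "auth": "null", "key_id": None, "area": None, "mtu": 1500}
    networks, passive_default, passive_iface = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        negated = line.startswith("no ")
        if negated:
            line = line[3:]
        if line.startswith("ip ") and not line.startswith("ip address"):
            line = line[3:]                      # NX-OS 'ip ospf ...' -> ASA-style 'ospf ...'
        if m := re.match(r"ip address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?", line):
            p["addr"] = ipaddress.ip_interface(m.group(1) + ("/" + m.group(2) if m.group(2) else ""))
            p["net"] = p["addr"].network
        elif m := re.match(r"mtu (\d+)", line):  # assumption: interface-level mtu line
            p["mtu"] = int(m.group(1))
        elif m := re.match(r"ospf hello-interval (\d+)", line):
            p["hello"] = int(m.group(1))
        elif m := re.match(r"ospf dead-interval (\d+)", line):
            p["dead"] = int(m.group(1))
        elif line == "ospf authentication message-digest":
            p["auth"] = "md5"
        elif m := re.match(r"ospf message-digest-key (\d+) md5", line):
            p["key_id"] = int(m.group(1))
        elif m := re.match(r"router ospf \S+ area (\S+)", line):
            p["area"] = area_id(m.group(1))      # NX-OS: area set on the interface
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", line):
            networks.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), area_id(m.group(3))))
        elif line == "passive-interface default":
            passive_default = True
        elif line == "ospf passive-interface":
            passive_iface = not negated          # per-interface override
    if p["dead"] is None:
        p["dead"] = 4 * p["hello"]               # assumption: default dead = 4 x hello
    if p["area"] is None:                        # ASA: area comes from the matching network statement
        for net, area in networks:
            if p["addr"].ip in net:
                p["area"] = area
    p["passive"] = passive_default if passive_iface is None else passive_iface
    return p


def mismatches(a, b):
    """Reasons two interfaces would not reach FULL; empty list means compatible."""
    out = []
    if a["net"] != b["net"]:
        out.append(f"subnet {a['net']} vs {b['net']}")
    for f in ("hello", "dead", "auth", "key_id", "area", "mtu"):
        if a[f] != b[f]:
            out.append(f"{f} {a[f]} vs {b[f]}")
    out += [f"{p['name']} is passive on this interface" for p in (a, b) if p["passive"]]
    return out


def check_all(devices):
    """Pairwise check: {(name_a, name_b): [issues]}."""
    names = list(devices)
    return {(x, y): mismatches(devices[x], devices[y])
            for i, x in enumerate(names) for y in names[i + 1:]}


if __name__ == "__main__":
    parsed = {n: parse(n, t) for n, t in (("ASA", ASA), ("SW1", SW1), ("SW2", SW2))}
    for pair, issues in check_all(parsed).items():
        print(pair, "OK" if not issues else issues)
    slow = parse("SW2-slow", SW2.replace("hello-interval 1", "hello-interval 10"))
    print(mismatches(parsed["SW1"], slow))
    jumbo = parse("SW2-jumbo", SW2.replace("interface Vlan5", "interface Vlan5\n  mtu 9216"))
    print(mismatches(parsed["ASA"], jumbo))
```

A clean result from this kind of check means the configured parameters are not the cause, which is the point at which it is worth looking at what arrives on the wire (captures of the hellos and DBDs) rather than at the configuration again.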

Dieselboy

I raised a TAC under the 3048 Nexus
TAC engineer I've dealt with before and he's pretty good. He requested quite a lot of information from me, including a diagram to illustrate - took me about 30 mins or so to collect all the logs and show outputs he wanted. Came back to me a few hours later and stated he couldn't see anything wrong.
Then we had a webex with an ASA engineer as well and we all agreed there should be no problem with the config. So they're going to lab it up and reproduce. We also collected captures and more debugs.

I think that maybe the Nexus switch is doing something with the OSPF packet as it traverses the port-channel, although it shouldn't be. It only decrements the TTL when going across the vPC link and there is definitely no vPC involved.

I'll let you know what TAC says.

wintermute000

My mistake, too many routers and not enough fw work over the last year; forgot the HA clustering, it's one virtual unit with a floating IP.

When you say Nexus vPC link, are you referring to the vPC peer link? And you're excluding VLAN5 from the peer link trunk?

deanwebb

Static routes FTW on an HA link. You don't want to have the devices go into a failover fugue state because a route update goes awry.

AnthonyC

Quote from: Dieselboy on February 03, 2015, 08:31:42 PM
In any case, I could use a /8 or a /24 - the size of the broadcast domain makes no difference in all honesty.

It can matter if you work for a big organization and you are running out of RFC1918 IP addresses; I would fire someone who wastes a /8.
"It can also be argued that DNA is nothing more than a program designed to preserve itself. Life has become more complex in the overwhelming sea of information. And life, when organized into species, relies upon genes to be its memory system."

deanwebb

Quote from: AnthonyC on February 04, 2015, 10:59:01 AM
Quote from: Dieselboy on February 03, 2015, 08:31:42 PM
In any case, I could use a /8 or a /24 - the size of the broadcast domain makes no difference in all honesty.

It can matter if you work for a big organization and you are running out of RFC1918 IP addresses; I would fire someone who wastes a /8.

Indeed. Big companies treat IP addresses like the last few drops of fuel in a Mad Max movie.

Dieselboy

Quote from: wintermute000 on February 04, 2015, 02:16:01 AM
My mistake, too many routers and not enough fw work over the last year; forgot the HA clustering, it's one virtual unit with a floating IP.

When you say Nexus vPC link, are you referring to the vPC peer link? And you're excluding VLAN5 from the peer link trunk?

:)
Yes, exactly that. The vPC peer link decrements the TTL, so when OSPF hellos are sent by the ASA, the second switch won't form an OSPF relationship with the ASA if the hello comes across the vPC link. So to get around this, I did the following (I knew this initially so I planned it this way):

1. create VLAN 5
2. connect 2 additional links between the switches and form port-channel 6
3. Po6 has switchport trunk allowed vlan 5
4. connect the ASA primary and secondary inside interfaces into switchport access VLAN 5 on the switch

The above should have worked fine. However, both switches would not form OSPF.

Now, the new problem: there's no ospf at all, there's no Po6 at all. VLAN 5 is now on Po1 which is the vPC peer link. As there's no ospf this is fine.
HSRP is in use on VLAN 5 so the ASA can route back to the network.
Static default route from the core pointing to the ASA primary address.

When I ping the standby ASA I never get a reply. I did a ping from the second switch and it's fine. If I source from, for example, VLAN 10 I do not get a reply.

I ran some captures and the ASA receives the ping. Its reply is targeted for the HSRP address which is switch 1. Switch 1 somehow doesn't forward it to the second switch. I put a workaround in place which is to enable ip redirects on vlan 5.

Waiting for TAC's response. Maybe there's a bug in the Nexus code which is causing these probs.

Quote from: deanwebb on February 04, 2015, 08:35:24 AM
Static routes FTW on an HA link. You don't want to have the devices go into a failover fugue state because a route update goes awry.

I thought exactly this when I did my testing and lost all access to the internet because OSPF screwed up. I gave TAC the day to come to me with why this was failing and they didn't know and still don't. So I had no second thought about stripping out OSPF. I don't like the risk. TBH it's more configuration to have OSPF running there. I removed the OSPF config and it's replaced with 3 static routes and 2 prefix lists in a route map to be redistributed.

Quote from: AnthonyC on February 04, 2015, 10:59:01 AM
It can matter if you work for a big organization and you are running out of RFC1918 IP addresses; I would fire someone who wastes a /8.

Ahh but then you're talking about policy, best practice and specific requirements based on an audit or documentation. I'm talking technically about a technical function. I would laugh if I ever saw a /8 actually used in a design in that manner.