Cisco ASA context, failover, OSPF problem on a context.

Security problems (VPN, firewall, IDS/IPS, etc.)


borostfor
wannabe
Posts: 99
Joined: 01 Aug 2009, 23:20
Location: Festung Breslau


#1 Post by borostfor » 17 Aug 2018, 10:32

I have two ASAs connected through a switch using a port-channel. Contexts are running on the ASAs, and OSPF on the contexts. For some reason OSPF does not work: hellos are sent, but the other ASA does not receive them. These particular contexts are in the same failover group on the same ASA.

Switch configuration

Code:

interface Port-channel47
 description ASA2
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface Port-channel48
 description ASA1
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpdufilter enable

Context configuration in the system context:

Code:

interface GigabitEthernet0/0
 channel-group 1 mode on
!
interface GigabitEthernet0/1
 channel-group 1 mode on
interface Port-channel1
 lacp max-bundle 8
!
interface Port-channel1.99
 description Aggregation
 vlan 99
!
interface Port-channel1.300
 description 300
 vlan 300
!
interface Port-channel1.302
 description 302
 vlan 302


context CTX1
  allocate-interface Port-channel1.99
  allocate-interface Port-channel1.302
  config-url disk0:/CTX1
  join-failover-group 1

context CTX2
  allocate-interface Port-channel1.99
  allocate-interface Port-channel1.300
  config-url disk0:/CTX2
  join-failover-group 1

failover group 1
  preempt 100
failover group 2
  secondary
  preempt 100

Configuration of context 1

Code:

ospf configuration
interface Port-channel1.302
 nameif 302
 security-level 50
 ip address x.x.x.1 255.255.255.0 standby x.x.x.2
!
interface Port-channel1.99
 nameif 99
 security-level 0
 ip address y.y.y.1 255.255.255.0 standby y.y.y.2

router ospf 1
 network y.y.y.0 255.255.255.0 area 0
 log-adj-changes

Configuration of context 2

Code:

interface Port-channel1.300
 nameif servers
 security-level 60
 ip address z.z.z.1 255.255.255.0 standby z.z.z.2
!
interface Port-channel1.99
 nameif outside
 security-level 0
 ip address y.y.y.3 255.255.255.0 standby y.y.y.4

router ospf 1
 network y.y.y.0 255.255.255.0 area 0
 log-adj-changes

Both ASAs can be pinged

Code:

CTX-FW(config)# ping y.y.y.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to y.y.y.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

show ospf 1

Code:

 Routing Process "ospf 1" with ID y.y.y.1
 Start time: 1d22h, Time elapsed: 00:04:24.090
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Event-log enabled, Maximum number of events: 1000, Mode: cyclic
 Router is not originating router-LSAs with maximum metric
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Incremental-SPF disabled
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 0. Checksum Sum 0x0
 Number of opaque AS LSA 0. Checksum Sum 0x0
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0
 IETF NSF helper support enabled
 Cisco NSF helper support enabled
 Reference bandwidth unit is 100 mbps
    Area BACKBONE(0) (Inactive)
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm last executed 00:04:00.600 ago
        SPF algorithm executed 1 times
        Area ranges are
        Number of LSA 1. Checksum Sum 0x6099
        Number of opaque link LSA 0. Checksum Sum 0x0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

show ospf interface outside

Code:

outside is up, line protocol is up
  Internet Address y.y.y.1 mask 255.255.255.0, Area 0
  Process ID 1, Router ID y.y.y.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) y.y.y.1, Interface address y.y.y.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 0:00:06
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

show ospf traffic shows that we are sending hellos but they are not arriving

Code:

show ospf traffic:

    OSPF packets received/sent

  Type          Packets              Bytes
  RX Invalid                       0 0
  RX Hello                         0 0
  RX DB des                        0 0
  RX LS req                        0 0
  RX LS upd                        0 0
  RX LS ack                        0 0
  RX Total                         0 0

  TX Failed                        0 0
  TX Hello                        71 3976
  TX DB des                        0 0
  TX LS req                        0 0
  TX LS upd                        0 0
  TX LS ack                        0 0
  TX Total                        71 3976

I added an ACL on both ASAs.

Code:

access-list OUTSIDE extended permit ospf any4 any4
access-list OUTSIDE extended permit ip any4 any4
access-group OUTSIDE in interface outside

I have no idea why the hellos are not arriving; is it some ASA limitation? Or did I make a mistake somewhere?
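A small triage helper, added here and not part of the post or of any Cisco tooling: it parses the `show ospf traffic` and `show ospf interface` excerpts quoted above and reduces them to finding codes, so the symptom pattern on this page (hellos transmitted, none received, the interface elected itself DR with no BDR and no neighbours) is distinguished from process-level faults such as rejected hellos, which would show up as a non-zero RX Invalid counter. The counter names and sample text are copied from the post's own output; the finding codes are this example's own.

```python
import re

# Excerpts of the 'show ospf traffic' and 'show ospf interface' output quoted in the post.
OSPF_TRAFFIC = """\
  RX Invalid                       0 0
  RX Hello                         0 0
  TX Hello                        71 3976
"""
OSPF_INTERFACE = """\
outside is up, line protocol is up
  Transmit Delay is 1 sec, State DR, Priority 1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 0, Adjacent neighbor count is 0
"""

def parse_traffic(text):
    """Map each 'RX ...'/'TX ...' counter row to (packets, bytes)."""
    rows = re.finditer(r"^\s*((?:RX|TX) [A-Za-z ]+?)\s+(\d+)\s+(\d+)\s*$", text, re.M)
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in rows}

def parse_interface(text):
    """Pull DR state, BDR presence, timers and neighbour count from the interface output."""
    state = re.search(r"State (\w+),", text)
    timers = re.search(r"Hello (\d+), Dead (\d+)", text)
    nbrs = re.search(r"Neighbor Count is (\d+)", text)
    return {
        "state": state.group(1) if state else None,
        "has_bdr": "No backup designated router" not in text,
        "hello": int(timers.group(1)) if timers else None,
        "dead": int(timers.group(2)) if timers else None,
        "neighbors": int(nbrs.group(1)) if nbrs else 0,
    }

def diagnose(traffic, iface):
    """Return finding codes; an empty list means the counters look like a healthy adjacency."""
    findings = []
    tx = traffic.get("TX Hello", (0, 0))[0]
    rx = traffic.get("RX Hello", (0, 0))[0]
    if tx > 0 and rx == 0:
        # We transmit but never hear a peer: look at the path between the speakers.
        findings.append("NO_RX_HELLO")
    if traffic.get("RX Invalid", (0, 0))[0] > 0:
        # Peer hellos arrive but are rejected: typical of area, timer, MTU or auth mismatch.
        findings.append("RX_INVALID")
    if iface["neighbors"] == 0 and iface["state"] == "DR" and not iface["has_bdr"]:
        # Elected itself DR with no BDR: nobody else is heard on this segment.
        findings.append("ALONE_ON_SEGMENT")
    return findings
```

Run it against the two outputs from the post and it reports NO_RX_HELLO and ALONE_ON_SEGMENT, and nothing about invalid packets, which is what points away from the OSPF process and towards the shared segment between the two speakers.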
