[c-nsp] ASA 8.4.2-8 OSPF Bug

Antonio Soares amsoares at netcabo.pt
Thu Jun 14 11:14:02 EDT 2012


Guys,

TAC case and Bug found:

CSCtt07457
++++++++++++++++++++++++++++++++
Traffic stops after failover as connected routes are "possibly down" 

Symptom: Connected routes go into "possibly down" state on Active ASA after
failover when OSPF is configured and traffic stops.

For example: 

C 10.1.1.0 255.255.255.252 is directly connected, faillink 
C 192.168.1.0 255.255.255.0 is possibly down, 
	routing via 0.0.0.0, inside 
C 192.0.2.0 255.255.255.0 is possibly down,
	routing via 0.0.0.0, outside 
O 192.168.3.0 255.255.255.0 [110/11] via 192.168.1.2, 0:00:57, inside 
S* 0.0.0.0 0.0.0.0 [1/0] via 192.0.2.2, outside 

Conditions: This happens when OSPF is configured on failover pair.

Workaround: Do not use OSPF with failover. Shut / no shut affected
interfaces to populate routing table.
++++++++++++++++++++++++++++++++

If you have 8.4.2-8 with Failover and OSPF/EIGRP, run away from this image.
I will test 8.4.2-14 that TAC will provide shortly.


Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: Antonio Soares [mailto:amsoares at netcabo.pt] 
Sent: Tuesday, 12 June 2012 17:58
To: 'cisco-nsp at puck.nether.net'
Subject: ASA 8.4.2-8 OSPF Bug

Hello group,

I was troubleshooting a network down issue I had a few days ago, basically a
cluster of ASAs running 8.4.2-8 didn't behave as expected. The
primary/active went down and the secondary went active but the OSPF
adjacency with a 3750 switch remained down.

Today I was playing with a pair of ASA5540 running this release and I found
a potential bug that could be related to the problem I had.

After issuing the command "clear ospf process" on the active ASA, the
adjacency never comes up again.

Basic lab I have:

ASA1(Pri/Act)===Trunk===Cisco3550===Access===7200(R1)
ASA2(Sec/Stby)===Trunk===Cisco3550===Access===7200(R2)

On the ASA side I see the OSPF State moving from EXSTART to DOWN and on the
7200's side I see it moving from EXSTART to INIT. And this repeats over and
over until I switch the active ASA or I do the magical "reload" command. The
problem happens if the Active is the Primary or Secondary Unit. I was able
to reproduce the problem with only one ASA but configured with failover.


Has someone seen something like this? If someone wants to reproduce the
problem, you may need to issue the "clear ospf process" several times.

Maybe this is expected, the HA feature was introduced with 8.4... :)

"Stateful Failover with Dynamic Routing Protocols 

Routes that are learned through dynamic routing protocols (such as OSPF and
EIGRP) on the active unit are now maintained in a Routing Information Base
(RIB) table on the standby unit. Upon a failover event, traffic on the
secondary active unit now passes with minimal disruption because routes are
known.
 
We modified the following commands: show failover, show route, show route
failover."



Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net
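
Added example, not part of the original post and not Cisco tooling: a Python check that parses "show route" text in the form quoted in the bug description and reports connected routes left in the "possibly down" state, so a monitoring job can alert after a failover. The sample input is the output quoted in the post; the function names and the assumption that wrapped lines are indented or begin with "routing via" are this example's own.

```python
import re

# Sample input: the "show route" excerpt quoted in the bug description above.
SAMPLE = """\
C 10.1.1.0 255.255.255.252 is directly connected, faillink
C 192.168.1.0 255.255.255.0 is possibly down,
\trouting via 0.0.0.0, inside
C 192.0.2.0 255.255.255.0 is possibly down,
\trouting via 0.0.0.0, outside
O 192.168.3.0 255.255.255.0 [110/11] via 192.168.1.2, 0:00:57, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.0.2.2, outside
"""

# Route code, network, mask, then the rest of the entry.
ROUTE = re.compile(
    r"^(?P<code>[A-Z][A-Z0-9*]*)\s+(?P<net>\d+(?:\.\d+){3})\s+"
    r"(?P<mask>\d+(?:\.\d+){3})\s+(?P<rest>.*)$"
)

def join_wrapped(text):
    """Merge wrapped continuation lines into the route entry they belong to."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        wrapped = line[0].isspace() or line.lstrip().startswith("routing via")
        if wrapped and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    return entries

def possibly_down_routes(text):
    """Return (network, mask, interface) for connected routes marked possibly down."""
    hits = []
    for entry in join_wrapped(text):
        m = ROUTE.match(entry)
        if not m or m.group("code") != "C":
            continue  # headers, legend lines and non-connected routes
        if "possibly down" in m.group("rest"):
            # The interface name is the last comma-separated field, if present.
            iface = m.group("rest").rsplit(",", 1)[-1].strip() or None
            hits.append((m.group("net"), m.group("mask"), iface))
    return hits

if __name__ == "__main__":
    for net, mask, iface in possibly_down_routes(SAMPLE):
        print(f"ALERT: connected route {net} {mask} on {iface} is possibly down")
```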





