OSPF on ASA 8.2 not advertising /32

Question

We have set up OSPF between our 2 ASA 5540 running in Active/Passive and our Internet provider's Juniper routers. We would like to advertise routes based on the content of an ACL through a route-map :

router ospf 1
router-id X.X.X.A
network X.X.X.B 255.255.255.248 area 0
area 0 authentication message-digest
log-adj-changes
redistribute static metric 10 subnets route-map annonce_ospf_isp

route-map annonce_ospf_isp permit 1
match ip address redistribute_isp

access-list redistribute_isp standard permit Y.Y.Y.C 255.255.255.252

If I advertise a /30, no problem : it shows up in the ospf database and the route is inserted in other routers.

However if I advertise a /32 then nothing happens: it's not in the database, it's not advertised :

access-list redistribute_neo standard permit host Y.Y.Y.D

What is the problem?

Try writing the access list with a mask instead of the word 'host'. — Ron Trunk, Feb 19 '14 at 13:59
actually that's what I do but ASA always replaces it with "host". Thanks — simsaull, Feb 19 '14 at 14:02
Try a prefix list instead of an access list. See: http://brandonfarmer.com/2013/10/19/redistributing-anyconnect-vpn-addresses-into-ospf-on-cisco-asa/ — Ron Trunk, Feb 19 '14 at 14:11
Thanks Ron. Unfortunatly prefix-list seems to be a feature available with ASA 8.3, and we are running 8.2... — simsaull, Feb 19 '14 at 14:43
well actually it's weirder than that : i can create a prefix-list : `prefix-list PF-test-ospf seq 1 permit Y.Y.Y.D/32`. However I cannot use it in my route-map : `(config-route-map)# match ip address ? route-map mode commands/options: WORD Access-list name` — simsaull, Feb 19 '14 at 14:48
I have seen lots of weirdness with 8.2. If you can upgrade, I recommend it. — Ron Trunk, Feb 19 '14 at 19:05
This is a shot in the dark but, have you tried using an extended ACL? Something like: "access-list TEST extended permit ip host Y.Y.Y.Y host 255.255.255.255". I read something about that with BGP and redistribution on IOS with extended ACLs that would be a syntax. Anyways, if your back is up against a wall, it is worth a try. — , Feb 19 '14 at 23:15
There's a bug in 8.2 (and I think 8.3) related to controlling redistribution into OSPF with a route-map. I ran into a similar problem, where I wanted to redistribute connected routes, but I wanted to suppress it for the /30 on the active/standby link. In my case, it was as though the route-map was being ignored. I'm pretty sure it was corrected in 8.4, possibly also in one of the recent 8.3 rebuilds. If I can find the bug id, I'll post more detailed information as an answer. — James Sneeringer, Feb 25 '14 at 20:31

user4487 · Accepted Answer · 2014-02-25T13:33:11.473

2

You should have a static /32 route in your routing table ~~towards~~ for Y.Y.Y.D in order to be able to redistribute it from static to OSPF.

edited Feb 25 '14 at 13:33

answered Feb 25 '14 at 11:05

user4487

46
2

score 0 · Answer 2 · answered Feb 28 '14 at 17:28

0

Try add a host static route. doing so it would add the route in the routing table. See if your initial redistribute command works after that.

answered Feb 28 '14 at 17:28

Rafael Couto Cabral

11
2

OSPF on ASA 8.2 not advertising /32

2 Answers2