OSPF stuck in ExStart state

  • Problem
  • Updated 2 years ago
  • Solved
I have an S8 Enterasys where I lost my OSPF neighbors with our border router. When I do a sh ip ospf neighbors, it shows it in ExStart state. I have cleared the process, taken it out and re-entered it, but it is still in ExStart state. I can ping the border router but can't get that connection. I have checked the interfaces and uplink ports, and all looks good.

Outside border interface:

interface vlan.0.100
  description "insidevlan"
  ip address xxx.xxx.xxx.x 255.255.255.240 primary
  no shutdown
  exit

Core interface:

interface vlan.0.302
  description "InsideFirewall"
  ip address xxx.xxx.xx.x 255.255.255.240 primary
  vrrp create 2 v2-IPv4
  vrrp address 2 xxx.xxx.xx.x
  vrrp priority 2 254
  vrrp host-mobility 2
  no shutdown
  exit

V302 goes to a C5 switch, which then goes to the inside FW, then out through the outside FW to the border (S4 router) V100.

This all started when we converted our FWs to layer 3. Everything was working fine, except for some VPN issues, which we then reverted. Now the neighbors don't connect.
Carlos Maldonado

Posted 2 years ago
Grosjean, Stephane, Employee

Usually this is an MTU mismatch.
Patrick Koppen

With an MTU mismatch you shouldn't get to ExStart...
Carlos Maldonado

I checked, both are 1500.
Grosjean, Stephane, Employee

Do you have the OSPF config of both ends?

It's not clear to me what happened. Did you say OSPF was between 2 S-series routers with an L2 FW in between, then you converted that FW to L3 (in OSPF with each S?), and back to an L2 FW? I guess the OSPF config has been modified a lot...

MTU, timers all checked?
Carlos Maldonado

Yes. All checks. The only thing I can see is that I can't ping multicast, 244.0.0.5, which is what OSPF uses for the hellos. I don't have any ACLs on these interfaces.
Carlos Maldonado

Here are the configs:

border:

router ospf 1
  router-id xxx.xxx.xxx.1
  network xxx.xxx.xxx.x 0.0.0.15 area 0.0.0.0
  network xxx.xxx.xxx.xx 0.0.0.15 area 0.0.0.0
  redistribute bgp
  log-adjacency
  exit

router ospf 1
  router-id xxx.xxx.xxx.xx
  network xxx.xxx.xxx.xx 0.0.0.15 area 0.0.0.0
  redistribute connected
  log-adjacency
  passive-interface default
  no passive-interface vlan.0.302
  exit

There are more networks, but this is the one in question. All IPs match; I don't want to expose them.
Patrick Koppen

You may check the following:

show ip ospf interface
show ip ospf neighbors
show ip int brief

Disable the interface, activate debugging (debug ip ospf adj or packets), enable the interface
and see what happens....

If there are only two routers, you should use point-to-point mode.

What do you mean by FW to L3?

You should not replace all parts of the IP with xxx.
Carlos Maldonado

Our firewalls are inline. They were working fine before we tried to convert them to layer 3 interfaces. We had everything working with them configured as layer 3, but we had to revert, and this is when we got the ExStart state between our core and border routers. Because we use public IPs on all our network devices, I'm not exposing the real IPs, hence the xxx. I'll try the debugging.
Erik Auerswald, Embassador

Hi Carlos,

Do you use a Host ACL? If so, do you allow the OSPF protocol or just the multicast groups? The multicast groups are used to establish the adjacencies, but the data exchange uses unicast sourced from the interface IP of one router destined to the interface IP of the other router.

If you are establishing the adjacencies across a firewall, please ensure that the OSPF protocol is allowed on the firewall between the router interface addresses and the OSPF multicast groups.

Thanks,
Erik
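The distinction Erik draws (multicast Hellos versus unicast Database Description packets) and the MTU check Stephane mentions can both be seen directly in the packets. The following Python script is an added example, not code from the thread or from Extreme/Enterasys: it builds a constructed capture of OSPFv2-over-IPv4 packets, decodes the IP and OSPF headers, lists the distinct flows an inline firewall or host ACL would have to permit (IP protocol 89, both to the 224.0.0.5 group and between the two interface addresses), and reads the Interface MTU field that each router advertises in its DBD packets. Addresses, router IDs and the 1500/1400 MTU values are assumptions; the checksums are left at zero because nothing here transmits the packets.

```python
# Added example (not from the thread): decode OSPFv2-over-IPv4 packets to show
# which packets are multicast (Hellos to 224.0.0.5) and which are unicast
# between the two interface addresses (DBD exchange), and to read the
# Interface MTU field in DBD packets that a neighbor compares in ExStart/Exchange.
# All packets below are constructed; addresses, router IDs and MTU values are
# assumptions, not values from the thread.
import struct
import ipaddress

OSPF_PROTO = 89                      # IP protocol number for OSPF
OSPF_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}
ALL_SPF_ROUTERS = ipaddress.IPv4Address("224.0.0.5")


def build_packet(src, dst, ospf_type, body, router_id):
    """Build a minimal IPv4 header + 24-byte OSPFv2 header + body (checksums zero)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    ospf_len = 24 + len(body)
    ospf_hdr = struct.pack("!BBH4s4sHH8s", 2, ospf_type, ospf_len,
                           ipaddress.IPv4Address(router_id).packed,
                           b"\x00" * 4,            # area 0.0.0.0
                           0, 0, b"\x00" * 8)      # checksum, AuType 0, auth
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ospf_len, 0, 0,
                         1, OSPF_PROTO, 0, src.packed, dst.packed)  # TTL 1
    return ip_hdr + ospf_hdr + body


def hello_body(mask="255.255.255.240", hello=10, dead=40):
    """Hello body: netmask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", ipaddress.IPv4Address(mask).packed,
                       hello, 0x02, 1, dead, b"\x00" * 4, b"\x00" * 4)


def dbd_body(mtu, dd_seq, init=True, more=True, master=True):
    """DBD body: Interface MTU, options, I/M/MS flags, DD sequence number."""
    flags = (int(init) << 2) | (int(more) << 1) | int(master)
    return struct.pack("!HBBI", mtu, 0x02, flags, dd_seq)


def parse_packet(raw):
    """Return a dict describing one OSPF packet, or None if the IP payload is not OSPF."""
    ver_ihl, _, _, _, _, _, proto, _ = struct.unpack("!BBHHHBBH", raw[:12])
    if proto != OSPF_PROTO:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    ospf = raw[ihl:]
    _, otype, _, rid, _, _, _ = struct.unpack("!BBH4s4sHH", ospf[:16])
    info = {
        "src": str(src), "dst": str(dst),
        "type": OSPF_TYPES.get(otype, f"type{otype}"),
        "multicast": dst.is_multicast,
        "router_id": str(ipaddress.IPv4Address(rid)),
    }
    if otype == 2:  # DBD carries the sender's interface MTU in its first two bytes
        info["mtu"] = struct.unpack("!H", ospf[24:26])[0]
    return info


def required_flows(packets):
    """Distinct (src, dst, type) tuples an inline firewall or host ACL must allow."""
    return sorted({(p["src"], p["dst"], p["type"]) for p in packets if p})


def dbd_mtus(packets):
    """Interface MTU advertised by each router ID in its DBD packets."""
    return {p["router_id"]: p["mtu"] for p in packets if p and p["type"] == "DBD"}


def mtu_mismatch(packets):
    """True when the ends advertise different MTUs (a classic ExStart/Exchange stall)."""
    return len(set(dbd_mtus(packets).values())) > 1


# Constructed capture: multicast Hellos both ways, then the unicast DBD
# exchange in which the two routers disagree on interface MTU.
A, B = "192.0.2.1", "192.0.2.2"
CAPTURE = [
    build_packet(A, str(ALL_SPF_ROUTERS), 1, hello_body(), router_id="1.1.1.1"),
    build_packet(B, str(ALL_SPF_ROUTERS), 1, hello_body(), router_id="2.2.2.2"),
    build_packet(A, B, 2, dbd_body(1500, 0x1000), router_id="1.1.1.1"),
    build_packet(B, A, 2, dbd_body(1400, 0x2000), router_id="2.2.2.2"),
]
PARSED = [parse_packet(raw) for raw in CAPTURE]

if __name__ == "__main__":
    for src, dst, kind in required_flows(PARSED):
        scope = "multicast" if ipaddress.IPv4Address(dst).is_multicast else "unicast"
        print(f"{kind:6s} {src} -> {dst} ({scope})")
    print("DBD MTUs:", dbd_mtus(PARSED), "mismatch:", mtu_mismatch(PARSED))
```

Running it lists four flows: the two Hellos to 224.0.0.5 and the two unicast DBD packets between 192.0.2.1 and 192.0.2.2, which is why a rule that only permits the multicast groups lets neighbors reach ExStart and no further. It also reports the 1500 versus 1400 MTU disagreement carried in the DBD packets, the same field a router compares when it decides whether to accept a neighbor's DBD.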
Carlos Maldonado

No, we are not. We do have firewalls (Palo Altos) between the core and the border, but they are configured as vWire (inline). By default, the Palo Alto Networks firewall advertises all the OSPF routes (both intra-area and inter-area).
Carlos Maldonado

I bypassed the firewall to see if it was the firewall causing the issue. The test worked, but when I put the firewall back in place, OSPF is working now. Go figure!