Header Only - DO NOT REMOVE - Extreme Networks

ospf stuck in exstart state


I have a S8 Enterasys where I lost my OSPF neighbors with our Border router. When I do a sh ip ospf neighbors, it shows it in a ex-state. I have clear the process, taken it out and re-enter, but still on ex-state. I can ping the border router but can't get that connection. I have checked the interfaces, and uplink ports, all looks good.

Outside border interface:

interface vlan.0.100
description "insidevlan"
ip address xxx.xxx.xxx.x 255.255.255.240 primary
no shutdown
exit

Core interface:

interface vlan.0.302
description "InsideFirewall"
ip address xxx.xxx.xx.x 255.255.255.240 primary
vrrp create 2 v2-IPv4
vrrp address 2 xxx.xxx.xx.x
vrrp priority 2 254
vrrp host-mobility 2
no shutdown
exit

V302 goes to a C5 switch which then goes to the inside FW, goes out through outside FW to the border (S4 router) V100.

This all started when we converted our FW's to layer 3. Everything was working fine, except for some VPN issues which we than reverted back. Now the neighbors don't connect.

11 replies

Userlevel 7
Usually this is a MTU mismatch.
Userlevel 2
Grosjean, Stephane wrote:

Usually this is a MTU mismatch.

with mtu mismatch you shouldn't get to ex-start...
I checked, both are 1500
Userlevel 7
Do you have the ospf config of both ends?

It's not clear to me what happened. Did you say ospf was between 2 S-series routers with a L2 FW in-between, then you converted that FW to L3 (in ospf with each S?), and back to L2 FW? I guess the ospf config has been modified a lot...

mtu, timers all checked?
Yes. All checks. The only thing I can see i that I can't ping multicast, 244.0.0.5 which is where OSPF uses for the hellos. I don't have any acl's on these interfaces.
he are the configs:

border:

router ospf 1
router-id xxx.xxx.xxx.1
network xxx.xxx.xxx.x 0.0.0.15 area 0.0.0.0
network xxx.xxx.xxx.xx 0.0.0.15 area 0.0.0.0
redistribute bgp
log-adjacency
exit

router ospf 1
router-id xxx.xxx.xxx.xx
network xxx.xxx.xxx.xx 0.0.0.0.15 area 0.0.0.0
redistribute connected
log-adjacency
passive-interface default
no passive-interface vlan.0.302
exit

There are more networks but this is the one in question. All IP's match, don't want to expose them.
Userlevel 2
You may check the following:

show ip ospf interface
show ip ospf neigbours
show ip int brief

disable the interface, activate debugging (debug ip ospf adj or packets), enable the interface
and see what happends....

If there are only two routers, you should use point to point mode.

What do you mean with FW to L3?

You should not replace all parts of the ip with xxx.
Our firewalls are inline. They were working fine before we try to convert them to a layer 3 interfaces. We had everything working with them configured as layer 3, but we had to revert back and this is when get the ex-state between our core and border routers. Because we use public IP's in all our network devices, I'm not exposing the real IP's, hence the xxx. I'll try the debugging.
Userlevel 7
Hi Carlos,

do you use a Host ACL? If so, do you allow the OSPF protocol or just the multicast groups? The multicast groups are used to establish the adjacencies, but the data exchange uses unicast sourced from the interface IP of one router destined to the interface IP of the other router.

If you are establishing the adjacencies across a firewall, please ensure that the OSPF protocol is allowed on the firewall between the router interface addresses and the OSPF multicast groups.

Thanks,
Erik
No we are not. We do have firewalls (Palo Altos) between the core and the border but they are configured as vWire (inline). By default, the Palo Alto Networks firewall advertises all the OSPF routes (both intra-area and inter-area).
I bypass the firewall to see if it was the firewall causing the issue. The test worked, but when I put firewall back in place, OSPF is working now. Go figure!

Reply