ospf stuck in exstart state
‎03-19-2017 01:17 PM
I have an S8 Enterasys where I lost my OSPF neighbors with our border router. When I do a sh ip ospf neighbors, it shows it in ExStart state. I have cleared the process, taken it out and re-entered it, but it is still in ExStart. I can ping the border router but can't get that connection. I have checked the interfaces and uplink ports, and all looks good.
Outside border interface:
interface vlan.0.100
description "insidevlan"
ip address xxx.xxx.xxx.x 255.255.255.240 primary
no shutdown
exit
Core interface:
interface vlan.0.302
description "InsideFirewall"
ip address xxx.xxx.xx.x 255.255.255.240 primary
vrrp create 2 v2-IPv4
vrrp address 2 xxx.xxx.xx.x
vrrp priority 2 254
vrrp host-mobility 2
no shutdown
exit
V302 goes to a C5 switch, which then goes to the inside FW, out through the outside FW to the border (S4 router) V100.
This all started when we converted our FWs to layer 3. Everything was working fine, except for some VPN issues, which we then reverted. Now the neighbors don't connect.
‎03-20-2017 02:50 PM
I bypassed the firewall to see if it was the firewall causing the issue. The test worked, but when I put the firewall back in place, OSPF is now working. Go figure!
‎03-20-2017 11:43 AM
No, we are not. We do have firewalls (Palo Altos) between the core and the border, but they are configured as vWire (inline). By default, the Palo Alto Networks firewall advertises all the OSPF routes (both intra-area and inter-area).
‎03-20-2017 06:51 AM
Hi Carlos,
Do you use a Host ACL? If so, do you allow the OSPF protocol or just the multicast groups? The multicast groups are used to establish the adjacencies, but the data exchange uses unicast sourced from the interface IP of one router and destined to the interface IP of the other router.
If you are establishing the adjacencies across a firewall, please ensure that the OSPF protocol is allowed on the firewall between the router interface addresses and the OSPF multicast groups.
Thanks,
Erik
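The multicast-versus-unicast point above is the usual reason a neighbor reaches ExStart and goes no further: Hellos to 224.0.0.5 get through, but the Database Description packets that follow are unicast between the two interface addresses, and a filter that only permits the multicast groups silently drops them. The Python below is an added example, not code from this thread or from any vendor. It models a permit-list policy (implicit deny) and walks a constructed adjacency exchange through it; the addresses are from the RFC 5737 documentation range and the neighbor-state progression is simplified.

```python
"""Why an OSPF adjacency can stall in ExStart behind a host ACL or firewall.

Added example (not from the original thread). It models a permit-list policy
and walks a constructed adjacency exchange through it. Addresses come from the
RFC 5737 documentation range; the state progression is simplified.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

OSPF_PROTO = 89                 # OSPF rides directly on IP, protocol 89
ALL_SPF_ROUTERS = "224.0.0.5"   # AllSPFRouters multicast group
ALL_D_ROUTERS = "224.0.0.6"     # AllDRouters multicast group

# Constructed interface addresses for the two OSPF speakers.
CORE_IF = "192.0.2.1"
BORDER_IF = "192.0.2.2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    ospf_type: str  # Hello, DBD, LSR, LSU or LSAck


@dataclass(frozen=True)
class Rule:
    """A permit entry; None means 'any' for that field."""
    proto: Optional[int]
    srcs: Optional[FrozenSet[str]]
    dsts: Optional[FrozenSet[str]]

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.srcs is None or p.src in self.srcs)
                and (self.dsts is None or p.dst in self.dsts))


def permitted(policy: List[Rule], p: Packet) -> bool:
    """Permit list with an implicit deny at the end."""
    return any(r.matches(p) for r in policy)


# Constructed adjacency bring-up on a broadcast segment, with the neighbor
# state reached once each packet is delivered. Hellos use AllSPFRouters;
# Database Description (DBD) and Link State Request packets are unicast
# between the interface addresses; flooding (LSU/LSAck) uses multicast again.
ADJACENCY_EXCHANGE: List[Tuple[Packet, str]] = [
    (Packet(CORE_IF, ALL_SPF_ROUTERS, OSPF_PROTO, "Hello"), "Init"),
    (Packet(BORDER_IF, ALL_SPF_ROUTERS, OSPF_PROTO, "Hello"), "ExStart"),
    (Packet(CORE_IF, BORDER_IF, OSPF_PROTO, "DBD"), "ExStart"),   # master/slave negotiation
    (Packet(BORDER_IF, CORE_IF, OSPF_PROTO, "DBD"), "Exchange"),
    (Packet(CORE_IF, BORDER_IF, OSPF_PROTO, "LSR"), "Loading"),
    (Packet(BORDER_IF, ALL_SPF_ROUTERS, OSPF_PROTO, "LSU"), "Loading"),
    (Packet(CORE_IF, ALL_SPF_ROUTERS, OSPF_PROTO, "LSAck"), "Full"),
]

# Policy that only permits the multicast groups: enough for Hellos, not for DBDs.
MULTICAST_ONLY: List[Rule] = [
    Rule(OSPF_PROTO, None, frozenset({ALL_SPF_ROUTERS, ALL_D_ROUTERS})),
]

# Corrected policy: the multicast groups plus unicast OSPF between the
# interface addresses, in both directions.
ROUTER_IFS = frozenset({CORE_IF, BORDER_IF})
CORRECTED: List[Rule] = MULTICAST_ONLY + [Rule(OSPF_PROTO, ROUTER_IFS, ROUTER_IFS)]


def simulate(policy: List[Rule]) -> Tuple[str, Optional[Packet]]:
    """Return the neighbor state reached and the first packet the policy drops."""
    state = "Down"
    for packet, next_state in ADJACENCY_EXCHANGE:
        if not permitted(policy, packet):
            return state, packet
        state = next_state
    return state, None


if __name__ == "__main__":
    for name, policy in (("multicast only", MULTICAST_ONLY), ("corrected", CORRECTED)):
        state, dropped = simulate(policy)
        what = (f"dropped {dropped.ospf_type} {dropped.src}->{dropped.dst}"
                if dropped else "all packets passed")
        print(f"{name:15s} neighbor state {state:8s} ({what})")
```

With the multicast-only policy the simulation stops at the first unicast DBD with the neighbor left in ExStart, which is the symptom in the original post; the corrected policy carries the exchange through to Full while still denying non-OSPF traffic and OSPF from addresses other than the two router interfaces. On a real firewall the unicast rule must cover both directions, since either router may end up as the DBD master.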
‎03-19-2017 06:56 PM
Our firewalls are inline. They were working fine before we tried to convert them to layer 3 interfaces. We had everything working with them configured as layer 3, but we had to revert, and this is when we got the ExStart state between our core and border routers. Because we use public IPs on all our network devices, I'm not exposing the real IPs, hence the xxx. I'll try the debugging.
