ospf stuck in exstart state

ospf stuck in exstart state

Carlos_Maldona2
New Contributor II
I have an S8 Enterasys where I lost my OSPF neighbors with our border router. When I do a sh ip ospf neighbors, it shows it in ex-state. I have cleared the process, taken it out and re-entered it, but it is still in ex-state. I can ping the border router but can't get that connection. I have checked the interfaces and uplink ports; all looks good.

Outside border interface:

interface vlan.0.100
description "insidevlan"
ip address xxx.xxx.xxx.x 255.255.255.240 primary
no shutdown
exit

Core interface:

interface vlan.0.302
description "InsideFirewall"
ip address xxx.xxx.xx.x 255.255.255.240 primary
vrrp create 2 v2-IPv4
vrrp address 2 xxx.xxx.xx.x
vrrp priority 2 254
vrrp host-mobility 2
no shutdown
exit

V302 goes to a C5 switch, which then goes to the inside FW, then out through the outside FW to the border (S4 router) V100.

This all started when we converted our FWs to layer 3. Everything was working fine, except for some VPN issues, which we then reverted. Now the neighbors don't connect.

11 replies

Carlos_Maldona2
New Contributor II
I bypassed the firewall to see if it was the firewall causing the issue. The test worked, and when I put the firewall back in place, OSPF was working as well. Go figure!

Carlos_Maldona2
New Contributor II
No, we are not. We do have firewalls (Palo Altos) between the core and the border, but they are configured as vWire (inline). By default, the Palo Alto Networks firewall advertises all the OSPF routes (both intra-area and inter-area).

Erik_Auerswald
Contributor II
Hi Carlos,

Do you use a Host ACL? If so, do you allow the OSPF protocol or just the multicast groups? The multicast groups are used to establish the adjacencies, but the data exchange uses unicast, sourced from the interface IP of one router and destined to the interface IP of the other router.

If you are establishing the adjacencies across a firewall, please ensure that the OSPF protocol is allowed on the firewall between the router interface addresses and the OSPF multicast groups.

Thanks,
Erik
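The split Erik describes (Hellos to the 224.0.0.5 multicast group, then unicast Database Description packets between the two interface addresses once the routers try to leave ExStart) is exactly what a capture on a SPAN port or on the inline firewall should show. The following script is an added example and is not part of the original thread or of any vendor tool: it parses raw IPv4/OSPFv2 packets, counts who is sending what to whom, and reports whether the unicast leg that ExStart depends on is present in both directions. The addresses 192.0.2.1 (core) and 192.0.2.2 (border), the router IDs, and the sample packets are all constructed placeholders standing in for the xxx addresses in the post.

```python
"""Classify OSPFv2 traffic between two neighbours and flag a missing unicast leg.

Added example (not from the original thread). Input is a list of raw IPv4
frames (bytes); the sample below is constructed with zeroed checksums.
"""
import struct
from collections import defaultdict

IPPROTO_OSPF = 89
ALL_SPF_ROUTERS = "224.0.0.5"          # Hellos and DR/BDR election traffic
OSPF_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}


def _ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def _bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_ospf_packet(src, dst, ospf_type, router_id, area_id="0.0.0.0"):
    """Constructed test input: 20-byte IPv4 header + 24-byte OSPFv2 header.
    Checksums are left as zero; this is for exercising the parser only."""
    ospf_hdr = struct.pack("!BBH4s4sHH8s", 2, ospf_type, 24,
                           _ip_to_bytes(router_id), _ip_to_bytes(area_id),
                           0, 0, b"\x00" * 8)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(ospf_hdr),
                         0, 0, 1, IPPROTO_OSPF, 0,
                         _ip_to_bytes(src), _ip_to_bytes(dst))
    return ip_hdr + ospf_hdr


def parse_ospf_packet(raw):
    """Return (src, dst, type_name, router_id) for an OSPFv2-over-IPv4 frame,
    or None for anything else (short frame, other protocol, OSPFv3)."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != IPPROTO_OSPF or len(raw) < ihl + 24:
        return None
    src, dst = _bytes_to_ip(raw[12:16]), _bytes_to_ip(raw[16:20])
    version, otype, _length, rid, _area = struct.unpack("!BBH4s4s",
                                                        raw[ihl:ihl + 12])
    if version != 2:
        return None
    return src, dst, OSPF_TYPES.get(otype, "type%d" % otype), _bytes_to_ip(rid)


def summarize(packets):
    """Count (src, dst, type) triples; multicast vs unicast shows in dst."""
    counts = defaultdict(int)
    for raw in packets:
        parsed = parse_ospf_packet(raw)
        if parsed:
            counts[parsed[:3]] += 1
    return dict(counts)


def diagnose(packets, a, b):
    """Decide whether the Hello (multicast) and DBD (unicast) legs between
    interface addresses a and b are both visible in the capture."""
    counts = summarize(packets)
    seen = lambda s, d, t: counts.get((s, d, t), 0) > 0
    result = {
        "hello_a": seen(a, ALL_SPF_ROUTERS, "Hello"),
        "hello_b": seen(b, ALL_SPF_ROUTERS, "Hello"),
        "dbd_a_to_b": seen(a, b, "DBD"),
        "dbd_b_to_a": seen(b, a, "DBD"),
    }
    if not (result["hello_a"] and result["hello_b"]):
        result["verdict"] = "multicast Hellos missing; neighbours cannot even reach 2-Way"
    elif result["dbd_a_to_b"] and result["dbd_b_to_a"]:
        result["verdict"] = "Hellos and DBDs flow both ways; filtering is not the blocker"
    elif result["dbd_a_to_b"] or result["dbd_b_to_a"]:
        src = a if result["dbd_a_to_b"] else b
        dst = b if src == a else a
        result["verdict"] = ("unicast DBD only from %s to %s; unicast OSPF (IP proto 89) "
                             "from %s to %s is not arriving, so ExStart cannot complete"
                             % (src, dst, dst, src))
    else:
        result["verdict"] = "Hellos only; unicast OSPF between %s and %s is blocked" % (a, b)
    return result


def sample_packets():
    """Constructed capture: Hellos both ways, DBD from core only (stuck ExStart)."""
    core, border = "192.0.2.1", "192.0.2.2"      # placeholder interface IPs
    return [
        build_ospf_packet(core, ALL_SPF_ROUTERS, 1, "10.0.0.1"),
        build_ospf_packet(border, ALL_SPF_ROUTERS, 1, "10.0.0.2"),
        build_ospf_packet(core, border, 2, "10.0.0.1"),
        build_ospf_packet(core, border, 2, "10.0.0.1"),
    ]


if __name__ == "__main__":
    for key, value in diagnose(sample_packets(), "192.0.2.1", "192.0.2.2").items():
        print("%-12s %s" % (key, value))
```

To use it on real traffic, feed it the raw IPv4 frames from a capture taken on the inline pair or a mirror port, with a and b set to the two router interface addresses; a verdict of "unicast DBD only from ..." is the signature of Erik's case, where the multicast groups are permitted but the unicast IP protocol 89 flow between the interface IPs is not.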

Carlos_Maldona2
New Contributor II
Our firewalls are inline. They were working fine before we tried to convert them to layer 3 interfaces. We had everything working with them configured as layer 3, but we had to revert, and this is when we got the ex-state between our core and border routers. Because we use public IPs on all our network devices, I'm not exposing the real IPs, hence the xxx. I'll try the debugging.
