topic Re: How to inject OSPF information from PA to other OSPF-Routers in General Topics

How to inject OSPF information from PA to other OSPF-Routers

Hithead — Wed, 26 Jun 2013 08:24:54 GMT

Hello,

we created a IPSec tunnel between Cisco and PA:

Now we have a problem to make the network behind the Cisco Router reachable from the Corporate LAN and the other way (from Corporate LAN to the "Cisco LAN"). Both routers running OSPF. With OSPF we want to make this networks reachable through the PA. The PA already gets the OSPF informations from both Routers and is able to inject the "connected" network (setting image ospf9.jpg) to the OSPF network. But the OSPF routing information itself not.

We need your help. Did we missed a configuration? How does it work?

Please take a look at the attached files... Thanks a lot.

Re: How to inject OSPF information from PA to other OSPF-Routers

UhMayYeah — Wed, 26 Jun 2013 10:55:38 GMT

Try using the actual subnets (eg : 192.168.1.0/24) in the Destination field instead of the interfaces (ospf-9)

Re: How to inject OSPF information from PA to other OSPF-Routers

Hithead — Wed, 26 Jun 2013 11:13:10 GMT

Did the change like you said:

But it doesn't work. Still able to reach the tunnel subnet but not the network behind the router.

Re: How to inject OSPF information from PA to other OSPF-Routers

kprakash — Wed, 26 Jun 2013 13:34:24 GMT

Hi Hithead,

I have some recommendations for you:

1) First of all, if you want to learn the routes via OSPF, then we enable OSPF on the interfaces of the devices. We have OSPF configured on tunnel.2 and on eth1/2.1. From the screenshots on OSPF-1 and OSPF-2, we can see that the PANFW is learning the routes 10.xx.0.0/26 through the tunnel.2 interface and the 192, the 172 and the 10 networks on the eth1/2.1 interface. You can increase the metric of the static routes to prefer the link state routes over the static routes.

2) I see that the OSPF routes are being learnt, but just to be sure, have an "any any" permitting policy for OSPF application.

3) on ospf-4, I see that the tunnel.2 is seen as a BDR. Tunnel interfaces are always point to point. Change the interface link type to "point-to-point" and also change it on the tunnel interface of the cisco router.

4) You dont redistribute an OSPF route into OSPF, like we have on the screenshots of OSPF-7 and OSPF-8. All you need is to configure the interfaces with OSPF, which we have done. I see that the tunnel.2 is on area0 and eth1/2.1 is on area x. Likewise, we dont need redistribution of inter area routes. It is automatically done by OSPF

5) We dont have to resdistribute the connected routes into OSPF. The participating interfaces would advertise their network addresses,and also the networks reachable on them into OSPF by default.

6) When you mean you can reach the tunnel subnet, I see that you are attempting to reach networks on the remote lan. Can you verify if the routing is configured correctly on the remote end routers.

7) After having verified all these steps, if we still cannot get it to work, please open a case with us.

Thanks and best regards,

Karthik RP

Re: How to inject OSPF information from PA to other OSPF-Routers

Hithead — Thu, 27 Jun 2013 11:15:44 GMT

Hi,

thanks for the check list. Now we got OSPF. But not completely:

You see, the cisco router and the "OSPF Router" at the same network as the PA gets the OSPF information. But the PA (or OSPF Router - vendor Cisco) do not forward the OSPF information to e.g. LAN B (we have several subnets).

Re: How to inject OSPF information from PA to other OSPF-Routers

rmonvon — Thu, 27 Jun 2013 13:39:36 GMT

Hi...The OSPF router that connect to LANB is responsible for route advertisement to other OSPF neighbors in LANB. Please check the configuration of the OSPF router and review its neighbor's stats. Thanks.,

Re: How to inject OSPF information from PA to other OSPF-Routers

kprakash — Thu, 27 Jun 2013 14:51:44 GMT

Can you verify if the interface on the router on LAN-B is not configured as a passive interface for OSPF, oe doenst have any wierd access list that is blocking the advertisement of the network? We can see that the PANFW is learning the routes via OSPF from its neighbours OSPF router and Cisco router. If its just one network, ie the LAN B, that the firewall isnt getting routing information for, we have to check the settings on the firewall on LAN B

Re: How to inject OSPF information from PA to other OSPF-Routers

Hithead — Thu, 18 Jul 2013 14:06:19 GMT

Hi,

i guess its a Cisco Router problem. Have to test it. Will update this thread, when we found the issue. Thanks for your help...!

Re: How to inject OSPF information from PA to other OSPF-Routers

Hithead — Mon, 12 Aug 2013 06:35:10 GMT

Hello,

finally we got the right configuration to inject OPSF information in our LAN from the remote station. I'd like to share you the configuration we did:

Re: How to inject OSPF information from PA to other OSPF-Routers

Hithead — Mon, 12 Aug 2013 06:39:23 GMT

With this configuration we get this system message from the PA:

domain: 1

actionflags: 0x0

type: SYSTEM

subtype: routing

config_ver: 0

vsys:

eventid: routed-OSPF-neighbor-down

object: ROSEN_LAN

fmt: 0

id: 0

module: general

severity: high

opaque: OSPF adjacency with neighbor has gone down. interface ethernet1/XX,
neighbor router ID 10.XXXXXX, neighbor IP address 10.XXXXXX.

How can we fix or disable this message?

Re: How to inject OSPF information from PA to other OSPF-Routers

kprakash — Mon, 12 Aug 2013 13:30:41 GMT

We cannot disable these messages, as they are notifications about OSPF state changes. If you are seeing these messages frequently, then it appears that the adjacency on eth1/xx is flapping, and can introduce instability in the OSPF domain.

1) Verify if the Link itself is not flapping

2) Verify if there is no MTU mismatch on the interfaces ( If there is a mismatch in the interface MTU, the OSPF states wouldnt go beyond Exstart )

3) Ensure that you have a policy to permit OSPF for the zone on which eth1/xx is configured on

BR,

Karthik