topic Re: OSPF Adjacencies Flapping over IPSec Tunnel in General Topics

OSPF Adjacencies Flapping over IPSec Tunnel

Maurice_Green — Wed, 07 Mar 2018 15:12:04 GMT

Hello,

I would like to open this issue up for discussion, and possible resolution. We have an IPSec Tunnel between two Palo Alto Firewalls (PAN 3050 & PAN 820), and we advertise OSPF routes to interconnect both sites, over the tunnel. This was working fine for months with no issues. Four days ago, we upgraded the 3050 from PANOS7.1 to PANOS8.0.8, and since then our OSPF adjacencies have continuously dropped.

When the adjancency is up, the routes work fine, and traffic goes through the tunnel properly. However, they are not up for very long, and only a few successful pings get through. As a workaround we added static routes on both sides, which improved connectivity, however this too was inconsistent.

Here's the catch; once we completely broke the OSPF Adjacency, the static routes worked perfectly -- remaining consistent with 100% ping success. I'm not sure what's going on. With both OSPF and static the static will still take precedence (we have not changed Administrative Distance values). Why is it that static routes pointing traffic through the tunnel works only when OSPF is removed. But with OSPF and static, neither provide consistent connectivity over the tunnel.

The PAN engineers thought it was related to PAN-DB download causing cpu spikes. We deactivated the URL Filtering Licence and inserted a security rule to block pancloud application, and this did not resolve the issue.

Has anybody else seen behavior like this, or have any inclining to what may be causing this issue? Any help or guidance is appreciated.

Thanks

Re: OSPF Adjacencies Flapping over IPSec Tunnel

OtakarKlier — Wed, 07 Mar 2018 16:19:15 GMT

Hello,

Are the PAN's both running 8.0.8 or just the 3050? I have both models and OSPF between them using multiple links, i.e. p2p wan links with VPN's. One issue I ran into was they were in different areas and the LSA updates became a problem. Are they in the same area?

Just some thoughts.

Re: OSPF Adjacencies Flapping over IPSec Tunnel

Maurice_Green — Wed, 07 Mar 2018 19:39:14 GMT

Hello,

Thank you for your reply! They were at one point both running 8.0.8, however, we reverted the 3050 (that was recently upgraded) to 8.0.0 as a troubleshooting step; the PAN820 is still running 8.0.8.

Yes the links are in the same area, I belive that is a requirement to become neighbors. I did go back and check to make sure all metric values (and area) were the same, and they are. I will point out, the physical WAN links on both ends are OSPF Passive interfaces only, to advertise their respective Networks.

The tunnel is formed between those two WAN links, and the tunnel interfaces on both ends are in Area 2, p2p.

Thanks

Re: OSPF Adjacencies Flapping over IPSec Tunnel

geetha — Thu, 14 Jun 2018 22:08:43 GMT

Maurice, Did you find a resolution to your ospf issues? we are experiencing ospf adjaceny drop in 8.0.8 and so checking

Re: OSPF Adjacencies Flapping over IPSec Tunnel

JoeAndreini — Fri, 15 Jun 2018 14:14:38 GMT

I encountered this previously due to a change in default BFD behavior between 7.1 and 8.0 - check your BFD settings on the VR and your global settings - we had hard coded the global setting on one firewall to match the default, and left the other "default" so it's setting changed when it was upgraded - this caused the OSPF adjacency to go down every time the BFD timer expired.