https://live.paloaltonetworks.com/t5/general-topics/ospf-route-learning-with-active-active-ha-setup/m-p/395987#M91327 <P>Hi there,</P><P>An old post, but certainly worth unearthing!</P><P>&nbsp;</P><P>The behaviour you are seeing is to be expected in an OSPF topology. For OSPF to function correctly each participating router in an area needs to have same LSDB contents. This, as you have seen can give sub-optimal routing paths as prefixes are advertised by seemingly distant routers.</P><P>&nbsp;</P><P>You mention route suppression, but that will only work on an ABR, and as you said, all of the routers are in the same OSPF Area.</P><P>However using redistribution profiles in this topology would be the wrong approach as to stop HA-B learning HA-A prefixes, HA-A would need to filter those routes. You end up in the paradox where all of the External routes are being filtered by HA-A (and HA-B) leaving the branch with no External routes in its LSDB</P><P>&nbsp;</P><P>The remaining OSPF solution would be to place the branch firewall in a stub area. A stub area will not receive External routes (Type-5) and instead the HA firewalls will advertise a default route. The branch will continue to advertise Types 1,2 and 3 to the HA firewalls.</P><P>This solution will result in the HA firewalls not viewing the branch router as a transit path.</P><P>&nbsp;</P><P>Another option would be to use eBGP. The BGP path selection would ensure that prefixes being received by the HA firewalls which originate from the opposing HA firewall via the branch firewall would be ignored due to the local AS appearing the AS_PATH.</P><P>&nbsp;</P><P>cheers,</P><P>Seb.</P> Tue, 06 Apr 2021 10:02:16 GMT SebRupik 2021-04-06T10:02:16Z https://live.paloaltonetworks.com/t5/general-topics/ospf-route-learning-with-active-active-ha-setup/m-p/364685#M88493 <P>I have an Palo Alto A/A HA configuration, each member with their own independent virtual router. The HA firewalls build an IPSEC tunnel to a branch Palo Alto firewall and have OSPF configured to advertise the HA firewall routes to the branch firewall, and the branch firewall to advertise it's local connected routes back to the HA firewalls. All firewalls are in area ID 0.0.0.0.</P><P>&nbsp;</P><P>Everything works as expected, except for one issue. HA firewalls advertise to the branch firewall, firewall advertises back to the HA firewalls, but for some reason the HA firewall routes advertised to the branch end up on each HA firewall too:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomKisiel_0-1605971273887.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28749iC788D3BC7207995E/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="TomKisiel_0-1605971273887.png" alt="TomKisiel_0-1605971273887.png" /></span></P><P>Screenshot is a snip of a route to specific network on HA firewall A. First route is the local connected route, but the second route in the list is being learned from HA firewall B and incorrectly forwards traffic over the IPSEC tunnel interface (172.17.3.2).</P><P>&nbsp;</P><P>Here is a snip from OSPF LSDB on HA firewall A 10.61.24.10. It should only be learning routes from branch firewall 10.52.24.10, not from HA firewall B 10.63.24.10</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomKisiel_1-1605971683294.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28750i6584713C9C187566/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="TomKisiel_1-1605971683294.png" alt="TomKisiel_1-1605971683294.png" /></span></P><P>&nbsp;</P><P>How can I stop the HA firewalls from learning OSPF routes being advertised by the partner firewall? Seemingly the unwanted advertised routes are being sent back from the branch firewall, but area route suppression has not made a difference.</P><P>&nbsp;</P> Sat, 21 Nov 2020 15:15:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-route-learning-with-active-active-ha-setup/m-p/364685#M88493 TomKisiel 2020-11-21T15:15:51Z https://live.paloaltonetworks.com/t5/general-topics/ospf-route-learning-with-active-active-ha-setup/m-p/395987#M91327 <P>Hi there,</P><P>An old post, but certainly worth unearthing!</P><P>&nbsp;</P><P>The behaviour you are seeing is to be expected in an OSPF topology. For OSPF to function correctly each participating router in an area needs to have same LSDB contents. This, as you have seen can give sub-optimal routing paths as prefixes are advertised by seemingly distant routers.</P><P>&nbsp;</P><P>You mention route suppression, but that will only work on an ABR, and as you said, all of the routers are in the same OSPF Area.</P><P>However using redistribution profiles in this topology would be the wrong approach as to stop HA-B learning HA-A prefixes, HA-A would need to filter those routes. You end up in the paradox where all of the External routes are being filtered by HA-A (and HA-B) leaving the branch with no External routes in its LSDB</P><P>&nbsp;</P><P>The remaining OSPF solution would be to place the branch firewall in a stub area. A stub area will not receive External routes (Type-5) and instead the HA firewalls will advertise a default route. The branch will continue to advertise Types 1,2 and 3 to the HA firewalls.</P><P>This solution will result in the HA firewalls not viewing the branch router as a transit path.</P><P>&nbsp;</P><P>Another option would be to use eBGP. The BGP path selection would ensure that prefixes being received by the HA firewalls which originate from the opposing HA firewall via the branch firewall would be ignored due to the local AS appearing the AS_PATH.</P><P>&nbsp;</P><P>cheers,</P><P>Seb.</P> Tue, 06 Apr 2021 10:02:16 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-route-learning-with-active-active-ha-setup/m-p/395987#M91327 SebRupik 2021-04-06T10:02:16Z