OSPF Neighborship Stuck in Extstart State.
54265
Created On 09/25/18 17:19 PM - Last Modified 06/02/23 08:59 AM
Symptom
OSPF neighbor-ship is stuck with the below system logs error:
"OSPF 3 rtr ID x.x.x.x IP addr x.x.x.x neighbor FSM state has deteriorated"
Environment
All Devices
All PAN-OS
Cause
- OSPF Neighbor-ship stuck in Ex-start state
- Neighbor fsm state has deteriorated
Resolution
The number of possible ways when a OSPF neighbourship stucks in exstart state:
- In the majority of cases, a mismatch in MTU is the cause of this issue. Every router participating in the OSPF network needs to be configured with the exact same MTU value.
- If a "deny all" rule is part of the firewall's policy, it is also possible that the OSPF unicast packets get dropped by that rule. Examine the logs to determine if those packets are rejected. If it's the case, add a rule to the OSPF protocol.
- The new Cisco Nexus have the option VPC, this option reduce the TTL by one affecting OSPF unicast. This will also cause the firewall to be stuck in the exstart state.
- In CISCO Nexus switches run below commands to make Routing/Layer 3 over vPC peer-link
# config t
(config) # vpc domain <domain-ID>
(config-vpc-domain) # layer3 peer-router
(config-vpc-domain) # end
Additional Information
If there is any changes in the network (such as a software upgrade of the vPC-connected router or the vPC peers themselves, a firewall failover, and so on), the unicast routing protocol adjacencies over a vPC stop working, resulting in either packet loss for data plane traffic or unicast routing protocol adjacencies/neighborship failing to come up.
- The Routing/Layer 3 over vPC was introduced to form unicast routing protocol adjacencies over a vPC.
- In the Cisco Nexus switch side, Routing/Layer 3 over vPC peer-link can be enabled by "layer3 peer-router".