Cannot get OSPF to work through a tunnel interface..

L0 Member

Hello,

I have been working on my PA-500 trying to get OSPF to work through an IPSEC site to site VPN.

I cannot get OSPF to complete.  Looking at the status, I see LSAs sent, but none received.

I verified that the other end is configured exactly the same, and even matched them to what I had in my old firewall that I just pulled out.

Any help appreciated. Do I need to enable OSPF on the interfaces somehow, like the host inbound traffic command that Juniper uses on the SRX?  It almost seems that something is blocking the LSAs from coming back from the far end, but I don't know because I have not done a lot with OSPF.

Here are some commands that I ran in the CLI:

admin@PA-500> show routing protocol ospf summary

  ==========
  router id:                     192.168.254.254
  virtual router:                Default_VR
  reject default route:          reject
  redist default route:          block
  RFC1583 behavior:              no
  area border router:            no
  AS border router:              yes
  LS type 5 count:               1
  LS type 11 count:              0
  LS sent count:                 203
  LS recv count:                 0
    area id:                     0.0.0.0
      interface:                 172.16.254.3
      interface:                 192.168.254.254
      dynamic neighbors:       

admin@PA-500> show routing protocol ospf interface

  ==========
  virtual router:                Default_VR
  interface name:                tunnel.1
  interface address:             172.16.254.3
  interface type:                p2p
  passive:                       no
  area id:                       0.0.0.0
  router priority:               1
  status:                        p2p
  transit delay:                 1
  retry interval:                8
  hello interval:                10
  dead interval:                 40
  IP of DR:                      0.0.0.0
  IP of Backup DR:               0.0.0.0
  LSA count:                     0
  LSA refresh interval:          1800
  auth type:                     none
  interface metric:              100
  ==========
  virtual router:                Default_VR
  interface name:                vlan.1
  interface address:             192.168.254.254
  interface type:                p2p
  passive:                       yes
  area id:                       0.0.0.0
  router priority:               1
  status:                        p2p
  transit delay:                 1
  retry interval:                8
  hello interval:                10
  dead interval:                 40
  IP of DR:                      0.0.0.0
  IP of Backup DR:               0.0.0.0
  LSA count:                     0
  LSA refresh interval:          1800
  auth type:                     none
  interface metric:              10

admin@PA-500> show routing protocol ospf dumplsdb

 
VIRTUAL ROUTER: Default_VR (id 3)
  ==========
VR  Area ID         Orig RTR ID     LS ID              LSA Type             Seq Number CheckSum   Age  
3   0.0.0.0         192.168.254.254 192.168.254.254    type-1 (Router)      0x8000005F 0x00004D71 869  
            Options: [External]
            Router LSA Options: [ASBR]
              Stub Network: 172.16.254.3 Netmask 255.255.255.192, tos 0, metric: 100
              Stub Network: 192.168.254.254 Netmask 255.255.255.0, tos 0, metric: 10

3                   192.168.254.254 192.168.254.0/24   type-5 (External)    0x8000002E 0x0000E2F2 869  
            Options: [External]
            Mask 255.255.255.0, type 2, tos 0 metric: 255, forward 0.0.0.0, tag 0.0.0.0


admin@PA-500> show routing protocol ospf area

  ==========
  virtual router:                Default_VR
  area id:                       0.0.0.0
  range:
  Normal Area
  accept summary:                yes
  rounds of SPF calc:            3
  area border routers:           0
  AS border routers:             1
  NSSA translator role:          candidate
  NSSA translate status:         disabled
  transit capability:            no
  LSA refresh interval:          1800
  LSA count:                     1
  LSA count (type 1):            1
  LSA count (type 2):            0
  LSA count (type 3):            0
  LSA count (type 4):            0
  LSA count (type 7):            0
  LSA count (type 10):           0

L4 Transporter

Re: Cannot get OSPF to work through a tunnel interface..

Hello,

First, check that OSPF area, interface type, authentication are the same.

Then, check if both MTUs (of the tunnel interface) match. If not, the adjacency cannot be formed...

On SRX, if I'm not wrong, MTU is set to 9000 bytes.

Hope it helps.

Regards,

Hedi

Not applicable

Re: Cannot get OSPF to work through a tunnel interface..

When I do a "show routing protocol ospf area" on my PA5020 I see advertised networks under Range:. This may be a dumb question but do you have your PTP subnet advertised on each side?

L4 Transporter

Re: Cannot get OSPF to work through a tunnel interface..

Hi there,

Looks like you are on the right track:

  • Tunnel interfaces are configured with IP addresses
  • Tunnel interfaces added to OSPF area
  • Make sure MTU's match
  • Make sure there are no security policies blocking OSPF traffic (any to any zone policies can cause issues)

Can't think of anything else off the top of my head, but have done this before so it should work.

Cheers,

Kelly
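One way to run the "must match" items from this checklist against the CLI output posted above, as an added example that is not from the thread or from Palo Alto Networks: the LOCAL block is copied from the PA-500 `show routing protocol ospf interface` output, the REMOTE block is a constructed peer with a deliberate timer mismatch, and the parser assumes only the `key:   value` layout of that command.

```python
import re

# LOCAL is the tunnel.1 section from the thread; REMOTE is a constructed peer
# whose hello/dead timers were deliberately set to 30/120 to show a mismatch.
LOCAL = """\
  interface name:                tunnel.1
  interface address:             172.16.254.3
  interface type:                p2p
  passive:                       no
  area id:                       0.0.0.0
  hello interval:                10
  dead interval:                 40
  auth type:                     none
"""
REMOTE = """\
  interface name:                tunnel.7
  interface address:             172.16.254.4
  interface type:                p2p
  passive:                       no
  area id:                       0.0.0.0
  hello interval:                30
  dead interval:                 120
  auth type:                     none
"""

# Parameters that must agree on both ends of a link before a neighbor can form.
MUST_MATCH = ("interface type", "area id", "hello interval", "dead interval", "auth type")

def parse_ospf_interface(text):
    """Parse 'key:   value' lines of 'show routing protocol ospf interface' into a dict."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            params[m.group(1).strip().lower()] = m.group(2).strip()
    return params

def compare_ospf_interfaces(local_text, remote_text):
    """Return human-readable findings that would stop an adjacency from forming."""
    local, remote = parse_ospf_interface(local_text), parse_ospf_interface(remote_text)
    findings = []
    for key in MUST_MATCH:
        if local.get(key) != remote.get(key):
            findings.append(f"{key} mismatch: local={local.get(key)} remote={remote.get(key)}")
    for side, p in (("local", local), ("remote", remote)):
        if p.get("passive") == "yes":  # a passive interface never sends hellos
            findings.append(f"{side} interface {p.get('interface name')} is passive")
    return findings

if __name__ == "__main__":
    for finding in compare_ospf_interfaces(LOCAL, REMOTE):
        print(finding)
```

MTU is not in this command's output, so it still has to be compared from the interface configuration on each side.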

L0 Member

Re: Cannot get OSPF to work through a tunnel interface..

I apologize for not updating.  I was able to resolve the issue.  I ended up having to build a new tunnel interface on the Juniper side in order for OSPF to establish.  For some reason it seems to have been an issue with the Point to Multipoint tunnels that were set up on the Juniper.

Once I created the new tunnel, OSPF came up right away and has been working perfectly for a few weeks now.
