Cannot get OSPF to work through a tunnel interface..

mbehlok · ‎02-01-2012

Hello,

I have been working on my PA-500 trying to get OSPF to work through an IPSEC site to site VPN.

I cannot get OSPF to complete. Looking at the status, I see LSAs sent, but none received.

I verified that the other end is configured exactly the same, and even matched them to what I had in my old firewall that I just pulled out.

Any help appreciated, Do I need to enable OSPF on the interfaces somehow, like the Host inbound traffic command that Juniper uses on the SRX? It almost seems that something is blocking the LSAs from coming back from the far end, but I dunno because i have not done alot with OSPF.

Here are some commands that I ran in the CLI:

admin@PA-500> show routing protocol ospf summary

==========
router id:                     192.168.254.254
virtual router:                Default_VR
reject default route:          reject
redist default route:          block
RFC1583 behavior:              no
area border router:            no
AS border router:              yes
LS type 5 count:               1
LS type 11 count:              0
LS sent count:                 203
LS recv count:                 0
    area id:                     0.0.0.0
      interface:                 172.16.254.3
      interface:                 192.168.254.254
      dynamic neighbors:

admin@PA-500> show routing protocol ospf interface

==========
virtual router:                Default_VR
interface name:                tunnel.1
interface address:             172.16.254.3
interface type:                p2p
passive:                       no
area id:                       0.0.0.0
router priority:               1
status:                        p2p
transit delay:                 1
retry interval:                8
hello interval:                10
dead interval:                 40
IP of DR:                      0.0.0.0
IP of Backup DR:               0.0.0.0
LSA count:                     0
LSA refresh interval:          1800
auth type:                     none
interface metric:              100
==========
virtual router:                Default_VR
interface name:                vlan.1
interface address:             192.168.254.254
interface type:                p2p
passive:                       yes
area id:                       0.0.0.0
router priority:               1
status:                        p2p
transit delay:                 1
retry interval:                8
hello interval:                10
dead interval:                 40
IP of DR:                      0.0.0.0
IP of Backup DR:               0.0.0.0
LSA count:                     0
LSA refresh interval:          1800
auth type:                     none
interface metric:              10

admin@PA-500> show routing protocol ospf dumplsdb

VIRTUAL ROUTER: Default_VR (id 3)
==========
VR Area ID         Orig RTR ID     LS ID              LSA Type             Seq Number CheckSum   Age
3   0.0.0.0         192.168.254.254 192.168.254.254    type-1 (Router)      0x8000005F 0x00004D71 869
            Options: [External]
            Router LSA Options: [ASBR]
              Stub Network: 172.16.254.3 Netmask 255.255.255.192, tos 0, metric: 100
              Stub Network: 192.168.254.254 Netmask 255.255.255.0, tos 0, metric: 10

3                   192.168.254.254 192.168.254.0/24   type-5 (External)    0x8000002E 0x0000E2F2 869
            Options: [External]
            Mask 255.255.255.0, type 2, tos 0 metric: 255, forward 0.0.0.0, tag 0.0.0.0

admin@PA-500> show routing protocol ospf area

==========
virtual router:                Default_VR
area id:                       0.0.0.0
range:
Normal Area
accept summary:                yes
rounds of SPF calc:            3
area border routers:           0
AS border routers:             1
NSSA translator role:          candidate
NSSA translate status:         disabled
transit capability:            no
LSA refresh interval:          1800
LSA count:                     1
LSA count (type 1):            1
LSA count (type 2):            0
LSA count (type 3):            0
LSA count (type 4):            0
LSA count (type 7):            0
LSA count (type 10):           0

kbrazil · ‎02-29-2012

Hi there,

Looks like you are on the right track:

Tunnel interfaces are configured with IP addresses
Tunnel interfaces added to OSPF area
Make sure MTU's match
Make sure there are no secutity policies blocking OSPF traffic (any to any zone policies can cause issues)

Can't think of anything else off the top of my head, but have done this before so it should work.

Cheers,

Kelly

View solution in original post

licenselu · ‎02-02-2012

Hello,

First, check that OSPF area, interface type, authentication are the same.

Then, check if both MTU (of the tunnel interface) match. If not, adjaceny cannot be formed...

On SRX, if I'm wrong, MTU is set to 9000 bytes.

Hope it help.

Regards,

Hedi

rmnelson · ‎02-29-2012

When I do a "show routing protocol ospf area" on my PA5020 I see advertised networks under Range:. This may be a dumb question but do you have your PTP subnet advertised on each side?

kbrazil · ‎02-29-2012

Hi there,

Looks like you are on the right track:

Tunnel interfaces are configured with IP addresses
Tunnel interfaces added to OSPF area
Make sure MTU's match
Make sure there are no secutity policies blocking OSPF traffic (any to any zone policies can cause issues)

Can't think of anything else off the top of my head, but have done this before so it should work.

Cheers,

Kelly

mbehlok · ‎02-29-2012

I appologize for not updating. I was able to resolve the issue. I ended up having to build a new tunnel interface on the Juniper side in order for OSPF to establish. for soem reaosn it seems to have been an issue with the Point to Multipoint tunnels that were setup on the Juniper.

Once i created the new tunnel, OSPF came up right away and has been working perfectly for a few weeks now.

Unlock your full community experience!

Cannot get OSPF to work through a tunnel interface..

Cannot get OSPF to work through a tunnel interface..

Show your appreciation!