This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

OSPF adjacencies flapping caused by minor changes in Virtual Router.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

OSPF adjacencies flapping caused by minor changes in Virtual Router.

VMAntonenko
L1 Bithead

‎05-12-2017 12:12 AM

Hello.

 

There is a question about OSPF adjacency flapping caused by minor changes in OSPF process.

 

I planned data-center deployment of PA-5060 HA-cluster. In this plan PA-5060 needs to be attached to OSPF AREA 0, and multiple NSSA areas in different security  zones. Number of multiple areas non constant and in will be increasing in the future with deploying new DMZs.

 

When i configured this, i noticed that some changes in OSPF causes adjacancy reestablishing with peers when configuration is commiting.

 

For example: 

Creating new interface/subinterface and attacing it to existent OSPF area commits without interruption.

Creating new area, even without interfaces belongs to it, commits with reestablishing all existent OSPF adjacancies and service interruption.

 

Precisely OSPF peers receives one-way hello from PA (hello packet with empty neighbors list) and goes to Init state.

 

In this scenario deploying of any new DMZ will cause service interruption in whole data-center segment.

 

Is this a normal behaviour of PA? 

Are there any workarounds? GR or something.

 

I found an article in community.

https://live.paloaltonetworks.com/t5/Management-Articles/Commit-Causes-OSPF-Adjacencies-to-go-Down/t...

But it dated 2012. Is this fixed now?

 

Thanks in advance.

 

0 Likes Likes
3 REPLIES 3

pulukas
L7 Applicator

‎05-13-2017 06:59 AM

If this is still an issue, try testing with using eBGP and private ASN for your DMZ segments instead.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

nextgenhappines
L4 Transporter

‎05-13-2017 03:44 PM

I believe that issue is already resolved back in 6.0 or 6.1.    I am running on 7.1.9, I don't think I see any OSPF adjacencies flapping when we add or delete interface|subnet..

 

E

 

 

0 Likes Likes

VAntonenko
L1 Bithead
In response to nextgenhappines

‎05-15-2017 03:50 AM

nextgenhappines,

As I described, creating int/subint not cause flapping, but creating/deletting area, even without interfaces, leads to flapping.

My design assumes creating a new area for new DMZ.

 

I tested this case on PA-500 with software from 5.0.0 to 7.1.17, issue still exists.

 

So sad, it seems we'll have to make new design.

0 Likes Likes
  • 4091 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks