I would like to open this issue up for discussion, and possible resolution. We have an IPSec Tunnel between two Palo Alto Firewalls (PAN 3050 & PAN 820), and we advertise OSPF routes to interconnect both sites, over the tunnel. This was working fine for months with no issues. Four days ago, we upgraded the 3050 from PAN-OS 7.1 to PAN-OS 8.0.8, and since then our OSPF adjacencies have continuously dropped.
When the adjacency is up, the routes work fine, and traffic goes through the tunnel properly. However, they are not up for very long, and only a few successful pings get through. As a workaround we added static routes on both sides, which improved connectivity; however, this too was inconsistent.
Here's the catch: once we completely broke the OSPF Adjacency, the static routes worked perfectly -- remaining consistent with 100% ping success. I'm not sure what's going on. With both OSPF and static, the static will still take precedence (we have not changed Administrative Distance values). Why is it that static routes pointing traffic through the tunnel work only when OSPF is removed, but with OSPF and static, neither provides consistent connectivity over the tunnel?
The PAN engineers thought it was related to PAN-DB download causing CPU spikes. We deactivated the URL Filtering Licence and inserted a security rule to block the pancloud application, and this did not resolve the issue.
Has anybody else seen behavior like this, or have any inkling of what may be causing this issue? Any help or guidance is appreciated.
Are the PANs both running 8.0.8 or just the 3050? I have both models and OSPF between them using multiple links, i.e. p2p WAN links with VPNs. One issue I ran into was they were in different areas and the LSA updates became a problem. Are they in the same area?
Just some thoughts.
Thank you for your reply! They were at one point both running 8.0.8, however, we reverted the 3050 (that was recently upgraded) to 8.0.0 as a troubleshooting step; the PAN820 is still running 8.0.8.
Yes, the links are in the same area; I believe that is a requirement to become neighbors. I did go back and check to make sure all metric values (and area) were the same, and they are. I will point out, the physical WAN links on both ends are OSPF Passive interfaces only, to advertise their respective Networks.
The tunnel is formed between those two WAN links, and the tunnel interfaces on both ends are in Area 2, p2p.
I encountered this previously due to a change in default BFD behavior between 7.1 and 8.0 - check your BFD settings on the VR and your global settings - we had hard coded the global setting on one firewall to match the default, and left the other "default" so its setting changed when it was upgraded - this caused the OSPF adjacency to go down every time the BFD timer expired.
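As an added example (not from this thread, and not PAN-OS code or PAN-OS defaults), a small Python model of the failure mode described in the reply above: one firewall hard-codes a BFD setting while the other follows a platform default that changes on upgrade. The version keys and interval values are constructed; only the detection-time formula is taken from RFC 5880.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed per-version "defaults" (NOT real PAN-OS values). The only point
# is that a knob left on "default" resolves differently once the box upgrades.
DEFAULTS = {
    "7.1": {"enabled": False, "tx_ms": 1000, "rx_ms": 1000, "mult": 3},
    "8.0": {"enabled": True,  "tx_ms": 1000, "rx_ms": 1000, "mult": 3},
}

@dataclass(frozen=True)
class Bfd:
    enabled: bool
    tx_ms: int   # DesiredMinTxInterval this side offers
    rx_ms: int   # RequiredMinRxInterval this side will accept
    mult: int    # DetectMult this side advertises

def resolve(version: str, override: Optional[dict] = None) -> Bfd:
    """Effective BFD settings: hard-coded values win; anything not hard-coded
    follows the running version's default (this is what an upgrade changes)."""
    return Bfd(**{**DEFAULTS[version], **(override or {})})

def detection_time_ms(local: Bfd, remote: Bfd) -> int:
    """RFC 5880 section 6.8.4: local declares remote down after
    remote.DetectMult * max(local.RequiredMinRx, remote.DesiredMinTx)."""
    return remote.mult * max(local.rx_ms, remote.tx_ms)

def check_pair(a: Bfd, b: Bfd) -> list:
    """Findings to review before trusting an OSPF adjacency tied to BFD state.
    An empty list means both sides resolve to the same effective behavior."""
    findings = []
    if a.enabled != b.enabled:
        findings.append("bfd enabled on one side only: the session cannot reach Up, "
                        "so an OSPF adjacency that depends on BFD will not stay up")
    elif a.enabled:
        ta, tb = detection_time_ms(a, b), detection_time_ms(b, a)
        if ta != tb:  # not a protocol fault, but the two sides are not configured alike
            findings.append(f"asymmetric detection time: {ta} ms vs {tb} ms")
    return findings

def upgrade_scenario():
    """FW-A hard-codes the old default; FW-B is left on 'default'. Both agree
    before the upgrade; after FW-B moves to 8.0 only FW-B's setting changes."""
    fw_a = resolve("7.1", override=dict(DEFAULTS["7.1"]))   # explicitly pinned
    before = check_pair(fw_a, resolve("7.1"))                # FW-B on default, 7.1
    after = check_pair(fw_a, resolve("8.0"))                 # FW-B on default, 8.0
    return before, after

if __name__ == "__main__":
    for label, found in zip(("before", "after"), upgrade_scenario()):
        print(label, "upgrade:", found or ["ok"])
```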