11-21-2020 07:15 AM
I have a Palo Alto A/A HA configuration, each member with their own independent virtual router. The HA firewalls build an IPSEC tunnel to a branch Palo Alto firewall and have OSPF configured to advertise the HA firewall routes to the branch firewall, and the branch firewall to advertise its local connected routes back to the HA firewalls. All firewalls are in area ID 0.0.0.0.
Everything works as expected, except for one issue. HA firewalls advertise to the branch firewall, firewall advertises back to the HA firewalls, but for some reason the HA firewall routes advertised to the branch end up on each HA firewall too:
Screenshot is a snip of a route to a specific network on HA firewall A. First route is the local connected route, but the second route in the list is being learned from HA firewall B and incorrectly forwards traffic over the IPSEC tunnel interface (172.17.3.2).
Here is a snip from OSPF LSDB on HA firewall A 10.61.24.10. It should only be learning routes from branch firewall 10.52.24.10, not from HA firewall B 10.63.24.10
How can I stop the HA firewalls from learning OSPF routes being advertised by the partner firewall? Seemingly the unwanted advertised routes are being sent back from the branch firewall, but area route suppression has not made a difference.
04-06-2021 03:02 AM
An old post, but certainly worth unearthing!
The behaviour you are seeing is to be expected in an OSPF topology. For OSPF to function correctly each participating router in an area needs to have same LSDB contents. This, as you have seen can give sub-optimal routing paths as prefixes are advertised by seemingly distant routers.
You mention route suppression, but that will only work on an ABR, and as you said, all of the routers are in the same OSPF Area.
However, using redistribution profiles in this topology would be the wrong approach, as to stop HA-B learning HA-A prefixes, HA-A would need to filter those routes. You end up in the paradox where all of the External routes are being filtered by HA-A (and HA-B), leaving the branch with no External routes in its LSDB.
The remaining OSPF solution would be to place the branch firewall in a stub area. A stub area will not receive External routes (Type-5) and instead the HA firewalls will advertise a default route. The branch will continue to advertise Types 1,2 and 3 to the HA firewalls.
This solution will result in the HA firewalls not viewing the branch router as a transit path.
Another option would be to use eBGP. The BGP path selection would ensure that prefixes being received by the HA firewalls which originate from the opposing HA firewall via the branch firewall would be ignored due to the local AS appearing in the AS_PATH.
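As an added illustration of the eBGP option in the reply above (this is not code from the thread or from PAN-OS), the script below models the three firewalls as BGP speakers and applies the AS_PATH loop check: the HA pair share one AS, the branch sits in a second AS, and the AS numbers and prefixes are constructed for the example.

```python
# Added example: AS_PATH loop prevention in the HA-A / HA-B / branch topology.
# ASNs and prefixes are constructed for the illustration, not taken from the thread.
from dataclasses import dataclass, field

HA_AS = 65001      # assumed: both HA firewalls share this AS
BRANCH_AS = 65002  # assumed: the branch firewall is in its own AS

@dataclass
class Update:
    prefix: str
    as_path: tuple  # left-most entry is the AS that most recently forwarded it

@dataclass
class Router:
    name: str
    asn: int
    rib: dict = field(default_factory=dict)   # prefix -> (next hop, AS_PATH)
    rejected: list = field(default_factory=list)

    def originate(self, prefix):
        self.rib[prefix] = ("connected", ())

    def advertise(self, prefix):
        # eBGP prepends the local AS before sending to a neighbour
        return Update(prefix, (self.asn,) + self.rib[prefix][1])

    def receive(self, update, neighbor):
        # Loop prevention: an update whose AS_PATH already carries our own AS
        # is dropped. This is what keeps HA-B's prefixes, relayed by the
        # branch, from landing in HA-A's table (and vice versa).
        if self.asn in update.as_path:
            self.rejected.append((update.prefix, update.as_path))
            return False
        if update.prefix not in self.rib:
            self.rib[update.prefix] = (neighbor, update.as_path)
        return True

def run_topology():
    ha_a, ha_b = Router("HA-A", HA_AS), Router("HA-B", HA_AS)
    branch = Router("branch", BRANCH_AS)
    ha_a.originate("10.61.24.0/24")    # constructed sample prefixes
    ha_b.originate("10.63.24.0/24")
    branch.originate("10.52.24.0/24")
    # Each HA firewall peers only with the branch over its IPsec tunnel.
    for ha in (ha_a, ha_b):
        for p in list(ha.rib):
            branch.receive(ha.advertise(p), ha.name)
    # The branch re-advertises everything it knows back to both HA firewalls.
    for ha in (ha_a, ha_b):
        for p in list(branch.rib):
            ha.receive(branch.advertise(p), "branch")
    return ha_a, ha_b, branch
```

Running `run_topology()` leaves the branch with all three prefixes, while each HA firewall installs only the branch prefix and records the opposing HA firewall's prefix as rejected with AS_PATH (65002, 65001).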