I'm currently running 8.1.10 on PA-820 firewalls. They are in an A/P failover pair. Last night, all of a sudden, the primary firewall started showing "( eventid eq routed-OSPF-neighbor-down )" in the system logs and OSPF went down. I failed over to the secondary and connections were restored. These 2 firewalls are connected to 2 switchports which are both part of the same VLAN and SVI. I verified that both switchports are sending OSPF hello packets every 10 seconds and confirmed this in a packet capture. I interchanged the cables going to the firewalls between the switchports and that didn't recreate the issue, so this ruled out the switch/router from the equation.
I am wondering if this is a software bug? If it is, why didn't both firewalls get hit?
Or is it a hardware bug? Please post your ideas.
One switch or two switches?
Checked STP topology changes?
Checked logs on the switch?
Do you have EtherChannel configured?
Looking at the release notes, I can't spot any known issues related to OSPF.
@Nehmaan I interchanged the cables to make sure it's not a switching/routing issue. Last night, after a reboot and failover, the adjacency came back up again. So I think it's clearly a software bug.
Check your logs and (if this is an ISP link) get the ISP to check their router logs, to make sure you weren't hit by a UDP flood or other DoS/DDoS attack.
Prior to configuring Zone Protection and DoS Protection Profiles, and having our ISP configure DoS protection/monitoring on their end, we'd lose OSPF due to UDP floods preventing OSPF packets from getting through.
UDP flood attacks are generally very short in duration, under a minute or two, so they won't always show up in logs/monitoring tools unless you specifically look for them, but they'll easily saturate a gigabit link. We had several of these attacks over the past year, and our PA-3020s couldn't handle the traffic (overloading the session table) and we'd lose OSPF on our internal network. We switched to PA-5220s this fall, and still suffered OSPF drops due to link saturation on our gigabit link. We now have ZPP/DoS enabled, and our ISP is monitoring for DDoS attacks (anything over 3 minutes in length is automatically shut down at the ISP side).
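The reply above makes a point that is easy to miss when triaging a `routed-OSPF-neighbor-down` event: a flood shorter than the dead timer itself can still kill the adjacency, because OSPF only needs four consecutive hellos (40 seconds at the 10-second default) to go missing. The script below is an added example, not code from the thread or from Palo Alto Networks; it replays the OSPF dead timer over hello arrival times and checks whether each expiry overlaps a link-saturating burst in a per-second bit-rate series. The hello/dead intervals, the 1 Gbit/s link size and the sample timeline are all constructed assumptions; in practice the hello times would come from a packet capture on the OSPF interface and the rate series from interface counters or flow data.

```python
"""Correlate OSPF dead-timer expiries with short link-saturating bursts.

Added example (not from the original thread). Assumes OSPF default timers
(hello 10 s, dead 40 s) and a 1 Gbit/s link, matching the post above.
"""
from typing import Dict, List, Tuple

HELLO_INTERVAL = 10                  # OSPF default hello timer, seconds (assumed)
DEAD_INTERVAL = 4 * HELLO_INTERVAL   # OSPF default dead timer, seconds (assumed)
LINK_BPS = 1_000_000_000             # assumed 1 Gbit/s uplink, as in the post


def find_dead_timer_expiries(hello_times: List[float],
                             dead: float = DEAD_INTERVAL) -> List[Tuple[float, float]]:
    """Replay the OSPF dead timer over hello arrival times.

    Returns (last_hello, expiry) pairs: if no hello follows within `dead`
    seconds, the neighbor is declared down at last_hello + dead.
    """
    expiries = []
    times = sorted(hello_times)
    for prev, nxt in zip(times, times[1:]):
        if nxt - prev > dead:
            expiries.append((prev, prev + dead))
    return expiries


def saturated_intervals(rate_bps: List[float], link_bps: float = LINK_BPS,
                        fraction: float = 0.9) -> List[Tuple[int, int]]:
    """Find contiguous runs of seconds where offered load >= fraction of link.

    Index i of rate_bps is the bit rate observed during second i. Returned
    tuples are inclusive (start_second, end_second).
    """
    runs = []
    start = None
    for sec, bps in enumerate(rate_bps):
        hot = bps >= fraction * link_bps
        if hot and start is None:
            start = sec
        elif not hot and start is not None:
            runs.append((start, sec - 1))
            start = None
    if start is not None:
        runs.append((start, len(rate_bps) - 1))
    return runs


def correlate(hello_times: List[float], rate_bps: List[float]) -> List[Dict]:
    """For each neighbor-down event, report bursts overlapping the window
    [last_hello, expiry]; an overlap makes a flood the likely cause."""
    bursts = saturated_intervals(rate_bps)
    findings = []
    for last_hello, expiry in find_dead_timer_expiries(hello_times):
        overlap = [b for b in bursts if b[0] <= expiry and b[1] >= last_hello]
        findings.append({
            "last_hello": last_hello,
            "neighbor_down_at": expiry,
            "saturation_overlap": overlap,
            "likely_flood": bool(overlap),
        })
    return findings


# Constructed sample timeline (200 s): hellos every 10 s, except that a
# 55-second burst from t=105 to t=159 saturates the link and the hellos
# at 110..150 never make it through. The burst is shorter than two minutes,
# exactly the kind of event the post says rarely shows up in monitoring.
SAMPLE_HELLOS = [t for t in range(0, 200, 10) if not 105 <= t <= 159]
SAMPLE_RATE = [50_000_000.0] * 200      # idle baseline: 50 Mbit/s
for _sec in range(105, 160):
    SAMPLE_RATE[_sec] = 990_000_000.0   # burst: 99% of the link

if __name__ == "__main__":
    for finding in correlate(SAMPLE_HELLOS, SAMPLE_RATE):
        print(finding)
```

With the sample data the dead timer expires at t=140 (last hello at t=100 plus 40 seconds), and the burst window (105..159) overlaps it, so the event is flagged as a likely flood. A gap in hellos with no overlapping burst is still reported, just with `likely_flood` set to False, which is the case that points back at the firewall or its routing daemon rather than the link.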