This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

VM Series on ESXi not receving OSPF hello packets when connected to EVE-NG

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VM Series on ESXi not receving OSPF hello packets when connected to EVE-NG

Spiterman
L1 Bithead

‎05-26-2023 06:50 PM

Hello,

 

I have set up a PA-VM version 10.2.5 on VMware ESXi as I was not able to get it to work properly on EVE-NG. On ESXi I did the following:

 

  1. Added new Port Group to the Virtual Switch
  2. Added a Network Adapter to PA-VM and associated it to the new Port Group
    1. This is to configure an interface as Outside on the FW to connect it to my EVE-NG environment
  3. Added a 2nd Network Adapter to EVE-NG and associated it to the new Port Group
    1. This is to add a Network (Cloud1) on EVE-NG to link it the PA-VM

 

I have a Cisco vIOS router running Version 15.8(3)M2 that connects to (Cloud1) and in turn connects to other VMs on the same Port Group including a Cisco C9800-CL-K9_IOSXE. Version 16.12.4a, which can also run OSPF, running directly on my ESXi host, which I also added into the same Port Group.

 

I am able to form a full OSPF adjacency with the C9800, but am not able to do so with the PA-VM. The configuration on the PA-VM appears to be correct as I followed the steps to configure OSPF on the PA-VM and I am seeing the Hello messages arrive on the Cisco router running on EVE-NG as well as the C9800 running on ESXi.

 

From Cisco router on EVE-NG:

Spiterman_0-1685150873031.png

 

Spiterman_1-1685150979713.png

 

From C9800 on ESXi:

Spiterman_3-1685151199984.png

Spiterman_2-1685151179653.png

 

EVE-NG topology:

Spiterman_4-1685151332748.png

 

As you can see. This is a rather simple setup. It appears that the PA-VM is not receiving the Hello packets from the other devices and thus not responding with updated Hello packets to the other devices to include their own Router-IDs. Hence why the it remains in the INIT state.

 

Basically, the PA-VMs Hello messages get out, but it is not able to receive them so that it updates it own Hello messages to the other devices and thus proceed to the 2-WAY state and so on.

 

Has anyone seen this before? If so, can you help me out or provide some feedback as to what I can try?

 

I've included the PA-VM configuration.

 

Thank you all in advance!

 

 

 

Preview file
25 KB
0 Likes Likes
3 REPLIES 3

PavelK
Cyber Elite
Cyber Elite

‎05-31-2023 06:18 AM

Hello @Spiterman

 

could you please go through this KB ?

Could you also check whether intrazone-default security policy has action set to allow?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Spiterman
L1 Bithead
In response to PavelK

‎05-31-2023 07:21 AM

Hello Pavel,

I appreciate the suggestions.

 

I've reviewed the document regarding troubleshooting OSPF adjacencies. It is in fact very helpful. I'm lead to believe that the PA-VM is not receiving the OSPF hello packets and thus not including the other router's Router-ID in the hello packets. I've done Wireshark captures that show that the PA-VM does not initiate a unicast to the Cisco router.

 

The intrazone-default security policy action is set to allow. The behavior I'm seeing on the PA-VM is that traffic can exit but return traffic is not able to get through.

 

Are you aware of anything else that's worth checking out?

 

Regards 

0 Likes Likes

PavelK
Cyber Elite
Cyber Elite

‎05-31-2023 03:20 PM

Thank you for reply @Spiterman

 

To me it looks like that initial OSPF neighbor discovery to 224.0.0.5 does not get to PA-VM. Would it be possible to look into logs: tail follow yes mp-log routed.log to see whether it can provide more insight. Also, would it be possible for a test to change OSPF network type to p2mp (point to multipoint)? With this interface type you have to configure all neighbors manually and initial discovery will be sent by unicast instead of multicast. You will have to match the interface type on Cisco side (I think the interface type will be: ip ospf network point-to-multipoint non-broadcast).

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 2390 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks