Firepower defence OSPF md5 auth not working

FTD and OSPF MD5 authentication
Hi all,


I am trying to get OSPF authentication working between router 4451 interface and FTD 550x-X with FTD image, managed by FMC.

 

Connectivity works and the OSPF adjacency is also up when no authentication is used. So it's not any of the usual issues like MTU etc. When I switch to MD5, the adjacency is stuck at INIT.

Could someone advise where to look to remove this issue?

 

Kind regards

zee

 

Accepted Solutions

Re: Firepower defence OSPF md5 auth not working

There was a similar question asked (and answered) a couple of months ago.

Have you tried the recommended solution?

https://community.cisco.com/t5/firepower/ftd-and-ospf-md5-authentication/td-p/3404101

Re: Firepower defence OSPF md5 auth not working

Hi All,

Thanks for the help. I have found the solution under CSCvg78868. Just disable
the LLS TLV OSPF feature on the router side.

*Symptom:*
ASA with 9.3.1 or a later release discards OSPF hello packets; this is
usually seen after SW upgrades of the OSPF neighbor, i.e. any IOS-XE
device running on Polaris

2-way state is never reached, instead the OSPF session remains in
INIT/DROTHER and below error message is logged on the firewall:
ASA5525/act#OSPF: OSPF: Rcv pkt from ABC123 src 10.10.10.5 dst 224.0.0.6 id 10.10.10.5 type 4 if_state 5 : ignored due to unknown neighbor

*Conditions:*
OSPF speaker #1: ASA with 9.3.1 or a later release
OSPF speaker #2: Cisco IOS-XE router/switch running on 16.5.1 or later

ASR1K <--- OSPF ---> ASA FW

*Workaround:*
Workaround #1: disable LLS on interface-level
ASR1K(config)#int GigabitEthernet0/0/0.333
ASR1K(config-subif)#ip ospf lls disable

Workaround #2: disable LLS capability in the OSPF process
ASR1K(config)#router ospf 600 vrf VRF600
ASR1K(config-router)#no capability lls

Kind regards

Zeeshan


Re: Firepower defence OSPF md5 auth not working

Hi Marvin,
Thanks for the help. I have found the solution under CSCvg78868. Just disable the LLS TLV OSPF feature on the router side and it works.

Symptom:
ASA with 9.3.1 or a later release discards OSPF hello packets; this is usually seen after SW upgrades of the OSPF neighbor, i.e. any IOS-XE device running on Polaris

2-way state is never reached, instead the OSPF session remains in INIT/DROTHER and below error message is logged on the firewall:
ASA5525/act#OSPF: OSPF: Rcv pkt from ABC123 src 10.10.10.5 dst 224.0.0.6 id 10.10.10.5 type 4 if_state 5 : ignored due to unknown neighbor

Conditions:
OSPF speaker #1: ASA with 9.3.1 or a later release
OSPF speaker #2: Cisco IOS-XE router/switch running on 16.5.1 or later

ASR1K <--- OSPF ---> ASA FW

Workaround:
Workaround #1: disable LLS on interface-level
ASR1K(config)#int GigabitEthernet0/0/0.333
ASR1K(config-subif)#ip ospf lls disable

Workaround #2: disable LLS capability in the OSPF process
ASR1K(config)#router ospf 600 vrf VRF600
ASR1K(config-router)#no capability lls

Kind regards

Zeeshan
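
To confirm from a packet capture whether the router's Hellos still carry an LLS block after either workaround, the following check parses an OSPFv2 Hello using the RFC 2328 header layout and the RFC 5613 LLS block format. It is an added example, not code from the posts or from Cisco; the function names, the packet builder and all field values are constructed for illustration.

```python
import struct

L_BIT = 0x10  # RFC 5613: L-bit in the OSPFv2 Options field signals an LLS block
LLS_TLVS = {1: "Extended Options and Flags", 2: "Cryptographic Authentication"}

def inspect_hello(ospf: bytes) -> dict:
    """Inspect the OSPF payload of an IP packet (bytes after the IP header)."""
    version, ptype, pkt_len, _rid, _area, _cksum, autype = struct.unpack_from(
        "!BBH4s4sHH", ospf, 0)
    if version != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    # AuType 2 (MD5): digest follows the packet and is not counted in pkt_len.
    auth_len = ospf[19] if autype == 2 else 0
    info = {"autype": autype, "l_bit": bool(ospf[30] & L_BIT), "lls_tlvs": []}
    lls_off = pkt_len + auth_len  # LLS block sits after the digest
    if info["l_bit"] and len(ospf) >= lls_off + 4:
        _cksum, words = struct.unpack_from("!HH", ospf, lls_off)
        end = min(lls_off + words * 4, len(ospf))
        pos = lls_off + 4
        while pos + 4 <= end:
            tlv_type, length = struct.unpack_from("!HH", ospf, pos)
            info["lls_tlvs"].append(LLS_TLVS.get(tlv_type, f"type {tlv_type}"))
            pos += 4 + ((length + 3) & ~3)  # values are padded to 32 bits
    return info

def build_hello(autype: int, with_lls: bool) -> bytes:
    """Constructed sample Hello from 10.10.10.5; not a real capture."""
    options = 0x02 | (L_BIT if with_lls else 0)
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, options,
                       1, 40, bytes(4), bytes(4))
    auth = struct.pack("!HBBI", 0, 1, 16, 1) if autype == 2 else bytes(8)
    pkt = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body), bytes([10, 10, 10, 5]),
                      bytes(4), 0, autype) + auth + body
    if autype == 2:
        pkt += bytes(16)  # placeholder MD5 digest
    if with_lls:
        tlvs = struct.pack("!HHI", 1, 4, 1)
        if autype == 2:
            tlvs += struct.pack("!HHI", 2, 20, 1) + bytes(16)
        pkt += struct.pack("!HH", 0, (4 + len(tlvs)) // 4) + tlvs
    return pkt

if __name__ == "__main__":
    for lls in (True, False):
        print("LLS enabled" if lls else "LLS disabled", inspect_hello(build_hello(2, lls)))
```

With MD5 authentication and LLS enabled, the block reports both the L-bit and the extra TLVs appended after the digest; after `ip ospf lls disable` or `no capability lls`, the same check on the router's Hellos should show the L-bit clear and no TLVs.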
