Solved: Re: Firepower defence OSPF md5 auth not working

softwareadmin@netcomsecure.co. · ‎07-01-2019

FTD and OSPF MD5 authentication
Hi all,

I am trying to get OSPF authentication working between router 4451 interface and FTD 550x-X with FTD image, managed by FMC.

Connectivity works and also OSPF adjacency is up, without authentication is used. So it's not any of the usual issues like MTU etc. When I switch to MD5, adjacency is stuck at INIT.

could someone advise where to look to remove this issue.

Kind regards

zee

Marvin Rhoads · ‎07-01-2019

There was a similar question asked (and answered) a couple of months ago.

Have you tried the recommended solution?

https://community.cisco.com/t5/firepower/ftd-and-ospf-md5-authentication/td-p/3404101

View solution in original post

softwareadmin@netcomsecure.co. · ‎07-02-2019

Hi All,

Thanks for help. i have find out solution under CSCvg78868. just disable
the LLS TLV OSPF deature on the router side.

*Symptom:*
ASA with 9.3.1 or a later release discards OSPF hello packets; this is
usually seen after SW upgrades of the OSPF neighbor, i.e. any IOS-XE
device running on Polaris

2-way state is never reached, instead the OSPF session remains in
INIT/DROTHER and below error message is logged on the firewall:
ASA5525/act#OSPF: OSPF: Rcv pkt from ABC123 src 10.10.10.5 dst 224.0.0.6
id 10.10.10.5 type 4 if_state 5 : ignored due to unknown neighbor

*Conditions:*
OSPF speaker #1: ASA with 9.3.1 or a later release
OSPF speaker #2: Cisco IOS-XE router/switch running on 16.5.1 or later

ASR1K <--- OSPF ---> ASA FW

*Workaround:*
Workaround #1: disable LLS on interface-level
ASR1K(config)#int GigabitEthernet0/0/0.333
ASR1K(config-subif)#ip ospf lls disable

Workaround #2: disable LLS capability in the OSPF process
ASR1K(config)#router ospf 600 vrf VRF600
ASR1K(config-router)#no capability lls

Kind regards

Zeeshan

View solution in original post

softwareadmin@netcomsecure.co. · ‎07-02-2019

Hi Marvin,

Thanks for help. i have find out solution under CSCvg78868. just disable the LLS TLV OSPF feature on the router side and its work.

Symptom:
ASA with 9.3.1 or a later release discards OSPF hello packets; this is usually seen after SW upgrades of the OSPF neighbor, i.e. any IOS-XE device running on Polaris

2-way state is never reached, instead the OSPF session remains in INIT/DROTHER and below error message is logged on the firewall:
ASA5525/act#OSPF: OSPF: Rcv pkt from ABC123 src 10.10.10.5 dst 224.0.0.6 id 10.10.10.5 type 4 if_state 5 : ignored due to unknown neighbor

Conditions:
OSPF speaker #1: ASA with 9.3.1 or a later release
OSPF speaker #2: Cisco IOS-XE router/switch running on 16.5.1 or later

ASR1K <--- OSPF ---> ASA FW

Workaround:
Workaround #1: disable LLS on interface-level
ASR1K(config)#int GigabitEthernet0/0/0.333
ASR1K(config-subif)#ip ospf lls disable

Workaround #2: disable LLS capability in the OSPF process
ASR1K(config)#router ospf 600 vrf VRF600
ASR1K(config-router)#no capability lls

Kind regards

Zeeshan

View solution in original post

Marvin Rhoads · ‎07-01-2019

There was a similar question asked (and answered) a couple of months ago.

Have you tried the recommended solution?

https://community.cisco.com/t5/firepower/ftd-and-ospf-md5-authentication/td-p/3404101

softwareadmin@netcomsecure.co. · ‎07-02-2019

Hi All,

Thanks for help. i have find out solution under CSCvg78868. just disable
the LLS TLV OSPF deature on the router side.

*Symptom:*
ASA with 9.3.1 or a later release discards OSPF hello packets; this is
usually seen after SW upgrades of the OSPF neighbor, i.e. any IOS-XE
device running on Polaris

2-way state is never reached, instead the OSPF session remains in
INIT/DROTHER and below error message is logged on the firewall:
ASA5525/act#OSPF: OSPF: Rcv pkt from ABC123 src 10.10.10.5 dst 224.0.0.6
id 10.10.10.5 type 4 if_state 5 : ignored due to unknown neighbor

*Conditions:*
OSPF speaker #1: ASA with 9.3.1 or a later release
OSPF speaker #2: Cisco IOS-XE router/switch running on 16.5.1 or later

ASR1K <--- OSPF ---> ASA FW

*Workaround:*
Workaround #1: disable LLS on interface-level
ASR1K(config)#int GigabitEthernet0/0/0.333
ASR1K(config-subif)#ip ospf lls disable

Workaround #2: disable LLS capability in the OSPF process
ASR1K(config)#router ospf 600 vrf VRF600
ASR1K(config-router)#no capability lls

Kind regards

Zeeshan

softwareadmin@netcomsecure.co. · ‎07-02-2019

Hi Marvin,

Thanks for help. i have find out solution under CSCvg78868. just disable the LLS TLV OSPF feature on the router side and its work.

Symptom:
ASA with 9.3.1 or a later release discards OSPF hello packets; this is usually seen after SW upgrades of the OSPF neighbor, i.e. any IOS-XE device running on Polaris

2-way state is never reached, instead the OSPF session remains in INIT/DROTHER and below error message is logged on the firewall:
ASA5525/act#OSPF: OSPF: Rcv pkt from ABC123 src 10.10.10.5 dst 224.0.0.6 id 10.10.10.5 type 4 if_state 5 : ignored due to unknown neighbor

Conditions:
OSPF speaker #1: ASA with 9.3.1 or a later release
OSPF speaker #2: Cisco IOS-XE router/switch running on 16.5.1 or later

ASR1K <--- OSPF ---> ASA FW

Workaround:
Workaround #1: disable LLS on interface-level
ASR1K(config)#int GigabitEthernet0/0/0.333
ASR1K(config-subif)#ip ospf lls disable

Workaround #2: disable LLS capability in the OSPF process
ASR1K(config)#router ospf 600 vrf VRF600
ASR1K(config-router)#no capability lls

Kind regards

Zeeshan