02-07-2022 01:31 AM
Hi,
I am trying to migrate an ASA configuration to FTD for a customer, and one thing I cannot find how to enable is the command
"capability lls" that is present in the ASA. Also, it doesn't seem to work to enable both
"nsf cisco helper" and "nsf ietf helper" at the same time in FTD. They are both enabled in the ASA.
Here is the OSPF configuration from both devices with the difference highlighted.
ASA
area 101 nssa
nsf cisco helper
nsf ietf helper
capability opaque
capability lls
distance ospf intra-area 110 inter-area 110 external 110
no ignore lsa mospf
log-adj-changes
no redistribute connected
no redistribute static
FTD
area 101 nssa
no nsf Cisco helper
nsf ietf helper
capability opaque
no capability lls
distance ospf intra-area 110 inter-area 110 external 110
no ignore lsa mospf
log-adj-changes
no redistribute connected
no redistribute static
The customer has no idea if they use the lls function, but I want to make sure we're not missing any important setting.
Does anyone know where to enable LLS in the FMC?
Best regards
/Jorgen
02-07-2022 05:28 AM
FYSA:
capability lls: Enables Link Local Signaling (LLS), which is needed for Cisco graceful restart.
nsf cisco helper: Enables Cisco nonstop forwarding (NSF) helper mode. When the NSF-capable FTD device is performing graceful restart, the helper FTD devices assist in the nonstop forwarding recovery process.
Those configurations should be able to be configured in FMC under: Devices->Device Management->Routing->OSPF: 'Advanced'->Click Non Stop Forwarding tab.
From FTD CLI, verify ospf run config: > show running-config router ospf
02-07-2022 07:19 AM
@Mike.Cifelli Thank you for your answer. Do you know which options I should check on the NSF tab? Here are the options I use at the moment. Even though I have selected the NSF helper mode, it still says "no nsf Cisco helper". Also, which option should I select to enable LLS?
firepower# show running-config router ospf
router ospf 1
router-id 10.200.201.116
network 10.66.0.0 255.255.240.0 area 101
network 10.199.1.0 255.255.255.0 area 101
network 10.199.254.0 255.255.255.128 area 101
network 10.199.254.128 255.255.255.128 area 101
network 10.200.201.52 255.255.255.252 area 101
network 10.200.201.112 255.255.255.248 area 101
network 172.16.0.0 255.255.240.0 area 101
area 101 nssa
no nsf Cisco helper
no capability lls
log-adj-changes
Thanks
/Chess
02-10-2022 11:52 PM
I ended up removing the OSPF configuration and added it again. Using the exact same setting as above, I was now able to get the same configuration that I had in the ASA. Not sure why, but now it says both capability lls and nsf cisco helper.
Thanks
/Chess
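Added example, not part of the thread and not Cisco tooling: a small Python check that compares the OSPF sub-commands of the ASA and the FTD and reports every command whose enabled/negated state differs, which is the manual comparison done in the first post. The sample configs are shortened copies of the ones posted above; the function names are hypothetical.

```python
# Compare OSPF sub-commands between a source (ASA) and target (FTD) config.
# Sample input: shortened from the configs posted in the thread.
ASA_OSPF = """\
area 101 nssa
nsf cisco helper
nsf ietf helper
capability opaque
capability lls
log-adj-changes
no redistribute connected
"""

FTD_OSPF = """\
area 101 nssa
no nsf Cisco helper
nsf ietf helper
capability opaque
no capability lls
log-adj-changes
no redistribute connected
"""

def parse_settings(config):
    """Map each command (lower-cased, whitespace-normalized) to True when
    enabled or False when negated with a leading 'no'."""
    settings = {}
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue  # skip blank lines and comment separators
        enabled = words[0].lower() != "no"
        if not enabled:
            words = words[1:]
        if words:
            settings[" ".join(words).lower()] = enabled
    return settings

def migration_drift(source, target):
    """Return {command: (source_state, target_state)} for every command whose
    state differs. None means the command does not appear on that side, which
    may only reflect a default that the device does not print."""
    src, dst = parse_settings(source), parse_settings(target)
    return {cmd: (src.get(cmd), dst.get(cmd))
            for cmd in sorted(src.keys() | dst.keys())
            if src.get(cmd) != dst.get(cmd)}

if __name__ == "__main__":
    for cmd, (asa, ftd) in migration_drift(ASA_OSPF, FTD_OSPF).items():
        print(f"{cmd:<20} ASA={asa} FTD={ftd}")
```

Feeding it the output of "show running-config router ospf" from both devices after each FMC deployment shows whether "capability lls" and "nsf cisco helper" actually reached the FTD.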