Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
996
Views
10
Helpful
3
Replies

ASA vs FTD OSPF settings

Chess Norris
Level 4
Level 4

‎02-07-2022 01:31 AM

Hi,

I am trying to migrate ASA configuration to FTD for a customer and one thing I cannot find how to enable, is  the command 

"capability lls" that are present in the ASA. Also it doesn’t seems to work to enable both 

"nsf cisco helper" and "nsf ietf helper" at the same time in FTD. They are both enabled in the ASA. 

Here is the OSPF configuration from both devices with the difference highlighted.

 

ASA

area 101 nssa

nsf cisco helper

nsf ietf helper

capability opaque

capability lls

distance ospf intra-area 110 inter-area 110 external 110

no ignore lsa mospf

log-adj-changes

no redistribute connected

no redistribute static

 

FTD

area 101 nssa

no nsf Cisco helper

nsf ietf helper

capability opaque

no capability lls

distance ospf intra-area 110 inter-area 110 external 110

no ignore lsa mospf

log-adj-changes

no redistribute connected

no redistribute static

 

The customer have no idea if the use the lls function, but I want to make sure we're not missing any important setting.

Anyone know were to enable IIS in the FMC?

 

Best regards

/Jorgen

 

3 Replies 3

Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-07-2022 05:28 AM

FYSA:

  • capability lls . Enables Link Local Signaling (LLS), which is needed for Cisco graceful restart. 

  • nsf cisco helper . Enable Cisco nonstop forwarding (NSF) helper mode. When the NSF-capable FTD device is performing graceful restart, the helper FTD devices assist in the nonstop forwarding recovery process.

Those configurations should be able to be configured in FMC under: Devices->Device Management->Routing->OSPF: 'Advanced'->Click Non Stop Forwarding tab;

 

From FTD CLI, verify ospf run config: > show running-config router ospf

Chess Norris
Level 4
Level 4

‎02-07-2022 07:19 AM

@Mike.Cifelli Thank you for your answer. Do you know which options I should check on the NSF tab? Here is the options I use at the moment.  Even though I have selected the NSF helper mode, it still says "no nsf Cisco helper".  Also which option should I select to enable LLS? 

 

Skärmklipp.JPG

 

firepower# show running-config router ospf
router ospf 1
router-id 10.200.201.116
network 10.66.0.0 255.255.240.0 area 101
network 10.199.1.0 255.255.255.0 area 101
network 10.199.254.0 255.255.255.128 area 101
network 10.199.254.128 255.255.255.128 area 101
network 10.200.201.52 255.255.255.252 area 101
network 10.200.201.112 255.255.255.248 area 101
network 172.16.0.0 255.255.240.0 area 101
area 101 nssa
no nsf Cisco helper
no capability lls
log-adj-changes

 

Thanks

/Chess

0 Helpful

Chess Norris
Level 4
Level 4

‎02-10-2022 11:52 PM

I ended up removing the OSPF configuration and added it again. Using the exakt same setting as abowe, I was now able to get the same configuration that I had in the ASA. Not sure why, but now it says both capability lls and nsf cisco helper

 

Thanks

/Chess

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card