07-01-2019 06:39 AM - edited 02-21-2020 09:15 AM
FTD and OSPF MD5 authentication
Hi all,
I am trying to get OSPF authentication working between a 4451 router interface and an FTD 550x-X running the FTD image, managed by FMC.
Connectivity works and the OSPF adjacency comes up when no authentication is used, so it's not any of the usual issues like MTU etc. When I switch to MD5, the adjacency is stuck at INIT.
Could someone advise where to look to resolve this issue?
Kind regards
zee
07-01-2019 07:23 PM
There was a similar question asked (and answered) a couple of months ago.
Have you tried the recommended solution?
https://community.cisco.com/t5/firepower/ftd-and-ospf-md5-authentication/td-p/3404101
07-02-2019 12:40 AM
07-02-2019 12:42 AM
Hi Marvin,
Thanks for the help. I found the solution under CSCvg78868: just disable the LLS TLV OSPF feature on the router side and it works.
Symptom:
ASA with 9.3.1 or a later release discards OSPF hello packets; this is usually seen after SW upgrades of the OSPF neighbor, i.e. any IOS-XE device running on Polaris.
2-way state is never reached; instead the OSPF session remains in INIT/DROTHER and the error message below is logged on the firewall:
ASA5525/act#OSPF: OSPF: Rcv pkt from ABC123 src 10.10.10.5 dst 224.0.0.6 id 10.10.10.5 type 4 if_state 5 : ignored due to unknown neighbor
Conditions:
OSPF speaker #1: ASA with 9.3.1 or a later release
OSPF speaker #2: Cisco IOS-XE router/switch running on 16.5.1 or later
ASR1K <--- OSPF ---> ASA FW
Workaround:
Workaround #1: disable LLS on interface-level
ASR1K(config)#int GigabitEthernet0/0/0.333
ASR1K(config-subif)#ip ospf lls disable
Workaround #2: disable LLS capability in the OSPF process
ASR1K(config)#router ospf 600 vrf VRF600
ASR1K(config-router)#no capability lls
Kind regards
Zeeshan
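To confirm from a packet capture that the IOS-XE neighbor has actually stopped appending the LLS block after one of the workarounds above (rather than relying on the adjacency state alone), here is an added Python decoder for an OSPFv2 Hello with MD5 authentication. It is an example written for this thread, not code from the thread, from Cisco, or from the bug; the sample packet is constructed inline with a placeholder digest rather than taken from a real capture. The offsets follow RFC 2328 (header, cryptographic Authentication field, Hello body) and RFC 5613 (L-bit in Options; LLS block placed after the 16-byte MD5 digest, outside the OSPF packet length; TLV type 1 Extended Options and type 2 Cryptographic Authentication).

```python
"""Decode an OSPFv2 Hello and report whether it carries an LLS data block.
Added example; the sample packet is constructed by hand, not a real capture."""
import struct
import ipaddress

OSPF_HELLO = 1
AUTH_CRYPTO = 2       # AuType 2 = cryptographic (MD5) authentication
OPT_L = 0x10          # L-bit in Options: an LLS data block follows the packet
LLS_EXT_OPTIONS = 1   # Extended Options and Flags TLV (RFC 5613)
LLS_CRYPTO_AUTH = 2   # Cryptographic Authentication TLV (RFC 5613)


def parse_lls(block: bytes) -> list:
    """Split an LLS data block into (type, value) TLVs.
    Length field counts 32-bit words including checksum and length."""
    _cksum, words = struct.unpack("!HH", block[:4])
    end, off, tlvs = words * 4, 4, []
    while off + 4 <= end:
        ttype, tlen = struct.unpack("!HH", block[off:off + 4])
        tlvs.append((ttype, block[off + 4:off + 4 + tlen]))
        off += 4 + ((tlen + 3) & ~3)   # values are padded to a 32-bit boundary
    return tlvs


def parse_ospf_hello(pkt: bytes) -> dict:
    """Return the Hello fields that matter when an adjacency sticks in INIT."""
    ver, ptype, plen, rid, area, _cksum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    if ver != 2 or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    info = {"router_id": str(ipaddress.IPv4Address(rid)),
            "area": str(ipaddress.IPv4Address(area)),
            "autype": autype, "packet_len": plen}
    auth_len = 0
    if autype == AUTH_CRYPTO:
        # Authentication field: 2 zero bytes, Key ID, Auth Data Len, Crypto Seq
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
        info.update(key_id=key_id, crypto_seq=seq)
    _mask, hello_int, options, _prio, dead, _dr, _bdr = struct.unpack("!IHBBIII", pkt[24:44])
    nbr_count = (plen - 44) // 4
    info.update(hello_interval=hello_int, dead_interval=dead, options=options,
                lls_bit=bool(options & OPT_L),
                neighbors=[str(ipaddress.IPv4Address(n))
                           for n in struct.unpack("!%dI" % nbr_count, pkt[44:plen])])
    # With MD5 the digest sits right after the packet; LLS comes after the digest
    lls_start = plen + auth_len
    info["lls_present"] = len(pkt) > lls_start
    info["lls_tlvs"] = parse_lls(pkt[lls_start:]) if info["lls_present"] else []
    return info


def lls_verdict(pkt: bytes) -> str:
    """One-line answer to 'is the neighbor still sending LLS?'"""
    info = parse_ospf_hello(pkt)
    return "LLS in use" if (info["lls_bit"] or info["lls_present"]) else "no LLS"


def build_sample_hello(with_lls: bool) -> bytes:
    """Constructed MD5-authenticated Hello from 10.10.10.5 (digest is a placeholder)."""
    me, nbr = int(ipaddress.IPv4Address("10.10.10.5")), int(ipaddress.IPv4Address("10.10.10.1"))
    plen = 24 + 20 + 4                      # header + hello body + one neighbor
    options = 0x02 | (OPT_L if with_lls else 0)   # E-bit, plus L-bit when LLS follows
    hdr = struct.pack("!BBHIIHH", 2, OSPF_HELLO, plen, me, 0, 0, AUTH_CRYPTO)
    auth = struct.pack("!HBBI", 0, 1, 16, 0x5D1A0001)          # key id 1, 16-byte digest
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, options, 1, 40, me, 0)
    body += struct.pack("!I", nbr)
    pkt = hdr + auth + body + b"\x11" * 16   # fake digest, not a real MD5
    if with_lls:
        tlv1 = struct.pack("!HHI", LLS_EXT_OPTIONS, 4, 0x00000001)                # LR bit
        tlv2 = struct.pack("!HHI", LLS_CRYPTO_AUTH, 20, 0x5D1A0001) + b"\x22" * 16
        lls_body = tlv1 + tlv2
        pkt += struct.pack("!HH", 0, (4 + len(lls_body)) // 4) + lls_body   # checksum 0 under MD5
    return pkt


if __name__ == "__main__":
    for flag in (True, False):
        print(lls_verdict(build_sample_hello(flag)), parse_ospf_hello(build_sample_hello(flag)))
```

Feed `parse_ospf_hello` the OSPF payload (bytes after the IP header) of a Hello taken from the FTD or router side; if `lls_bit` or `lls_present` is still true after the workaround, the change did not take effect on the interface or process that actually sends the Hello (e.g. the wrong sub-interface or VRF).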