Firepower defence OSPF md5 auth not working

FTD and OSPF MD5 authentication
Hi all,

I am trying to get OSPF authentication working between a 4451 router interface and an FTD 550x-X running the FTD image, managed by FMC.

Connectivity works and the OSPF adjacency comes up when no authentication is used, so it's not any of the usual issues like MTU etc. When I switch to MD5, the adjacency is stuck in INIT.

Could someone advise where to look to resolve this issue?

Kind regards

zee

Accepted Solutions

Marvin Rhoads (Hall of Fame)

There was a similar question asked (and answered) a couple of months ago.

Have you tried the recommended solution?

https://community.cisco.com/t5/firepower/ftd-and-ospf-md5-authentication/td-p/3404101


Hi all,

Thanks for the help. I found the solution under CSCvg78868: just disable the LLS TLV OSPF feature on the router side.

Symptom:
ASA with 9.3.1 or a later release discards OSPF hello packets; this is usually seen after SW upgrades of the OSPF neighbor, i.e. any IOS-XE device running on Polaris.

2-Way state is never reached; instead the OSPF session remains in INIT/DROTHER and the error message below is logged on the firewall:
ASA5525/act#OSPF: OSPF: Rcv pkt from ABC123 src 10.10.10.5 dst 224.0.0.6 id 10.10.10.5 type 4 if_state 5 : ignored due to unknown neighbor

Conditions:
OSPF speaker #1: ASA with 9.3.1 or a later release
OSPF speaker #2: Cisco IOS-XE router/switch running on 16.5.1 or later

ASR1K <--- OSPF ---> ASA FW

Workaround:
Workaround #1: disable LLS on interface-level
ASR1K(config)#int GigabitEthernet0/0/0.333
ASR1K(config-subif)#ip ospf lls disable

Workaround #2: disable LLS capability in the OSPF process
ASR1K(config)#router ospf 600 vrf VRF600
ASR1K(config-router)#no capability lls

Kind regards

Zeeshan
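As an added example (not code from this thread, from Cisco, or from the bug report above), here is a small Python dissector for the packets the workaround is about. It constructs an OSPFv2 Hello with RFC 2328 Appendix D MD5 authentication and an RFC 5613 LLS data block, verifies the digest over exactly the bytes the header's length field names (the 16-byte trailer and the LLS block sit outside the digested data), parses the LLS TLVs, and produces the same Hello as a router sends it once LLS is disabled: L-bit clear in Options, no trailing block, digest recomputed. The key, router ID and TLV contents are constructed for the example; the synthetic LLS block carries only an Extended Options TLV and no type-2 Cryptographic Authentication TLV, which the parser would list but does not verify.

```python
"""Dissect an OSPFv2 Hello carrying RFC 2328 Appendix D (MD5) authentication
and an RFC 5613 LLS data block, and show the same Hello with LLS disabled.
Added example with constructed bytes; nothing is captured from the thread."""
import hashlib
import socket
import struct

OSPF_HDR_LEN = 24
AUTYPE_CRYPTO = 2           # AuType 2 = cryptographic authentication
OPT_E_BIT = 0x02
OPT_L_BIT = 0x10            # Options L-bit: an LLS block follows the packet
LLS_TLV_NAMES = {1: "Extended Options and Flags", 2: "Cryptographic Authentication"}
DEMO_KEY = b"ospf-md5-key"  # constructed for the example, not the thread's key


def md5_digest(pkt: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the OSPF packet ('length' bytes, header
    included) followed by the key zero-padded to 16 octets. The digest
    trailer and any LLS block are outside the digested data."""
    return hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by the LLS block header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_lls_block(tlvs) -> bytes:
    """LLS header (checksum, length in 32-bit words) + TLVs padded to 32 bits."""
    body = b""
    for ttype, value in tlvs:
        body += struct.pack("!HH", ttype, len(value)) + value + b"\x00" * ((-len(value)) % 4)
    block = struct.pack("!HH", 0, (4 + len(body)) // 4) + body
    return struct.pack("!H", ip_checksum(block)) + block[2:]


def build_hello(key: bytes, router_id: str = "10.10.10.5", seq: int = 1, lls: bool = True) -> bytes:
    """Constructed Hello: Key ID 1, 16-byte digest, E-bit, and (if lls) the L-bit
    plus an LLS block with an Extended Options TLV (type 1, LR-bit). A real
    IOS-XE Hello with MD5 auth also carries a type-2 CA-TLV, not generated here."""
    options = OPT_E_BIT | (OPT_L_BIT if lls else 0)
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 10,
                       options, 1, 40, socket.inet_aton(router_id), b"\x00" * 4)
    length = OSPF_HDR_LEN + len(body)
    hdr = struct.pack("!BBH4s4sHHHBBI", 2, 1, length, socket.inet_aton(router_id),
                      b"\x00" * 4, 0, AUTYPE_CRYPTO, 0, 1, 16, seq)
    frame = hdr + body + md5_digest(hdr + body, key)
    if lls:
        frame += build_lls_block([(1, struct.pack("!I", 0x1))])
    return frame


def split_frame(frame: bytes):
    """(authenticated packet, MD5 trailer, trailing LLS bytes), sliced by the
    header's length and Auth Data Len fields rather than by what arrived."""
    length = struct.unpack("!H", frame[2:4])[0]
    auth_len = frame[19]                        # Auth Data Len byte of the header
    return frame[:length], frame[length:length + auth_len], frame[length + auth_len:]


def parse_hello(frame: bytes, key: bytes) -> dict:
    """Verify the Appendix D digest and report what sits behind it."""
    pkt, trailer, rest = split_frame(frame)
    ver, ptype, _l, rid, _area, _ck, autype, _z, key_id, _al, seq = \
        struct.unpack("!BBH4s4sHHHBBI", pkt[:OSPF_HDR_LEN])
    if ver != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    options = pkt[OSPF_HDR_LEN + 6]             # after mask(4) + HelloInterval(2)
    info = {"router_id": socket.inet_ntoa(rid), "key_id": key_id, "seq": seq,
            "l_bit": bool(options & OPT_L_BIT),
            "md5_ok": autype == AUTYPE_CRYPTO and trailer == md5_digest(pkt, key),
            "lls_present": len(rest) >= 4, "lls_checksum_ok": None, "lls_tlvs": []}
    if info["lls_present"]:
        cksum, words = struct.unpack("!HH", rest[:4])
        block = rest[:words * 4]
        if cksum:   # RFC 5613 2.5: a CA-TLV-authenticated block carries checksum 0
            info["lls_checksum_ok"] = ip_checksum(block) == 0
        off = 4
        while off + 4 <= len(block):
            ttype, tlen = struct.unpack("!HH", block[off:off + 4])
            info["lls_tlvs"].append((ttype, LLS_TLV_NAMES.get(ttype, "unknown"),
                                     block[off + 4:off + 4 + tlen]))
            off += 4 + (tlen + 3) // 4 * 4      # TLV values are padded to 32 bits
    return info


def strip_lls(frame: bytes, key: bytes) -> bytes:
    """The same Hello as sent with LLS disabled: L-bit cleared, no LLS block,
    digest recomputed over the modified packet."""
    pkt = bytearray(split_frame(frame)[0])
    pkt[OSPF_HDR_LEN + 6] &= ~OPT_L_BIT & 0xFF
    return bytes(pkt) + md5_digest(bytes(pkt), key)


if __name__ == "__main__":
    hello = build_hello(DEMO_KEY)
    print("LLS on :", parse_hello(hello, DEMO_KEY))
    print("LLS off:", parse_hello(strip_lls(hello, DEMO_KEY), DEMO_KEY))
```

To use it on real traffic, feed `parse_hello` the OSPF payload of a Hello taken from a capture (for instance one written with `tcpdump -w`) together with the configured key: `l_bit` and `lls_present` tell you whether the router is still appending an LLS block after `ip ospf lls disable` or `no capability lls`, and `md5_ok` confirms the key and Key ID match independently of what the firewall logs.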

