Re: PIX, OSPF routing choices.

john.pierson · ‎01-29-2004

Hi,

We have two main sites with a PIX515 in each site. Both Inside interfaces are on the backbone OSPF area (0) & the Outside Interfaces are in different OSPF areas (51 & 53). The two sites are connected together by our internal network on the Inside interfaces. We have a sattelite site which connects to both sites on the outside interfaces & the route to this site originates as a RIP2 route & is imported into OSPF & distributed to the PIX's on the outside Interface & redistributed to the Inside Interface.

The problem we are hitting is that both or one of the PIX's will sometimes decide the route to the

sattelite site is over the internal network to the other PIX & then to the sattelite site (With a cost of 353) rather than straight over the Outside network (cost 30).

In debug you can see the correct Type 5 LSA comes in & be used (cost 30). Then the LSA type 5 comes in straight afterwards on the inside interface as the update goes around the internal network (from the other firewall) & is used as the preferred route (cost 353).

Do PIX's prioritise routing updates from inside networks? Anyone have any ideas why it would behave this way?

Thanks, John.

drolemc · ‎02-04-2004

The OSPF route preference is in the following order: O, O IA, OE1, OE2. My understanding is that when an inter area route is learned from two neighbors, OSPF tries to take the shortest path out to the backbone and it is this behaviour that might be causing the behaviour that you area seeing.

vinhnguyen · ‎05-30-2004

Hi

Does anyone know where I could get the information describe above by drolemc. This information is important for us.