
Trouble with OSPF in Firepower

engineer467
Level 1

I have a Firepower running OS 6.4 and am trying to configure basic OSPF, but it's not working. I get this: "Area BACKBONE(0) (Inactive)". Not sure what to check now.

Below is the output of show ospf:

 

Routing Process "ospf 1" with ID xx.xx.xx.xx
Start time: 12w3d, Time elapsed: 01:15:46.160
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
It is an autonomous system boundary router
Redistributing External Routes from,
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Initial LSA throttle delay 0 msecs
Minimum hold time for LSA throttle 5000 msecs
Maximum wait time for LSA throttle 5000 msecs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 1. Checksum Sum 0xbed8
Number of opaque AS LSA 0. Checksum Sum 0x0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Reference bandwidth unit is 100 mbps
Area BACKBONE(0) (Inactive)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm last executed 01:15:41.160 ago
SPF algorithm executed 1 times
Area ranges are
Number of LSA 1. Checksum Sum 0xdb44
Number of opaque link LSA 0. Checksum Sum 0x0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

Accepted Solutions

OSPF header errors
Length 0, Auth Type 0, Checksum 0, Version 0,
Bad Source 0, No Virtual Link 0, Area Mismatch 0,
No Sham Link 0, Self Originated 0, Duplicate ID 0,
Hello 0, MTU Mismatch 0, Nbr Ignored 0,
LLS 0, Unknown Neighbor 0, Authentication 248,

 

This shows an authentication issue, maybe the key?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


26 Replies

balaji.bandi
Hall of Fame
"Area BACKBONE(0) (Inactive)". 

What is the device on the other side? What message are you getting from the other side?

 

Check this good video:

 

http://www.labminutes.com/sec0240_ftd_61_routing_ospf_1

 

BB


That is a challenge, I do not have access to the other side device.

It's a router, ISR4331.

Actually I have replaced the ASA with firepower, OSPF is the only thing not coming up.

Check the video, check the config, and make sure it is configured correctly:

 

It says "autonomous system boundary router".

 

Do you have an old ASA config?

 

Post the config below:

> show runn router ospf

> show ospf neig

BB


Yes, I have it:

 

interface GigabitEthernet1/2
nameif LAN
security-level 100
ip address 10.xx.xx.xx 255.255.255.0
ospf authentication-key *****
ospf authentication message-digest

 

router ospf 1
router-id xx.xx.xx.xx
network xx.xx.xx.xx 255.255.255.0 area 0
log-adj-changes
default-information originate metric 100000

 

 

OK, post from the FTD below:

 

> show runn router ospf

> show ospf neig

BB


And this is from the Firepower CLI:

 

interface Ethernet1/2
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address xx.xx.xx.xx
ospf message-digest-key 7 md5 *****
ospf authentication message-digest

 

router ospf 1
router-id xx.xx.xx.xx
network xx.xx.xx.xx 255.255.255.0 area 0
area 0
timers throttle lsa 0 5000 5000
log-adj-changes detail
default-information originate metric 100000 metric-type 2

The old one has this:

 

ospf authentication-key *****
ospf authentication message-digest

 

The new one:

 

ospf message-digest-key 7 md5 *****  (do it normally, without the 7; try and check)
ospf authentication message-digest

 

BB


Let me try it now.

When you select this option, two commands are added: ospf authentication and ospf authentication-key key. Click the variable to configure the following:

  • key — Select the secret key object that contains the password. The password can be up to 8 characters. You can include blank space between two characters. Spaces at the beginning or end of the password are ignored. If the object does not yet exist, click Create New Secret Key at the bottom of the list and create it now.

When you select this option, two commands are added: ospf authentication message-digest and ospf message-digest-key key-id md5 key. Click the variables to configure the following:

  • key-id — The authentication key ID number, from 1 to 255. You must configure the neighbor router with the same key ID and associated MD5 key.

  • key — Select the secret key object that contains the MD5 key. The key is an alphanumeric password up to 16 characters. You can include spaces between characters. Spaces at the beginning or end of the key are ignored. If the object does not yet exist, click Create New Secret Key at the bottom of the list and create it now.

BB
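
Why the neighbor needs both the same key ID and the same MD5 key, shown as an added example (not from the thread or from Cisco documentation): it builds an OSPFv2 hello with the cryptographic authentication trailer described in RFC 2328 Appendix D and runs the receiver-side checks against different key tables. The router ID, secrets and all-zero hello body are constructed values.

```python
import hashlib
import hmac
import struct

AUTYPE_MD5 = 2  # RFC 2328 AuType 2, cryptographic authentication

def pad_key(secret):
    # The MD5 key is at most 16 characters and is zero-padded to 16 bytes.
    return secret.encode().ljust(16, b"\0")[:16]

def build_packet(body, key_id, secret, seq, router_id=b"\x0a\x00\x00\x01"):
    """Sender side: OSPFv2 header with crypto auth fields, digest appended."""
    length = 24 + len(body)  # the trailing digest is not counted in the length
    header = struct.pack("!BBH4s4sHH", 2, 1, length, router_id,
                         b"\0" * 4, 0, AUTYPE_MD5)      # type 1 = hello, area 0
    header += struct.pack("!HBBI", 0, key_id, 16, seq)  # key ID travels in clear
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(secret)).digest()

def verify_packet(raw, keys, last_seq=0):
    """Receiver side. keys maps each configured key ID to its secret."""
    length, autype = struct.unpack("!2xH8x2xH", raw[:16])
    if autype != AUTYPE_MD5:
        return "auth type mismatch"
    key_id, digest_len, seq = struct.unpack("!2xBBI", raw[16:24])
    if key_id not in keys:              # the secret is never even consulted
        return f"no key for key ID {key_id}"
    if seq < last_seq:                  # replay protection
        return "old sequence number"
    expected = hashlib.md5(raw[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, raw[length:length + digest_len]):
        return "digest mismatch"
    return "accepted"

HELLO_BODY = bytes(20)  # constructed placeholder for the hello fields
PACKET = build_packet(HELLO_BODY, key_id=7, secret="constructed-key", seq=1)

if __name__ == "__main__":
    for keys in ({7: "constructed-key"}, {1: "constructed-key"}, {7: "another-key"}):
        print(keys, "->", verify_packet(PACKET, keys))
```
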


It looks something like this now:

 

interface Ethernet1/2
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address xx
ospf authentication-key *****
ospf authentication

Sure, what is the outcome:

 

> show ospf neig

BB


Shows blank output.

 

 

 

> show ospf traffic

Post the above output. Hope you are able to ping the other side's IP address?

BB


Yes, it pings.

 

Output:

 

OSPF Router with ID (xx) (Process ID 1)

OSPF queue statistics for process ID 1:

InputQ UpdateQ OutputQ
Limit 0 200 0
Drops 0 0 0
Max delay [msec] 0 0 0
Max size 1 0 1
Invalid 0 0 1
Hello 1 0 0
DB des 0 0 0
LS req 0 0 0
LS upd 0 0 0
LS ack 0 0 0
Current size 0 0 0
Invalid 0 0 0
Hello 0 0 0
DB des 0 0 0
LS req 0 0 0
LS upd 0 0 0
LS ack 0 0 0


Interface statistics:


Interface inside

Last clearing of interface traffic counters never

OSPF packets received/sent
Type Packets Bytes
RX Invalid 0 0
RX Hello 0 0
RX DB des 0 0
RX LS req 0 0
RX LS upd 0 0
RX LS ack 0 0
RX Total 0 0

TX Failed 0 0
TX Hello 249 21304
TX DB des 0 0
TX LS req 0 0
TX LS upd 0 0
TX LS ack 0 0
TX Total 249 21304

OSPF header errors
Length 0, Auth Type 0, Checksum 0, Version 0,
Bad Source 0, No Virtual Link 0, Area Mismatch 0,
No Sham Link 0, Self Originated 0, Duplicate ID 0,
Hello 0, MTU Mismatch 0, Nbr Ignored 0,
LLS 0, Unknown Neighbor 0, Authentication 248,
TTL Check Fail 0

OSPF LSA errors
Type 0, Length 0, Data 0, Checksum 0

 

Summary traffic statistics for process ID 1:

OSPF packets received/sent

Type Packets Bytes
RX Invalid 0 0
RX Hello 0 0
RX DB des 0 0
RX LS req 0 0
RX LS upd 0 0
RX LS ack 0 0
RX Total 0 0

TX Failed 0 0
TX Hello 249 21304
TX DB des 0 0
TX LS req 0 0
TX LS upd 0 0
TX LS ack 0 0
TX Total 249 21304

OSPF header errors
Length 0, Auth Type 0, Checksum 0, Version 0,
Bad Source 0, No Virtual Link 0, Area Mismatch 0,
No Sham Link 0, Self Originated 0, Duplicate ID 0,
Hello 0, MTU Mismatch 0, Nbr Ignored 0,
LLS 0, Unknown Neighbor 0, Authentication 248,
TTL Check Fail 0

OSPF LSA errors
Type 0, Length 0, Data 0, Checksum 0
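
The counters that the accepted solution points at can be pulled out of `show ospf traffic` automatically. This added example (not part of the original thread) parses a constructed sample trimmed from the output above and flags every non-zero header-error counter; reading hellos sent, none accepted and a non-zero Authentication counter as an authentication mismatch follows the accepted answer.

```python
import re

# Constructed sample, trimmed from the `show ospf traffic` output posted above.
SAMPLE = """\
RX Hello 0 0
RX Total 0 0
TX Hello 249 21304
TX Total 249 21304
OSPF header errors
Length 0, Auth Type 0, Checksum 0, Version 0,
Bad Source 0, No Virtual Link 0, Area Mismatch 0,
No Sham Link 0, Self Originated 0, Duplicate ID 0,
Hello 0, MTU Mismatch 0, Nbr Ignored 0,
LLS 0, Unknown Neighbor 0, Authentication 248,
TTL Check Fail 0
OSPF LSA errors
Type 0, Length 0, Data 0, Checksum 0
"""

def parse_traffic(text):
    """Return (packet counters, header-error counters) as two dicts."""
    packets, errors, in_errors = {}, {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("OSPF header errors"):
            in_errors = True
        elif line.startswith("OSPF LSA errors"):
            in_errors = False
        elif in_errors:
            # Counters are "Name N" pairs separated by commas, names may have spaces.
            for name, n in re.findall(r"([A-Za-z][A-Za-z ]*?) (\d+)(?:,|$)", line):
                errors[name] = int(n)
        else:
            m = re.match(r"(RX|TX) (.+?) (\d+) (\d+)$", line)
            if m:
                packets[f"{m[1]} {m[2]}"] = int(m[3])
    return packets, errors

def diagnose(text):
    packets, errors = parse_traffic(text)
    findings = [f"{name}: {n} packets rejected" for name, n in errors.items() if n]
    if packets.get("TX Hello") and not packets.get("RX Hello") and errors.get("Authentication"):
        findings.append("hellos sent but none accepted: compare authentication "
                        "type, key ID and key with the neighbor")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE)))
```
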
