
OSPF ABR not getting updated

Chris_78
Level 1

Hi Guys 

Below is my topology (sorry for the noobish drawing). For some reason router B can't get any advertisements from router C. The only way to get that to work is if I redistribute the directly connected networks on router C... Both devices are in Full status and this is a broadcast network. I believe something is wrong with this design. Any info is greatly appreciated!

Regards!

Chris

ospf-topology.PNG

 

 

13 Replies

evlaa1990
Level 1

Can you post the config of router B & C? 

Are the interfaces between Server (in green) and 10.13.0.0/23 (in blue) UP/UP? 

 

 

I won't be able to post the config since these are not Cisco devices. :(
and yes the interfaces are up!

Router C is considered as Backup DR vs Router B DR if that makes sense

OK - what type of devices are they? 

Assuming router B connects to servers via another device/ network, is that running OSPF? Area set correctly, forming neighbour relation correctly? Same with the other network? 

Hello


@Chris_78 wrote: I believe something is wrong with this design. Any info is greatly appreciated


 

Not really. However, in relation to the OSPF advertisement this should work, but not knowing the vendor platform it would be hard to tell what's going on.

It would be nice to know how you are advertising these external networks from A & C?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Ok here is the truth :)) :
Router A is a Nexus 3k switch with a vPC connection towards router B, which is a Palo Alto firewall; as you may guess already, router C is also a Palo Alto firewall.
I’m advertising both subnets on the (so called) router A to router B via 2 separate uplinks - these are area 2.2.2.2 (for some reason didn’t show on the pic) and 3.3.3.3 but NOT area 0.0.0.0.
All devices are coded with RFC 1583 compatibility command.


What is the link type set to on the Palo? Broadcast? P2P?

 

Can you see LSAs being sent between devices if you capture packets?

 

Do the routes show in the LSDB but not get added to the routing table?

Type everywhere is set to Broadcast 

And here is output from Router B:

 

 

router B> show routing protocol ospf lsdb


VIRTUAL ROUTER: default (id 1)
==========
VR Area ID Orig RTR ID LS ID LSA Type Seq Number CheckSum Age Size
1 0.0.0.0 1.1.1.3 1.1.1.3 type-1 (Router) 0x800001E6 0x0000ABC9 1014 36
1 0.0.0.0 1.1.1.4 1.1.1.4 type-1 (Router) 0x800001E6 0x0000A6CC 1020 36
1 0.0.0.0 1.1.1.3 10.0.100.1/29 type-2 (Network) 0x80000010 0x0000C00F 1019 32
1 0.0.0.0 1.1.1.3 10.18.18.0/23 type-3 (Summary) 0x800001DC 0x000055C5 1562 28
1 0.0.0.0 1.1.1.3 10.22.22.0/23 type-3 (Summary) 0x800001DC 0x0000F81A 1562 28
1 0.0.0.0 1.1.1.3 10.99.99.0/29 type-3 (Summary) 0x800001DD 0x00004E57 476 28
1 0.0.0.0 1.1.1.3 10.99.99.8/29 type-3 (Summary) 0x800001DD 0x0000FD9F 476 28
1 0.0.0.0 1.1.1.3 172.16.2.0/23 type-3 (Summary) 0x80000195 0x00006A67 3 28
1 0.0.0.0 1.1.1.3 192.168.1.0/24 type-3 (Summary) 0x800001DD 0x0000D30B 476 28
1 2.2.2.2 1.1.1.1 1.1.1.1 type-1 (Router) 0x80000503 0x0000BFE4 784 60
1 2.2.2.2 1.1.1.2 1.1.1.2 type-1 (Router) 0x80000474 0x0000C676 800 72
1 2.2.2.2 1.1.1.3 1.1.1.3 type-1 (Router) 0x8000046F 0x00003FE5 1567 36
1 2.2.2.2 1.1.1.3 10.99.99.1/29 type-2 (Network) 0x800001EA 0x0000A8E2 1369 36
1 2.2.2.2 1.1.1.3 10.0.100.0/29 type-3 (Summary) 0x800001DC 0x0000ED1B 1562 28
1 2.2.2.2 1.1.1.3 10.99.99.8/29 type-3 (Summary) 0x800001DD 0x0000FD9F 476 28
1 2.2.2.2 1.1.1.3 192.168.1.0/24 type-3 (Summary) 0x800001DD 0x0000D30B 476 28
1 2.2.2.2 1.1.1.3 1.1.1.4 type-4 (AS summary) 0x80000010 0x00002D09 1094 28
1 3.3.3.3 1.1.1.1 1.1.1.1 type-1 (Router) 0x800004F9 0x00006215 814 48
1 3.3.3.3 1.1.1.2 1.1.1.2 type-1 (Router) 0x8000047A 0x0000A655 760 48
1 3.3.3.3 1.1.1.3 1.1.1.3 type-1 (Router) 0x8000046A 0x00000A10 1567 36
1 3.3.3.3 1.1.1.3 10.99.99.9/29 type-2 (Network) 0x800001E9 0x00005A2A 1369 36
1 3.3.3.3 1.1.1.1 192.168.1.248/24 type-2 (Network) 0x800001E3 0x00009C6B 814 32
1 3.3.3.3 1.1.1.3 10.0.100.0/29 type-3 (Summary) 0x800001DC 0x0000ED1B 1562 28
1 3.3.3.3 1.1.1.3 10.18.18.0/23 type-3 (Summary) 0x800001DC 0x000055C5 1562 28
1 3.3.3.3 1.1.1.3 10.22.22.0/23 type-3 (Summary) 0x800001DC 0x0000F81A 1562 28
1 3.3.3.3 1.1.1.3 10.99.99.0/29 type-3 (Summary) 0x800001DD 0x00004E57 476 28
1 3.3.3.3 1.1.1.3 172.16.2.0/23 type-3 (Summary) 0x80000195 0x00006A67 3 28
1 3.3.3.3 1.1.1.3 1.1.1.4 type-4 (AS summary) 0x80000010 0x00002D09 1094 28
1 1.1.1.4 10.0.100.0/29 type-5 (External) 0x8000000F 0x0000A3B1 1542
1 1.1.1.4 10.13.0.0/23 type-5 (External) 0x8000000F 0x00007C2A 1542
1 1.1.1.4 10.255.12.0/23 type-5 (External) 0x8000000F 0x00009413 1542
1 1.1.1.4 172.16.12.0/23 type-5 (External) 0x8000000F 0x00009163 1542
1 1.1.1.4 192.168.99.0/24 type-5 (External) 0x8000000F 0x0000A946 1542

Currently they are working, but router C must redistribute its own directly connected networks - that's the main question: do we actually need this redistribution at all?
If I turn off redistribution on router C, I'm unable to connect back from router B -> subnets on router C; however, from subnets on router C I'm perfectly connected to subnets advertised by router B.

Hello

 


@Chris_78 wrote:

If turn off redistribution on router C , i'm unable to connect back from router B -> subnets on router C, however from subnets on router C  i'm perfectly connected to subnets advertised by router B  -

Why are you redistributing anyway?

Why don't you just advertise the subnets of each FW in OSPF as inter-area routes?

 

 

 

Router A is a Nexus 3k switch with a vPC connection towards router B, which is a Palo Alto firewall; as you may guess already, router C is also a Palo Alto firewall.
I’m advertising both subnets on the (so called) router A to router B via 2 separate uplinks - these are area 2.2.2.2 (for some reason didn’t show on the pic) and 3.3.3.3 but NOT area 0.0.0.0.
All devices are coded with RFC 1583 compatibility command.

 

When you drop the redistribution, could it be the fact that PBR is then failing?

Are these two links between A-B load-balancing in OSPF?
Does the PBR you have completed use any one of these as a preferred OSPF path?


 



Kind Regards
Paul

Hi Guys

Apparently the issue was with router C not configured correctly - OSPF was missing statements under the router C interfaces (attached is screenshot from PA GUI)

Thanks to everyone for contributing - I wasn't expecting such support from the community! 

Much appreciated!

Here is the output on router A (switch1) - please note I'm running PBR pushing all the traffic to router B and avoiding Inter-VLAN routing (as I mentioned that's an actual Nexus switch)

SW1# sh ip ospf database network
OSPF Router with ID (1.1.1.2) (Process ID 1 VRF default)

Network Link States *(Area 2.2.2.2)*

Link ID ADV Router Age Seq# Checksum
10.99.99.1 1.1.1.3 1791 0x800001e6 0xb0de - *router B red interface*

Network Link States *(Area 3.3.3.3)*

Link ID ADV Router Age Seq# Checksum
10.99.99.9 1.1.1.3 1791 0x800001e5 0x6226 - *router B blue interface*
192.168.1.248 1.1.1.1 1316 0x800001df 0xa467 - SVI on router A (as I mentioned there are 2 Nexus switches with identical configurations; 1.1.1.1 is the second switch)

SW1# sh ip ospf database summary
OSPF Router with ID (1.1.1.2) (Process ID 1 VRF default)

Summary Network Link States *(Area 2.2.2.2)*

Link ID ADV Router Age Seq# Checksum
10.0.100.0 1.1.1.3 585 0x800001d9 0xf318 - link between router B and C
10.99.99.8 1.1.1.3 1299 0x800001d9 0x069b
192.168.1.0 1.1.1.3 1299 0x800001d9 0xdb07

Summary Network Link States *(Area 3.3.3.3)*

Link ID ADV Router Age Seq# Checksum
10.0.100.0 1.1.1.3 585 0x800001d9 0xf318
10.18.18.0 1.1.1.3 585 0x800001d9 0x5bc2
10.22.22.0 1.1.1.3 585 0x800001d9 0xfe17
10.99.99.0 1.1.1.3 1299 0x800001d9 0x5653
172.16.2.0 1.1.1.3 827 0x80000191 0x7263

SW1# sh ip ospf database external
OSPF Router with ID (1.1.1.2) (Process ID 1 VRF default)

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag
*10.0.100.0 1.1.1.4 29 0x8000000d 0xa7af 0 this is router C*
10.13.0.0 1.1.1.4 29 0x8000000d 0x8028 0
10.255.12.0 1.1.1.4 29 0x8000000d 0x9811 0
68.74.118.200 1.1.1.4 29 0x8000000d 0x985f 0
172.16.12.0 1.1.1.4 29 0x8000000d 0x9561 0
192.168.99.0 1.1.1.4 29 0x8000000d 0x094e 0 servers on router C
All these networks are directly connected to router C


I'm looking for the router C output will post that in a bit




Here is the output on router C

 

Router C# show routing protocol ospf summary

==========
router id: 1.1.1.4
virtual router: default
reject default route: yes
redist default route: block
spf calculation delay (sec): 5.00
LSA interval timer (sec): 5.00
RFC1583 behavior: yes
area border router: no
AS border router: yes
LS type 5 count: 7
LS type 11 count: 0
LS sent count: 125
LS recv count: 129
area id: 0.0.0.0
interface: 10.0.100.2
dynamic neighbors:
IP 10.0.100.1 ID 1.1.1.3 - this is router B

 

Router C# show routing protocol ospf lsdb


VIRTUAL ROUTER: default (id 1)
==========
VR Area ID Orig RTR ID LS ID LSA Type Seq Number CheckSum Age Size
1 0.0.0.0 1.1.1.3 1.1.1.3 type-1 (Router) 0x800001E6 0x0000ABC9 103 36
1 0.0.0.0 1.1.1.4 1.1.1.4 type-1 (Router) 0x800001E6 0x0000A6CC 107 36
1 0.0.0.0 1.1.1.3 10.0.100.1/29 type-2 (Network) 0x80000010 0x0000C00F 108 32
1 0.0.0.0 1.1.1.3 10.18.18.0/23 type-3 (Summary) 0x800001DC 0x000055C5 652 28
1 0.0.0.0 1.1.1.3 10.22.22.0/23 type-3 (Summary) 0x800001DC 0x0000F81A 652 28
1 0.0.0.0 1.1.1.3 10.99.99.0/29 type-3 (Summary) 0x800001DC 0x00005056 1365 28
1 0.0.0.0 1.1.1.3 10.99.99.8/29 type-3 (Summary) 0x800001DC 0x0000FF9E 1365 28
1 0.0.0.0 1.1.1.3 172.16.2.0/23 type-3 (Summary) 0x80000194 0x00006C66 892 28
1 0.0.0.0 1.1.1.3 192.168.1.0/24 type-3 (Summary) 0x800001DC 0x0000D50A 1365 28
1 1.1.1.4 10.0.100.0/29 type-5 (External) 0x8000000F 0x0000A3B1 629
1 1.1.1.4 10.13.0.0/23 type-5 (External) 0x8000000F 0x00007C2A 629
1 1.1.1.4 10.255.12.0/23 type-5 (External) 0x8000000F 0x00009413 629
1 1.1.1.4 172.16.12.0/23 type-5 (External) 0x8000000F 0x00009163 629
1 1.1.1.4 192.168.99.0/24 type-5 (External) 0x8000000F 0x0000A946 629
1 1.1.1.4 192.168.99.0/24 type-5 (External) 0x8000000F 0x00000550 629
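
In the LSDB output posted above, router C (1.1.1.4) originates its connected networks only as type-5 externals, which matches the eventual finding that OSPF was not enabled on its interfaces. As an added example (not part of the thread; the function names are illustrative), this Python script parses that `show routing protocol ospf lsdb` layout and lists, per originating router, the prefixes that exist only as externals and so depend entirely on redistribution.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt of the router B LSDB output posted in the thread.
SAMPLE = """\
1 0.0.0.0 1.1.1.4 1.1.1.4 type-1 (Router) 0x800001E6 0x0000A6CC 1020 36
1 0.0.0.0 1.1.1.3 10.0.100.1/29 type-2 (Network) 0x80000010 0x0000C00F 1019 32
1 0.0.0.0 1.1.1.3 10.18.18.0/23 type-3 (Summary) 0x800001DC 0x000055C5 1562 28
1 2.2.2.2 1.1.1.3 1.1.1.4 type-4 (AS summary) 0x80000010 0x00002D09 1094 28
1 1.1.1.4 10.0.100.0/29 type-5 (External) 0x8000000F 0x0000A3B1 1542
1 1.1.1.4 10.13.0.0/23 type-5 (External) 0x8000000F 0x00007C2A 1542
1 1.1.1.4 192.168.99.0/24 type-5 (External) 0x8000000F 0x0000A946 1542
"""

LSA_RE = re.compile(r"^(?P<head>.+?)\s+type-(?P<type>\d+)\s+\(")

def parse_lsdb(text):
    """Return (area, originator, ls_id, lsa_type) tuples; area is None for type-5."""
    lsas = []
    for line in text.splitlines():
        m = LSA_RE.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        head = m["head"].split()
        lsa_type = int(m["type"])
        if lsa_type == 5 and len(head) == 3:   # AS-scoped LSA: no area column
            _, orig, ls_id = head
            area = None
        elif len(head) == 4:
            _, area, orig, ls_id = head
        else:
            continue  # unexpected layout: skip rather than guess
        lsas.append((area, orig, ls_id, lsa_type))
    return lsas

def external_only_prefixes(lsas):
    """Per originator: prefixes seen as type-5 but never as a type-2/3 LSA."""
    native = {ipaddress.ip_interface(l[2]).network for l in lsas if l[3] in (2, 3)}
    result = defaultdict(list)
    for _, orig, ls_id, lsa_type in lsas:
        net = ipaddress.ip_interface(ls_id).network
        if lsa_type == 5 and net not in native:
            result[orig].append(str(net))
    return {orig: sorted(nets) for orig, nets in result.items()}

if __name__ == "__main__":
    print(external_only_prefixes(parse_lsdb(SAMPLE)))
```

The transit network 10.0.100.0/29 is left out of the result because it is also present natively through the type-2 LSA; the remaining prefixes are the ones that disappear from router B when redistribution on router C is switched off.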
