OSPF and VPN

Dima Dvorcovoy
Level 1

Problem: OSPF does not inject routes from VPN interfaces
I have an ASR router and linux PC with network connected to it.
ASR:

Cisco IOS XE Software, Version 16.06.02 Cisco IOS Software [Everest], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9_NOLI-M), Version 16.6.2, RELEASE SOFTWARE (fc2)

What I want: dial in to the ASR, and then all devices () have to communicate with our campus network without problems.

There are no problems with the l2tp connection and the PC itself, but although it announces its network to the ASR, I can't see it in the route table - so no net for the devices.
Configuration:

router ospf 10
router-id 217.21.43.0
no capability lls
area 0 range 10.0.0.0 255.0.0.0
area 1 stub
network 10.144.0.0 0.0.255.255 area 1
network 10.149.8.0 0.0.0.255 area 0
network 10.161.0.0 0.0.255.255 area 1
neighbor 10.175.100.0
default-information originate
distance 15

!

interface Virtual-Template1
ip address 10.161.0.1 255.255.0.0
ip nat inside
ip ospf network point-to-point
peer default ip address dhcp-pool DVPN
no keepalive
ppp authentication pap LDAPA
ip virtual-reassembly

-----

Status:

Vi2.29 o10a-route PPPoVPDN - 10.161.0.124
Virtual-Access2.29 is up, line protocol is up
Hardware is Virtual Access interface
Internet address is 10.161.0.1/16
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
reliability 255/255, txload 21/255, rxload 36/255
Encapsulation PPP, LCP Open
Open: IPCP
PPPoVPDN vaccess, cloned from Virtual-Template1
Vaccess status 0x0
Protocol l2tp, tunnel id 64801, session id 35903
Keepalive not set

border#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.194.0.0 0 2WAY/DROTHER 00:00:10 10.149.8.40 Port-channel2
10.255.255.255 128 FULL/DR 00:00:30 10.149.8.2 Port-channel2
10.175.100.0 0 FULL/ - 00:00:31 10.161.0.124 Virtual-Access2.29
show ip ospf database | inc 10.175
10.175.100.0 10.175.100.0 1750 0x8000000A 0x004A7D 3
border#show ip route | inc 10.175.
# (nothing)

 

But I see correct routing table on PC linux side.


What I really want is simple: to automatically add route 10.175.100.0/24 to Vi XXX every time THIS user calls VPN. There are many other users. Because every time interface and IP changes, 

Accepted Solution

I made a solution.

It is: to make my own dynamic routing. This script has to be run after a successful connection to edit the routing table.

#!/usr/bin/perl
# The super-dynamic router, because the Cisco OSPF does not work due to an error in CIFS in Cisco IOS
# V1.1 (c) by Inry, Minsk 2020
use strict;
use warnings;
use Net::Telnet;

my $DEVICE   = 'ppp0';        # has to be discovered too
my $LOGIN    = 'mjprouter';   # need a special user to do this (give it only the rights these route commands need)
my $PASSWORD = '******';      # no, I did not use THIS password
my $ROUTER   = '';
my $MYIP     = '';
my $MYROUTE  = '10.175.100.0 255.255.255.0';

#-------------------------------------------------------- find my IP and provider
sub FINDIP {
    open(my $c, '-|', "ifconfig $DEVICE") or die "?E-no interface!";
    while (<$c>) {
        $MYIP   = $1 if m/inet ([\d\.]+)/;
        $ROUTER = $1 if m/destination ([\d\.]+)/;   # the PPP peer, i.e. the ASR
    }
    close $c;
    return $MYIP && $ROUTER;
}

if (FINDIP()) { print STDERR "?I-MJP: All ok\n"; exit }

open(my $ctl, '>', '/var/run/xl2tpd/l2tp-control') or die "?E-MJP: no xl2tpd control file"; # reconnect
print $ctl "c myconnect";
close $ctl;
sleep(60);

unless (FINDIP()) { print STDERR "?W-MJP: Can't reconnect, waiting\n"; exit }

#------------------------------------------------------- find route
my ($RETRIES, $T) = (4, undef);
do {
    $RETRIES-- or die "?E-MJP: can't telnet";
} until ($T = Net::Telnet->new(
    Host    => $ROUTER,
    Prompt  => '/border[^#]*#/',
    # Dump_Log => 'mjp.log',  # debug!
    Timeout => 10,
    Errmode => 'return',     # new() returns undef instead of dying, so the retry loop works
));
$T->login($LOGIN, $PASSWORD) or die "?E-MJP: login failed: " . $T->errmsg;
$T->errmode('die');
#$T->cmd('terminal length 0'); # no need - it's already short
(my $ESCAPEDROUTE = $MYROUTE) =~ s/\./\\./g;   # dots are regex metacharacters for "| inc"
my @CFG = $T->cmd("show run | inc ip route $ESCAPEDROUTE"); # filter router side

#------------------------------------------------------- edit routing table
my $ALLOK = 0;
$T->cmd('configure terminal');
for (@CFG) {
    chomp;
    next unless m/^ip route /;                  # ignore anything that is not a static route line
    if (m/\s\Q$MYIP\E(?:\s|$)/) { $ALLOK = 1 }  # delete only extra routes (keep the one via my IP)
    else { $T->cmd("no $_") }
}
$T->cmd("ip route $MYROUTE $MYIP") unless $ALLOK; # do not insert if already has one
$T->cmd("exit");
$T->close;
print STDERR "?I-MJP: router table fixed\n";
__END__
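The decision part of that workaround, separated from the telnet session so it can be exercised on a workstation, as an added example that is not the script from the post. Given the lines the router returns for `show run | inc ip route <prefix>` and the address the PC received on this dial-in, `plan_static_route` returns the config-mode commands that leave exactly one static route for the prefix, via the current Virtual-Access address, and refuses a next hop outside the 10.161.0.0/16 pool of Virtual-Template1 (so a mis-parsed `ifconfig`, for instance the PC's 192.168.1.100 LAN address, can never be installed). `plan_static_route`, `apply_plan`, `VPN_POOL` and the sample `show run` lines are this example's own, constructed names and data:

```python
"""Added example (not the thread's script): the route-fixing logic of the
workaround above, written so it can be tested without a router."""
import ipaddress
import re

# Subnet of Virtual-Template1 in the thread; a next hop outside it is rejected.
VPN_POOL = ipaddress.ip_network("10.161.0.0/16")
# "ip route <prefix> <mask> <next-hop> [distance]" as printed by show run
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?:\s+\d+)?$")


def plan_static_route(show_run_lines, prefix, mask, my_ip, pool=VPN_POOL):
    """Return the IOS commands to run in 'configure terminal' (possibly none).
    Raises ValueError when my_ip is not in the VPN pool, so a mis-parsed
    interface address can never become a next hop on the border router."""
    if ipaddress.ip_address(my_ip) not in pool:
        raise ValueError("%s is not an address from %s" % (my_ip, pool))
    commands, have_current = [], False
    for line in show_run_lines:
        m = ROUTE_RE.match(line.strip())
        if not m or (m.group(1), m.group(2)) != (prefix, mask):
            continue                      # not a static route for this prefix: leave it alone
        if m.group(3) == my_ip:
            have_current = True           # already points at the current Vi address
        else:
            commands.append("no " + m.group(0))   # stale route to an earlier address
    if not have_current:
        commands.append("ip route %s %s %s" % (prefix, mask, my_ip))
    return commands


def apply_plan(show_run_lines, commands):
    """Simulate the running-config after the commands (offline check of idempotency)."""
    lines = [l.strip() for l in show_run_lines]
    for c in commands:
        if c.startswith("no "):
            lines = [l for l in lines if l != c[3:]]
        else:
            lines.append(c)
    return lines


# CONSTRUCTED sample: two leftovers from earlier dial-ins (one with a distance)
# and a route for another prefix that must not be touched.
SAMPLE_RUN = [
    "ip route 10.175.100.0 255.255.255.0 10.161.0.55",
    "ip route 10.175.100.0 255.255.255.0 10.161.0.201 200",
    "ip route 10.144.0.0 255.255.0.0 10.161.0.55",
]

if __name__ == "__main__":
    cmds = plan_static_route(SAMPLE_RUN, "10.175.100.0", "255.255.255.0", "10.161.0.124")
    print("\n".join(cmds))
    after = apply_plan(SAMPLE_RUN, cmds)
    print("second run:", plan_static_route(after, "10.175.100.0", "255.255.255.0", "10.161.0.124"))
```

Run twice in a row the planner returns an empty list, which is the property the script needs when it is triggered on every reconnect.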


25 Replies

Giuseppe Larosa
Hall of Fame

Hello @Dima Dvorcovoy 

you are close to your target.

For OSPF to install a route contained in an LSA, the LSA must come from an OSPF neighbor in state FULL, and this is your case.

You have used the ip ospf network point-to-point

can you post the

show ip ospf interface Virtual-Access2.29

 

There was an old option for OSPF on demand circuit that disables the sending of OSPF hellos, to avoid keeping the dialup link up only for sending OSPF hellos (from the ISDN age; out of Germany you had to pay for each second the B channel was in use..)

 

The two parts must agree on the network type in order to have the prefix installed in the routing table.

 

have you put the equivalent of "ip ospf network point-to-point " on the Linux PC ?

 

Hope to help

Giuseppe

 

 

 

border#show ip ospf interface Virtual-Access2.29
Virtual-Access2.29 is up, line protocol is up
Internet Address 10.161.0.1/16, Interface ID 80, Area 1
Attached via Network Statement
Process ID 10, Router ID 217.21.43.0, Network Type POINT_TO_POINT, Cost: 1
Topology-MTID    Cost    Disabled    Shutdown    Topology Name
      0            1        no          no           Base
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40
Hello due in 00:00:07
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Can be protected by per-prefix Loop-Free FastReroute
Can be used for per-prefix Loop-Free FastReroute repair paths
Not Protected by per-prefix TI-LFA
Index 1/11/16, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 50
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.175.100.0
Suppress hello for 0 neighbor(s)

 

----- Linux (yes, it emulates Cisco syntax well)

 

o10-router> show ip ospf int ppp0
ppp0 is up
ifindex 8, MTU 1500 bytes, BW 0 Kbit <UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>
Internet Address 10.161.0.124/16, Peer 10.161.0.1, Area 0.0.0.1 [Stub]
MTU mismatch detection:enabled
Router ID 10.175.100.0, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point, Priority 1
No designated router on this network
No backup designated router on this network
Multicast group memberships: OSPFAllRouters
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in 2.489s
Neighbor Count is 1, Adjacent neighbor count is 1

 

o10-router> show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
217.21.43.0 1 Full/DROther 37.759s 10.161.0.1 ppp0:10.161.0.124 0 0 0

 

o10-router> ip route
default via 192.168.1.1 dev enx582c80139263
10.0.0.0/8 via 10.161.0.1 dev ppp0 proto zebra metric 20
10.144.0.0/16 via 10.161.0.1 dev ppp0 proto zebra metric 20
10.161.0.0/16 dev ppp0 proto kernel scope link src 10.161.0.124
10.175.100.0/24 dev enp1s5 proto kernel scope link src 10.175.100.1
...
192.168.1.0/24 dev enx582c80139263 proto kernel scope link src 192.168.1.100

Hello

FYI - I have encountered in the past something similar to this, and the root cause was P2P OSPF adjacencies peering between unnumbered and numbered interfaces; once those interfaces had parity, the RIB table was populated.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Cristian Matei
VIP Alumni

Hi,

 

   Can you post the output of "show ip ospf database router adv-router 10.175.100.0" and "show ip ospf neighbor 10.175.100.0 detail"?

 

Regards,

Cristian Matei.

border#show ip ospf database router adv-router 10.175.100.0

OSPF Router with ID (217.21.43.0) (Process ID 10)

Router Link States (Area 1)

Adv Router is not-reachable in topology Base with MTID 0
LS age: 235
Options: (No TOS-capability, No DC)
LS Type: Router Links
Link State ID: 10.175.100.0
Advertising Router: 10.175.100.0
LS Seq Number: 80000033
Checksum: 0xF7A6
Length: 60
Number of Links: 3

Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.175.100.0
(Link Data) Network Mask: 255.255.255.0
Number of MTID metrics: 0
TOS 0 Metrics: 10

Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 217.21.43.0
(Link Data) Router Interface address: 10.161.0.124
Number of MTID metrics: 0
TOS 0 Metrics: 10

Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.161.0.0
(Link Data) Network Mask: 255.255.0.0
Number of MTID metrics: 0
TOS 0 Metrics: 10

border#show ip ospf neighbor 10.175.100.0 detail
Neighbor 10.175.100.0, interface address 10.161.0.124
In the area 1 via interface Virtual-Access2.29
Neighbor priority is 0, State is FULL, 18 state changes
DR is 0.0.0.0 BDR is 0.0.0.0
Options is 0x0 in Hello
Options is 0x0 in DBD
Dead timer due in 00:00:38
Neighbor is up for 11:09:02
Index 1/1/1, retransmission queue length 0, number of retransmission 5
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec

Hi,

 

   The problem is outlined below:

 

            OSPF Router with ID (217.21.43.0) (Process ID 10)

            Router Link States (Area 1)

          Adv Router is not-reachable in topology Base with MTID 0

 

However, per the given outputs, I find no reason for it, and at the same time I find it hard to believe you ran into such an OSPF bug with that ASR version.

   1. Can you re-enable LLS and remove the neighbor statements from the ASR as it's not needed?

   2. On the Linux box, do you run OSPF only in area 1? Do you also perform some redistribution from the Linux box into OSPF?

 

Regards,

Cristian Matei.
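What that "Adv Router is not-reachable" line means in SPF terms, as an added example that is not part of the thread: before SPF uses a Router LSA it applies the back-link check of RFC 2328 section 16.1 (step 2b), a link from router V to router W only counts if W's own LSA carries a link back to V, and an LSA whose advertising router is never reached contributes nothing to the RIB, FULL adjacency or not. The Python below parses Router LSAs in the `show ip ospf database router` format shown above and runs that check from the ASR's router-id. The Linux box's LSA is the one from the thread; the ASR's own Router LSA is never shown in the thread, so two hypothetical versions are constructed, one with the point-to-point link back and one without. The thread does not establish which condition failed on this ASR, so this demonstrates the rule, not the root cause. `parse_router_lsas`, `spf_reachability`, `installable_prefixes`, `diagnose` and the sample texts are this example's own names and data:

```python
"""Added example, not from the thread: parse IOS 'show ip ospf database router'
output and apply the RFC 2328 back-link check SPF makes before it uses a Router LSA."""
from dataclasses import dataclass, field


@dataclass
class RouterLSA:
    adv_router: str
    p2p_neighbors: set = field(default_factory=set)   # Router IDs from point-to-point links
    stub_networks: set = field(default_factory=set)   # (network, mask) from stub links


def parse_router_lsas(text):
    """Parse one or more Router LSAs as IOS prints them (only the fields needed here)."""
    lsas, cur, kind, stub_net = [], None, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Advertising Router: "):
            cur = RouterLSA(line.split()[-1]); lsas.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Link connected to: "):
            kind = line[len("Link connected to: "):]
        elif line.startswith("(Link ID) Neighboring Router ID: ") and "point-to-point" in kind:
            cur.p2p_neighbors.add(line.split()[-1])
        elif line.startswith("(Link ID) Network/subnet number: "):
            stub_net = line.split()[-1]
        elif line.startswith("(Link Data) Network Mask: ") and "Stub" in kind and stub_net:
            cur.stub_networks.add((stub_net, line.split()[-1]))
    return lsas


def spf_reachability(lsas, root_id):
    """Walk point-to-point links from root_id, accepting a router only when the
    link is bidirectional.  Returns (reached_ids, {router_id: reason for unreached})."""
    by_id = {l.adv_router: l for l in lsas}
    reached, queue, reasons = {root_id}, [root_id], {}
    while queue:
        v = queue.pop(0)
        for w in sorted(by_id[v].p2p_neighbors) if v in by_id else []:
            if w in reached:
                continue
            if w not in by_id:
                reasons[w] = "no Router LSA from %s in the database" % w
            elif v not in by_id[w].p2p_neighbors:
                reasons[w] = "%s links to %s, but %s has no point-to-point link back" % (v, w, w)
            else:
                reached.add(w); queue.append(w)
    for rid, lsa in by_id.items():          # routers nobody reached: explain from their side
        if rid not in reached and rid not in reasons:
            back = sorted(n for n in lsa.p2p_neighbors if n in reached)
            reasons[rid] = ("%s links to %s, but %s has no point-to-point link back" % (rid, back[0], back[0])
                            if back else "no chain of bidirectional links from %s" % root_id)
    return reached, {k: v for k, v in reasons.items() if k not in reached}


def installable_prefixes(lsas, root_id):
    """Stub networks SPF would offer the RIB: only those of reached, non-root routers."""
    reached, _ = spf_reachability(lsas, root_id)
    return sorted({p for l in lsas if l.adv_router in reached and l.adv_router != root_id
                   for p in l.stub_networks})


# The Linux box's Router LSA as the thread shows it on the ASR (fields this parser reads).
LINUX_LSA = """
Advertising Router: 10.175.100.0
Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.175.100.0
(Link Data) Network Mask: 255.255.255.0
Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 217.21.43.0
(Link Data) Router Interface address: 10.161.0.124
Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.161.0.0
(Link Data) Network Mask: 255.255.0.0
"""
# CONSTRUCTED: the ASR's own Router LSA is not in the thread; two hypothetical versions.
ASR_LSA_WITH_BACKLINK = """
Advertising Router: 217.21.43.0
Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 10.175.100.0
(Link Data) Router Interface address: 10.161.0.1
Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.161.0.0
(Link Data) Network Mask: 255.255.0.0
"""
ASR_LSA_WITHOUT_BACKLINK = """
Advertising Router: 217.21.43.0
Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.161.0.0
(Link Data) Network Mask: 255.255.0.0
"""


def diagnose(asr_lsa_text, root_id="217.21.43.0"):
    """Return (unreachable reasons, installable prefixes) from the ASR's point of view."""
    lsas = parse_router_lsas(asr_lsa_text + LINUX_LSA)
    return spf_reachability(lsas, root_id)[1], installable_prefixes(lsas, root_id)


if __name__ == "__main__":
    for name, text in (("with back-link", ASR_LSA_WITH_BACKLINK),
                       ("without back-link", ASR_LSA_WITHOUT_BACKLINK)):
        reasons, prefixes = diagnose(text)
        print(name, "->", reasons or "all reachable", prefixes)
```

With the back-link present the 10.175.100.0/24 stub is offered to the RIB; without it the Linux LSA is parked as unreachable, which matches the symptom of an LSA in the database (`show ip ospf database | inc 10.175`) but nothing in `show ip route`. Comparing the two real Router LSAs (`show ip ospf database router adv-router <id>` for each side) is therefore the check to run before suspecting a bug.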

 

+++ enabled, removed - still the same result


border#show run | beg ospf

router ospf 10
router-id 217.21.43.0
area 0 range 10.0.0.0 255.0.0.0
area 1 stub
network 10.144.0.0 0.0.255.255 area 1
network 10.149.8.0 0.0.0.255 area 0
network 10.161.0.0 0.0.255.255 area 1
default-information originate
distance 15
!

o10-router>show run

...

interface enp1s5
!
interface enx582c80139263
!
interface lo
!
interface ppp0
description VPN
!
router ospf
ospf router-id 10.175.100.1
network 10.144.0.0/16 area 0.0.0.1
network 10.161.0.0/16 area 0.0.0.1
network 10.175.100.0/24 area 0.0.0.1
area 0.0.0.1 stub

end

!

border#show ip ospf database router adv-router 10.175.100.1

OSPF Router with ID (217.21.43.0) (Process ID 10)

Router Link States (Area 1)

Adv Router is not-reachable in topology Base with MTID 0...

Hi,

 

   Did it get fixed? Is the output the same in the OSPF database and RIB? I also asked some additional questions about the implementation on the Linux side.

 

Regards,

Cristian Matei.


Not at all.

I use zebra/quagga OSPF, and in the post above you can see its config.

Hi,

 

   Do you, by accident have an LSA Type2 from the Linux device? On Cisco side, look into "show ip ospf database network".

 

Regards,

Cristian Matei.

border#show ip ospf database network

OSPF Router with ID (10.149.8.252) (Process ID 10)

Net Link States (Area 0)

LS age: 1118
Options: (No TOS-capability, DC)
LS Type: Network Links
Link State ID: 10.149.8.2 (address of Designated Router)
Advertising Router: 10.255.255.255
LS Seq Number: 800000AF
Checksum: 0x93C6
Length: 140
Network Mask: /24
Attached Router: 10.255.255.255
Attached Router: 10.128.0.0
Attached Router: 10.132.0.0
Attached Router: 10.135.0.0
Attached Router: 10.137.0.0
Attached Router: 10.149.8.252
Attached Router: 10.149.8.253
Attached Router: 10.150.0.0
Attached Router: 10.153.0.0
Attached Router: 10.154.0.0
Attached Router: 10.155.0.0
Attached Router: 10.158.0.0
Attached Router: 10.173.0.0
Attached Router: 10.178.0.0
Attached Router: 10.179.0.0
Attached Router: 10.179.16.0
Attached Router: 10.179.32.0
Attached Router: 10.179.48.0
Attached Router: 10.180.0.0
Attached Router: 10.182.0.0
Attached Router: 10.183.0.0
Attached Router: 10.184.0.0
Attached Router: 10.185.0.0
Attached Router: 10.186.0.0
Attached Router: 10.187.0.1
Attached Router: 10.188.0.0
Attached Router: 10.190.0.0
Attached Router: 10.193.0.0
Attached Router: 10.194.0.0

border#

 

Hello @Dima Dvorcovoy ,

 

Change the router-id to 10.175.100.1 on the Linux box: you are using as router-id the same address as the base subnet address of the prefix you would like to advertise in OSPF.

 

Area 0.0.0.1 being a stub area, the Linux box can only use the network command to advertise the LAN subnet; no redistribute connected would work.

 

Hope to help

Giuseppe

 

Yes, I removed everything from its configuration. The routing is still the same.

 

(Internet) <- mobile broadband modem <- LINUX -> ethernet (10.175.100.0)
    |                                     |
    |-> Border <---------VPN-(10.161)-----|
          |
          |-> Campus network (10.0/9)

Hi,

   

    I see no reason for which you're seeing this behaviour. Do you have any other Linux devices running OSPF that work with a Cisco neighbor? I would first try to use a "broadcast" network-type on both sides, to see if it works with the broadcast network-type; otherwise I would try an upgrade on the Cisco device.

 

Regards,

Cristian Matei.
