Solved: Re: OSPF neighborship flapping in Point to Point network.

Bhavesh Nijap · ‎11-29-2022

OSPF neighborship between Cisco Core Switch and Palo Alto Firewall is flapping in point to point network.

Due to which we have change network type at Palo Alto end as a broadcast now ospf neighborship is stable but not able to reach few IP address of Server connected on Meraki L2 Switch. Few Servers are connected on same switch are reachable also checked the routes for respective subnets are received on Cisco Core switch .We have tried to unplug the servers from Meraki Switch and connected back but still they are not reachable.

At Core Cisco Switch, we are able to see IP ospf network point to point on respective SVI created for these Servers.
Is it due to Ospf network mismatch at Cisco Core Switch and Palo Alto end ?

Giuseppe Larosa · ‎12-02-2022

Hello @Bhavesh Nijap ,

you need to change the OSPF network type to broadcast also on the Cisco core switch SVI towards the Palo Alto FW interface as already noted the two sides must agree on OSPF network type.

You have seen instability when using p2p OSPF network type on both sides, now you have to check OSPF network type broadcast on both sides.

Hope to help

Giuseppe

View solution in original post

MHM Cisco World · ‎11-29-2022

by default the SW use network type broadcast for any ethernet link,
the issue I think
Palo using P2P and SW use broadcast and this mismatch make link flapping.
change Palo to broadcast will solve your issue and that what you did.

can you share


show ip ospf interface 
show ip ospf neighbor

lab below is two router run ospf with each other and with SVI of L3SW.
before I change the network to broadcast from P2P in router 1 the ospf was flapping immediate after change the network the ospf stable.

paul driver · ‎11-29-2022

Hello

@Bhavesh Nijap wrote:

At Core Cisco Switch, we are able to see IP ospf network point to point on respective SVI created for these Servers.
Is it due to Ospf network mismatch at Cisco Core Switch and Palo Alto end ?

May I ask why you changed network type in the first place it was working beforehand, something must have changed for the opsf peering to have begun to flap, if the PA/CISCO/Meraki all share the same multiaccess network segment, then it makes sense for the ospf network type to be broadcast.

Can you post a topology diagram of your network

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Giuseppe Larosa · ‎11-30-2022

Hello @Bhavesh Nijap ,

OSPF nodes must agree on OSPF network type so if you have changed the OSPF network type to standard broadcast on Palo Alto you need to do the same on the Cisco Core switch routed interface or SVI connecting to it.

Consider that broadcast network type requires DR/BDR election and p2p does not.

For the network type mismatch the Palo Alto device is likely not installing the IP prefixes that are listed in the Core switch router LSA.

You need to fix this.

Hope to help

Giuseppe

Bhavesh Nijap · ‎12-02-2022

Hello @MHM Cisco World @paul driver @Giuseppe Larosa
We are migrating Juniper firewalls with Palo Alto Firewalls.

Juniper & Cisco Core Switch are forming Ospf neighborship as a p2p network & Ospf neighborship is in full state mode

When We replace Juniper Firewall with Palo Alto firewalls with same interface & ospf config; Ospf neighborship is flapping continuously. due to which we have change ospf network type to broadcast at Palo Alto end then we are able get routes for 10.0.0.0/24 (application servers) and we can reach to 10.0.0.10 server from Palo Alto firewall but not 10.0.0.20 and 10.0.0.30 server (but these are reachable from cisco Core switch) but when we roll back to Juniper again it is working fine all servers are reachable from Firewall
When we check ospf neighbor it is not in full state , it is showing DRother/Init (it is may be due to ospf network mismatch because ospf behavior in multiaccess network is slightly different than p2p network)

Please find logical diagram for you reference

Any suggestion on this?

MHM Cisco World · ‎12-02-2022

friend there are two case here
using P2P with SVI
using P2P with router-port
which case you use ?

Bhavesh Nijap · ‎12-02-2022

Hello
thanks for responding

it is p2p with SVI

MHM Cisco World · ‎12-02-2022

so if you not config network type under SVI then it by default broadcast
Cisco-Juniper , I dont know about Juniper but if it also by default broadcast type then OSPF is stable

Cisco-Palo , you try change to broadcast and it stable now.

reachability issue ?
it can from OSPF not advertise the route, which we can check it by

show routing route << palo

check of Palo have receive the route from the Cisco Core SW
if Yes
then
reachability is not from OSPF it from default security behave of FW,
it can drop traffic you must allow it.

Giuseppe Larosa · ‎12-02-2022

Hello @Bhavesh Nijap ,

you need to change the OSPF network type to broadcast also on the Cisco core switch SVI towards the Palo Alto FW interface as already noted the two sides must agree on OSPF network type.

You have seen instability when using p2p OSPF network type on both sides, now you have to check OSPF network type broadcast on both sides.

Hope to help

Giuseppe