OSPF over redundant IP-SEC-Tunnels

gaigl
Level 3

Hello,

Please see the attached scenario!

We have 3 branches, each with an SDSL connection (tunnel 1, 8, 16) terminating on HQ_1 and an ADSL connection (tunnel 100, 108, 116) terminating on HQ_2.

The HQs are connected via FastEthernet to the firewall, and HSRP is running on the inside.

The tunnels (each a /30 transfer network) are part of the OSPF areas as listed. So far everything's fine.

Problem:

If I want to switch to the ADSL connection (raising the bandwidth parameter of the tunnel interface), the branch router immediately changes its routes to HQ, but the return traffic comes over the SDSL (I see it in "sh crypto engine connection active").

So I had a look at the OSPF database of HQ_1 and HQ_2, and there are double entries for the transfer nets, the external IPs and so on, but not for the branch networks (e.g. 172.28.0.0).

Shouldn't I see this network over 2 paths?

In the routing process I have "redistribute connected subnets".

The routers are all 2811s.

The firewall is not taking part in OSPF routing.

thanks

9 Replies

Richard Burts
Hall of Fame

Karl

I am not sure that I understand your explanation fully. But I believe that the essence of your problem is that if you change the bandwidth only on the branch router then it affects traffic only in one direction. This produces the symptoms that you describe that traffic uses the ADSL but the return traffic uses the SDSL. You would need to change the bandwidth at HQ as well as at the branch.

HTH

Rick


Oh sorry, I didn't tell you: sure, I change the bandwidth on both ends of the tunnel (on the branch router and on HQ_2).

So this is not the solution.

Karl

Sorry. So it is clear that I did not fully understand your explanation and your environment.

Just so I am clear, are the tunnels part of the remote area (1 or 8 or 16) and are not part of area 0?

Would you post the output of show ip ospf neighbor from each of the HQ routers?

HTH

Rick


Hi Richard,

thank you so far,

The tunnels are part of the remote areas.

HQ_1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.200.219   1   FULL/DR         00:00:36    $IP_HQ_2    FastEthernet0/1
192.168.200.100   0   FULL/  -        00:00:30    192.168.191.1   Tunnel0
192.168.200.108   0   FULL/  -        00:00:30    192.168.191.9   Tunnel8
192.168.200.116   0   FULL/  -        00:00:39    192.168.191.17  Tunnel16

HQ_2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.200.209   1   FULL/BDR        00:00:36    $IP_HQ_1   FastEthernet0/1
192.168.200.100   0   FULL/  -        00:00:39    192.168.191.101 Tunnel100
192.168.200.108   0   FULL/  -        00:00:33    192.168.191.109 Tunnel108
192.168.200.116   0   FULL/  -        00:00:35    192.168.191.117 Tunnel116

Karl

I believe that I can explain why the routes switch over at the remote but do not switch over at HQ.

Let us start by thinking about the situation at the remote. The remote has 2 neighbors and both are members of the remote area (1, or 8, or 16) so the routes learned from both are intra area routes. With intra area routes OSPF looks at the metric to decide which one to use. So changing the bandwidth will change the metric and the result is that you can change which path the remote will use.

Then let us think about the situation at HQ. Each HQ router sees the remote as a neighbor over the tunnel which is in the remote area. So routes learned via the tunnel are intra area routes. The HQ routers are also neighbors through area 0. And the HQ router will learn the remote routes from its HQ neighbor but will learn them as inter area routes. OSPF always prefers to use intra area routes over inter area routes and does not use the metric to decide which path to use. So even though you have changed the bandwidth (and therefore changed the metric) OSPF is not considering the metric but only the intra or inter area route. And since you are running HSRP at HQ, traffic from HQ toward the remote will always arrive at the same router. And that router will always choose its intra area route rather than the inter area route it learned from its HQ neighbor.

If you want the routes to switch over at HQ then perhaps you can change the priorities for HSRP so that the other router becomes HSRP primary?

I am not really clear about only one copy of the route in the OSPF database. Is it possible that you are seeing the entry for the local (intra area) route and that there is also an entry for the inter area route in another section of the database?

HTH

Rick


Hi Rick,

thank you so far,

but some things are different:

The BRANCH network is an E2 route in both HQs, and it does not appear anywhere else in the database.

The HQ_1 router learns e.g. the transfer network of HQ_2 as an intra-area route (code O) and vice versa, there you are right, but the HQ... doesn't learn the BRANCH network as an intra-area route (as a 2nd entry in the database).

Hmmm...

Maybe there is some quite stupid problem?

Hello Karl,

The branch routes are seen as O E2 as a result of redistribute connected subnets on the branch router.

Now, an O E2 route is learned via an LSA type 5 where the branch router acts as ASBR node and is the LSA originator.

It is correct that you see only one copy of LSA type 5 in the OSPF database because LSA type 5 are flooded in all the OSPF domain.

You should see in area 0 two different LSA type 4 ASBR summary routes describing the branch router OSPF router-id.

Routing to an external destination in OSPF means routing to the ASBR OSPF router-id, so there is only one copy of the LSA type 5 as the IP prefix is only one and only one branch router is injecting it in the OSPF domain. However, there may be multiple paths to the ASBR node.

Hope to help

Giuseppe
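As an added illustration of the two explanations above (Rick's on intra-area versus inter-area routes and Giuseppe's on routing an O E2 prefix to its ASBR), here is a small Python model of the OSPF path preference rules; it is not code posted in the thread. The prefixes are taken from the thread (the /16 on the branch net and the /30 on the transfer net are assumed), and all costs and the "asbr_via" labelling are constructed values.

```python
from dataclasses import dataclass

# Route types in order of preference; the type decides before any cost is compared.
RANK = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}

@dataclass(frozen=True)
class Path:
    prefix: str
    rtype: str               # "intra", "inter", "E1" or "E2"
    cost: int                # path cost; for E2 the type-5 LSA's type-2 metric
    via: str                 # interface / next hop, for display only
    asbr_via: str = "intra"  # E2 only: how the ASBR is reached, "intra" or "inter"
    asbr_cost: int = 0       # E2 only: cost to reach the ASBR that way

def pref_key(p: Path):
    """Sort key: route type, then cost. For O E2 the tie-break is the path to the
    ASBR: a non-backbone intra-area path beats an inter-area one, then ASBR cost
    (RFC 2328 16.4.1 with RFC1583Compatibility off, as the replies describe)."""
    if p.rtype != "E2":
        return (RANK[p.rtype], p.cost, 0, 0)
    return (RANK["E2"], p.cost, 0 if p.asbr_via == "intra" else 1, p.asbr_cost)

def best_paths(paths):
    """All paths that tie for best for one prefix (the ECMP set)."""
    if not paths:
        return []
    ordered = sorted(paths, key=pref_key)
    top = pref_key(ordered[0])
    return [p for p in ordered if pref_key(p) == top]

# Constructed sample of HQ_1's candidates after the ADSL bandwidth was raised;
# costs are assumed (the SDSL tunnel is now far more expensive than the LAN path).
# Rick's point: the transfer net is intra-area over Tunnel0 and inter-area via
# HQ_2, and intra-area wins even at the much higher cost.
TRANSFER_NET = [
    Path("192.168.191.0/30", "intra", 1000, "Tunnel0"),
    Path("192.168.191.0/30", "inter", 11, "FastEthernet0/1 -> HQ_2"),
]
# Giuseppe's point: one type-5 LSA for the branch net (E2, metric 20) but two
# ways to reach its ASBR; the intra-area way over Tunnel0 wins regardless of cost,
# which is why only HSRP decides which HQ router carries the return traffic.
BRANCH_NET = [
    Path("172.28.0.0/16", "E2", 20, "Tunnel0", asbr_via="intra", asbr_cost=1000),
    Path("172.28.0.0/16", "E2", 20, "FastEthernet0/1 -> HQ_2", asbr_via="inter", asbr_cost=11),
]

if __name__ == "__main__":
    for cands in (TRANSFER_NET, BRANCH_NET):
        for p in best_paths(cands):
            print(f"{p.prefix:17} {p.rtype:5} via {p.via}")
```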

Hello Giuseppe,

thank you for this explanation, now I don't need to wonder about this, ok.

Now, back to the problem with the return traffic:

Is HSRP responsible for the different return path?

If I understand this correctly, the HQ_1 router has only one route to the branch network, so it doesn't even consider routing over HQ_2, correct?

So the only way would be to change HSRP.

Thanks

Karl

Hello Karl,

I agree, changing the HSRP master on HQ would make return traffic be sent to the HQ_2 hub router, and it would go back over the tunnels built on the ADSL links.

Changing the HSRP active should be cleaner and more effective, as the current HSRP setup does not reflect the idea of preferring routes over the ADSL links.

You would need a logical link in the same area x between HQ_1 and HQ_2 for each branch site in area x to build a routed diversion HQ_1 - HQ_2 - branch, as explained by Rick, since you cannot compare an intra-area route to an inter-area route.

So you would need a direct link between HQ_1 and HQ_2 with 3 VLAN subinterfaces to build those logical links (one per remote branch).

So acting on HSRP is cleaner by far.

Hope to help

Giuseppe