cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2155
Views
10
Helpful
18
Replies
ChrisLuberto
Beginner

Cisco C3650 OSPF with Sonicwall Firewall

I'm in the process of replacing a Sonicwall 2400 with a Sonicwall 2650.  The configuration easily copies over however, when I plug the LAN port (192.168.50.1) of the Sonicwall into the same Cisco interface that the old firewall plugged into,  traffic is not routed to Sonicwalll.  

 

OSPF populates the routes on the new fire wall, I've cleared the ARP table on the layer 3 switch (the MAC address for the new firewall is correct), and 'show ip ospf neighbor' shows the new firewall as a neighbor.  The 'Gateway of last resort' changes to a secondary internet connection when it should remain the same.

 

When I plug the old firewall back in, the 'gateway of last resort' changes back to the primary (192.168.50.1) and traffic routes through the firewall as it should.  The configuration on the firewalls are identical.  Sonicwall tech support was not able to provide a solution.  What am I missing on the Cisco switch side? 

1 ACCEPTED SOLUTION

Accepted Solutions

Solution:  The Sonicwall NSA 2650 is configured for OSPF on X0.  The settings for OSPF (Network > Routing> *Gear Icon*) was set to "When WAN is up" under 'Originate Default Route'.  The NSA 2650 has a known issue that X0 was not broadcasting to OSPF to the router because it never saw the WAN as "up".  Sonicwall provided a hotfix and it is now working correctly.

 

Workaround before hotfix: I set 'Originate Default Route' to "Always"

View solution in original post

18 REPLIES 18
Rafael Carvallo
Beginner

If I understand correctly your firewall should be broadcasting the route towards 0.0.0.0/0 via OSPF, did you make sure SonicWall is doing this? 

 

You said a secondary Gateway, how is it learning it? OSPF?

 

If you are 100% sure the new firewall is broadcasting the default route and still see the traffic routed to the backup one, if both routes are learnt via OSPF did you check the metric? and the external type?

 

External Type 1 routes always win against External Type 2 routes so you have to make sure the new firewall is correctly broadcasting the route with its intended type

 

What's the output of:

show ip route 0.0.0.0 0.0.0.0

 

You could also show the output of:

show ip ospf database external

Hi Rafael,

 

Thank you for your response.  

 

We are broadcasting 0.0.0.0/0 via OSPF.  The secondary gateway is learned via OSPF.

 

This is the ip route of the old firewall that is working:

 

Gateway of last resort is 192.168.50.1 to network 0.0.0.0

O*E1 0.0.0.0/0 [110/11] via 192.168.50.1, 10:49:44, Vlan50
10.0.0.0/24 is subnetted, 1 subnets

 

This is the ip route of the new firewall (with the same configuration as the old firewall) when it is not working:

 

Gateway of last resort is 172.16.4.2 to network 0.0.0.0

O*E1 0.0.0.0/0 [110/52] via 172.16.4.2, 01:00:27, GigabitEthernet1/0/2
10.0.0.0/24 is subnetted, 1 subnets

 

Both appear to be configured as OSPF external 1.  Do you know the command to change 17.16.4.2 to E2?  Should I do that? 

 

show ip route 0.0.0.0 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 11, candidate default path, type extern 1
Last update from 192.168.50.1 on Vlan50, 10:59:40 ago
Routing Descriptor Blocks:
* 192.168.50.1, from 192.168.50.1, 10:59:40 ago, via Vlan50
Route metric is 11, traffic share count is 1

 

show ip ospf database external

OSPF Router with ID (192.168.50.2) (Process ID 1)

Type-5 AS External Link States

Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 356
Options: (No TOS-capability, No DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 192.168.50.1
LS Seq Number: 80000017
Checksum: 0x2670
Length: 36
Network Mask: /0
Metric Type: 1 (Comparable directly to link state metric)
MTID: 0
Metric: 10
Forward Address: 0.0.0.0
External Route Tag: 0

LS age: 725
Options: (No TOS-capability, No DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 192.168.200.254
LS Seq Number: 800047AC
Checksum: 0x1312
Length: 36
Network Mask: /0
Metric Type: 1 (Comparable directly to link state metric)
MTID: 0
Metric: 10
Forward Address: 0.0.0.0
External Route Tag: 0

 

Note: 192.168.200.254 is my secondary firewall which is reached via 172.16.4.2

 

Thanks!

 

Chris

 

 

 

Chris

 

This output shows that you are receiving advertisement of the default route from both firewalls and that they have equal metric. You could assign a higher OSPF cost on the interface connecting to the secondary making its metric a bit higher and then OSPF should choose the default route from your Sonicwall.

 

HTH

 

Rick

HTH

Rick

Chris there's something that doesn't add up.

 

You commented this is the current output of show ip route

 

 

Gateway of last resort is 172.16.4.2 to network 0.0.0.0

O*E1 0.0.0.0/0 [110/52] via 172.16.4.2, 01:00:27, GigabitEthernet1/0/2
10.0.0.0/24 is subnetted, 1 subnets

 

But then show ip route 0.0.0.0 0.0.0.0 shows:

 

Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 11, candidate default path, type extern 1
Last update from 192.168.50.1 on Vlan50, 10:59:40 ago
Routing Descriptor Blocks:
* 192.168.50.1, from 192.168.50.1, 10:59:40 ago, via Vlan50
Route metric is 11, traffic share count is 1

 

Which isn't consistent with the show ip route command, is it possible you made a mistake and this is the information from the old firewall?

 

Same here, the Database shows it's got 2 ASBR, namely 192.168.50.1 and 192.168.200.254 (as you pointed out). Is this the current one or was a mistake and it's showing the old one?

 

OSPF Router with ID (192.168.50.2) (Process ID 1)

Type-5 AS External Link States

Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 356
Options: (No TOS-capability, No DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 192.168.50.1
LS Seq Number: 80000017
Checksum: 0x2670
Length: 36
Network Mask: /0
Metric Type: 1 (Comparable directly to link state metric)
MTID: 0
Metric: 10
Forward Address: 0.0.0.0
External Route Tag: 0

LS age: 725
Options: (No TOS-capability, No DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 192.168.200.254
LS Seq Number: 800047AC
Checksum: 0x1312
Length: 36
Network Mask: /0
Metric Type: 1 (Comparable directly to link state metric)
MTID: 0
Metric: 10
Forward Address: 0.0.0.0
External Route Tag: 0

Because here you can see the 0.0.0.0/0 being advertised by both firewalls and both have the same advertised metric (10) so the metric towards the ASBR after added to this is the one that decides what route to use.


On your first example it shows it's 11 and on the second shows it's 52, so if those outputs are correct and are the current state s
ome questions:

 

1.- Did you happen by any chance to change the interface cost on the router?

If you didn't

2.- Is the interface connecting at the same speed as with the old firewall? if it isn't and it's a lower speed it's messing with the interface cost

 

E1 routes uses the advertised cost plus the cost towards the ASBR here the costs are the same so it's something related to the costs towards the ASBRs (which are determined by the cost of the interfaces it must travel in order to reach it)

 

Rafael,

 

The show ip route is currently:

 

Gateway of last resort is 192.168.50.1 to network 0.0.0.0

O*E1 0.0.0.0/0 [110/11] via 192.168.50.1, 12:15:55, Vlan50
10.0.0.0/24 is subnetted, 1 subnets

 

When I plug the new firewall in, it changes to the 172.16.4.2 address (which is the secondary route)

 

The interface speeds are the same on the old router and the new router.

 

I did not change any interface costs.

 

How can I alter the advertised cost so that 192.168.50.1 is ALWAYS used and 172.16.4.2 is ONLY used if 50.1 is not available?

Chris,

 

Without touching the costs, just go ahead and make the backup firewall advertise its default route as External Type 2. You should see the option where you configure the redistribution of the route, this way since the main FW broadcast as E1 it'll be always preferred. 

 

You could also change the metric for the advertised route in the backup firewall, make it something big.

Or change the interface metrics

 

Check: https://www.sonicwall.com/en-us/support/knowledge-base/170503340617998

 

HTH

Please rate useful posts

Rafael,

 

I increase the metric and will install the new firewall tonight to see if this configuration change helps.

 

I will update you after I make the change.

 

I appreciate your help.

 

Chris

Rafael,

 

I increased the metric and will install the new firewall tonight to see if this configuration change helps.

 

I will update you after I make the change.

 

I appreciate your help.

 

Chris

Rafael,

 

It seems that the database on my Cisco C3650 does not have the new firewall listed.  However, when I plug the old router in, it is listed.  I reviewed the OSPF settings on both sonicwalls and they appear to be identical.  Any ideas?

 

SCSW01#show ip ospf database external

OSPF Router with ID (192.168.50.2) (Process ID 1)

Type-5 AS External Link States

Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 62
Options: (No TOS-capability, No DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 192.168.200.254
LS Seq Number: 800047F2
Checksum: 0xF4DE
Length: 36
Network Mask: /0
Metric Type: 1 (Comparable directly to link state metric)
MTID: 0
Metric: 21
Forward Address: 0.0.0.0
External Route Tag: 0

SCSW01#

 

Thanks,

 

Chris

Chris,

 

Did you make the changes to the main FW? could you paste a screenshot of said config?

 

You should see it in the DB, since you're not means that FW isn't broadcasting the LSA for that route (taking into account the fact that you mentioned the adjacency is up and running)

Attached are screenshots for the backup firewall that is in my datacenter and for the firewall I'm installing.

 

Thanks,

 

Chris

I don't see anything odd in there,

 

The redistribution is constrained to only happen when WAN1 is UP, could you validate whether this is the case in the main FW?

 

The interface UP and IPs and default gateway active. Basically the rule is conditioning the advertisement to this, and since the LSA isn't present in the DB would point to the firewall not seeing its WAN as active

Rafael,

 

I found the solution!  I changed the FW OSPF setting 'Originate Default Route' from "When WAN is up" to "Always".  Once I did that, the new fire wall showed in the OSPF database.  A trace route from a client shows the traffic is routing correctly through the new fire wall.

 

I really appreciate all your help in troubleshoot this.

 

Chris

Good to know it works.

 

However basically you removed the constraint, which I'd not suggest, the constraint is basically what would make you failover to the secondary when the WAN interface is down but the FW is still active. By setting it up to "always" your network will believe that it can reach the internet/other unknown networks over this firewall even if it is not currently possible. 

 

Are you using the firewall's WAN interface? if you're not this explains why wasn't working to start with. But if you're and it's up and running I'd try to find out why it wasn't sending the LSA. 

 

What other options did you have? had one called "Distribute if installed" not tied to an interface?