11-30-2013 09:13 PM - edited 03-07-2019 04:51 PM
Hi All,
I am hoping someone can help me with this problem because I am stumped.
I have two routers, R1 which is a 2821 and R2 which is a 1841 in a router on a stick configuration.
I am trying to set up OSPF between the routers but both routers are stuck with the neighbor status EXSTART/BDR.
I have done some research on this issue and most of the time this issue is caused by an MTU mismatch on the router interfaces.
I have checked both routers' interfaces and they are both using an MTU of 1500 bytes, and I am not getting any MTU mismatch messages when I do a debug ip ospf adj.
Further to this I have checked for MTU issues with ping x.x.x.x df-bit size 1500 on both routers.
I have narrowed down the issue to a problem with NAT. As soon as I remove "ip nat outside" from GigabitEthernet0/1 on R1 the issue disappears and OSPF neighbor status changes from EXSTART/BDR to FULL/DR.
The strangest part about all this is I was using a 2801 previously for R2 and I had no issues at all. I have even tried a few different IOS versions to rule out any IOS bugs.
R1 Config
interface GigabitEthernet0/1
 ip address 10.60.133.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
end
interface Vlan1
 ip address 10.180.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
ip nat inside source route-map INTERNET interface GigabitEthernet0/0 overload
ip nat inside source route-map LAB interface GigabitEthernet0/1 overload
access-list 1 permit 10.0.0.0 0.255.255.255
route-map INTERNET permit 10
 match ip address 1
 match interface GigabitEthernet0/0
route-map LAB permit 10
 match ip address 1
 match interface GigabitEthernet0/1
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface Vlan1
 network 10.60.133.1 0.0.0.0 area 0
 network 10.180.1.254 0.0.0.0 area 0
R2 Config
interface FastEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.60.133.6 255.255.255.248
end
router ospf 1
 log-adjacency-changes
 summary-address 10.48.0.0 255.240.0.0
 redistribute bgp 65133 subnets
 passive-interface default
 no passive-interface FastEthernet0/1.101
 network 10.60.133.6 0.0.0.0 area 0
12-01-2013 06:05 AM
Edit -
Sorry, I'm having one of those days.
Can you post the full router config of R1?
Jon
12-01-2013 06:42 AM
Sean
Can you try this -
access-list 1 deny 10.60.133.6 0.0.0.0
access-list 1 permit 10.0.0.0 0.255.255.255
Jon
12-01-2013 07:18 AM
Jon,
the IP address of R1's OSPF source interface is 10.60.133.1, so I think this one should be denied in ACL 1:
access-list 1 deny host 10.60.133.1
access-list 1 permit 10.0.0.0 0.255.255.255
Best regards
Rolf
12-01-2013 07:21 AM
Rolf
That's what I originally suggested (before I edited the post). But I think the NAT is affecting the return traffic and not the outgoing traffic.
But I could well be wrong.
Jon
12-01-2013 06:30 PM
Thank you Jon and Rolf,
Modifying R1's access list 1 fixed the issue:
access-list 1 deny host 10.60.133.1
access-list 1 permit 10.0.0.0 0.255.255.255
or
access-list 1 permit 10.180.1.0 0.0.0.255
I didn't think traffic from or to the router would be affected by NAT.
Good learning experience for me.
Sean
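As an added example (not code from any poster in this thread), the following Python sketch evaluates the ACL 1 variants posted above with IOS first-match and wildcard-mask semantics, to show which of them still select R1's own OSPF source address 10.60.133.1 for the NAT route-maps. The function names and the sample LAN host 10.180.1.10 are assumptions made for illustration.

```python
import ipaddress

def parse_standard_acl(lines):
    """Parse IOS standard ACL lines into (action, address, wildcard) integers."""
    entries = []
    for line in lines:
        tok = line.split()            # access-list <n> <permit|deny> <source>
        action, rest = tok[2], tok[3:]
        if rest[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wild = rest[1], "0.0.0.0"
        else:                         # address with optional wildcard mask
            addr, wild = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries

def acl_action(entries, src):
    """First matching entry wins; no match falls through to the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF     # wildcard bits set to 1 are "don't care"
        if (s & care) == (addr & care):
            return action
    return "deny"

def natted_self_addresses(acl_lines, router_addrs):
    """Router-owned addresses the NAT ACL permits, i.e. candidates for translation."""
    entries = parse_standard_acl(acl_lines)
    return [a for a in router_addrs if acl_action(entries, a) == "permit"]

# ACL variants as posted in the thread
ORIGINAL = ["access-list 1 permit 10.0.0.0 0.255.255.255"]
DENY_R2 = ["access-list 1 deny 10.60.133.6 0.0.0.0",
           "access-list 1 permit 10.0.0.0 0.255.255.255"]
DENY_R1 = ["access-list 1 deny host 10.60.133.1",
           "access-list 1 permit 10.0.0.0 0.255.255.255"]
LAN_ONLY = ["access-list 1 permit 10.180.1.0 0.0.0.255"]

R1_OSPF_SRC = ["10.60.133.1"]   # R1 address on the "ip nat outside" interface
LAN_HOST = "10.180.1.10"        # constructed sample host behind Vlan1

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("deny R2", DENY_R2),
                      ("deny R1", DENY_R1), ("LAN only", LAN_ONLY)]:
        print(f"{name:9} self-NAT: {natted_self_addresses(acl, R1_OSPF_SRC)} "
              f"LAN host: {acl_action(parse_standard_acl(acl), LAN_HOST)}")
```

Only the two ACLs Sean lists as fixes stop matching 10.60.133.1, and both still permit the LAN host.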
12-02-2013 05:11 AM
Sean / Rolf
I should have stuck with my original ACL.
"I didn't think traffic from or to the router would be affected by NAT"
I didn't either to be honest and I'm still not sure exactly what the router is doing in this case.
Jon
12-02-2013 07:48 AM
Sean and Jon,
"I didn't think traffic from or to the router would be affected by NAT"
They have been showing that very special scenario in the Cisco Live presentation "BRKRST-3310 - Troubleshooting OSPF" for a couple of years now, otherwise I wouldn't have known it either.
A debug in a simple gns3 lab produced some interesting output:
Dec 2 15:46:00.379: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 10.60.133.1
Dec 2 15:46:00.379: NAT: map match INTERNET
Dec 2 15:46:00.379: NAT: translation failed (F), dropping packet s=10.60.133.1 d=224.0.0.5
Dec 2 15:45:45.595: OSPF: Rcv hello from 2.2.2.2 area 0 from FastEthernet0/0 10.60.133.6
Dec 2 15:45:45.599: OSPF: Send immediate hello to nbr 2.2.2.2, src address 10.60.133.6, on FastEthernet0/0
Dec 2 15:45:45.599: OSPF: Send hello to 10.60.133.6 area 0 on FastEthernet0/0 from 10.60.133.1
Dec 2 15:45:45.603: NAT: map match INTERNET
Dec 2 15:45:45.603: NAT: translation failed (E), dropping packet s=10.60.133.1 d=10.60.133.6
NAT error code (E) stands for "Inside to outside fails after routing". Unfortunately I couldn't find out what (F) means. Probably it's something about the multicast destination address.
Thanks for the feedback,
best regards
Rolf
12-02-2013 08:03 AM
Rolf
This is why I am confused -
"NAT error code (E) stands for "Inside to outside fails after routing","
but the packet isn't coming from the inside interface, it's being sourced from the outside interface.
I thought NAT worked in that a packet arrives on the inside interface, matches the "ip nat inside" and the ACL defining what traffic to NAT and then gets translated when it leaves the outside interface (with "ip nat outside"). In this case the packet being sourced by the router only leaves the outside interface so I can't see how NAT gets involved.
Any thoughts/explanations?
Jon