I am trying to establish OSPF between two Cisco routers and an HA-configured pair of Checkpoint firewalls that reside on the same LAN segment. The two routers form a good adjacency, but the routers will not form an adjacency to the Checkpoints. The neighbor status shows exstart/drother, then goes down, then comes back to exstart/drother. We have verified that the MTU sizes and the hello, dead, wait and retransmit times are the same. I am seeing sent and received packets from the Checkpoints. Has anyone had this issue?
Since the router is stuck in exstart stage, I suspect MTU.
Even though the MTU of both systems matches, I have seen adjacencies between Cisco switches and routers fail because of this.
Try the ip ospf ignore-mtu interface command, and see what happens.
Also try to disable link-local signalling between non-Cisco devices with the ip ospf lls disable interface command. This is recommended in case the device is not in compliance with RFC 2328.
The Checkpoint FW probably doesn't support local link signaling (LLS), which is used for the support of NSF. Generally speaking, they should just ignore the extraneous information if they don't support it.
Fortunately, the following knob has been added to disable LLS on the IOS side to interoperate with other vendors not supporting LLS:
router ospf x
no capability lls
Hope this helps,
Set the Checkpoints' OSPF priority to 0. I have Checkpoint on the Nokia platform and they are configured to never ever ever be the designated router. Let the routers be the designated router and life is much better.
Working with the Checkpoint vendor, we found the issue. It was a firewall policy that was not allowing packets from the routers through to the firewalls. Following the CheckPoint documentation, the policy was only allowing the multicast addresses, not the specific router IP addresses.
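As an added illustration of that root cause (example code, not from the thread or from Check Point), the model below walks the packets a router sends while bringing up an adjacency on a broadcast segment and checks each against a first-match firewall policy: Hellos go to the OSPF multicast group, but the Database Description exchange that moves the neighbor past EXSTART is unicast to the neighbor's own address. All addresses and rules are constructed.

```python
import ipaddress

OSPF_PROTO = 89                                   # OSPF rides directly on IP, protocol 89
ALLSPFROUTERS = "224.0.0.5"                       # AllSPFRouters multicast group
ALLDROUTERS = "224.0.0.6"                         # AllDRouters multicast group
ROUTER, FIREWALL = "10.1.1.1", "10.1.1.254"       # constructed addresses on the shared LAN

# Policy as the thread describes it: only the OSPF multicast groups are permitted.
MULTICAST_ONLY = [("10.1.1.0/24", ALLSPFROUTERS + "/32", OSPF_PROTO, "accept"),
                  ("10.1.1.0/24", ALLDROUTERS + "/32", OSPF_PROTO, "accept")]
# Corrected policy: additionally permit unicast OSPF from the router to the firewall.
FIXED = MULTICAST_ONLY + [(ROUTER + "/32", FIREWALL + "/32", OSPF_PROTO, "accept")]

def policy_permits(rules, src, dst, proto):
    """First-match policy; each rule is (src_net, dst_net, proto, action). No match = drop."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, rule_proto, action in rules:
        if (src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net)
                and rule_proto in (proto, "any")):
            return action == "accept"
    return False  # implicit cleanup rule

def ospf_packets(router_ip, neighbor_ip):
    """Packets the router (assumed DR here) sends toward the firewall, per RFC 2328."""
    return [
        ("Hello", router_ip, ALLSPFROUTERS),   # multicast: neighbor discovery, reaches 2-WAY
        ("DBD", router_ip, neighbor_ip),       # unicast to the neighbor: EXSTART -> EXCHANGE
        ("LSR", router_ip, neighbor_ip),       # unicast link-state requests
        ("LSU", router_ip, ALLSPFROUTERS),     # the DR floods updates to AllSPFRouters
        ("LSAck", router_ip, ALLSPFROUTERS),
    ]

NEXT_STATE = {"Hello": "EXSTART", "DBD": "EXCHANGE", "LSR": "LOADING",
              "LSU": "LOADING", "LSAck": "FULL"}

def adjacency_outcome(rules, router_ip, neighbor_ip):
    """Return (furthest state reached, first packet type the policy drops or None)."""
    state = "DOWN"
    for ptype, src, dst in ospf_packets(router_ip, neighbor_ip):
        if not policy_permits(rules, src, dst, OSPF_PROTO):
            return state, ptype
        state = NEXT_STATE[ptype]
    return state, None

if __name__ == "__main__":
    print(adjacency_outcome(MULTICAST_ONLY, ROUTER, FIREWALL))  # ('EXSTART', 'DBD')
    print(adjacency_outcome(FIXED, ROUTER, FIREWALL))           # ('FULL', None)
```

The same check can be run against a real rulebase export by replacing the constructed rule tuples; the firewall's own packets toward the router need the mirror-image unicast rule as well.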