10-22-2010 05:25 AM - edited 03-06-2019 01:41 PM
Hi Friends,
OSPF neighborship is not coming up. Please help.
sh ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
N/A 0 DOWN/ - - 10.224.16.122 outside
Firewall 1
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.224.16.122 255.255.255.248 standby 10.224.16.123
ospf network point-to-point non-broadcast
router ospf 1
network 10.224.16.120 255.255.255.248 area 0
network 10.224.131.104 255.255.255.248 area 0
neighbor 10.224.131.106 interface outside
log-adj-changes
route outside 10.224.131.104 255.255.255.248 10.224.16.122 1
route outside 10.224.131.106 255.255.255.255 10.224.16.122 1
Firewall 2
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.224.131.106 255.255.255.248 standby 10.224.131.107
ospf network point-to-point non-broadcast
router ospf 1
network 10.224.16.120 255.255.255.248 area 0
network 10.224.131.104 255.255.255.248 area 0
network 203.132.216.0 255.255.255.0 area 0
neighbor 10.224.16.122 interface outside
log-adj-changes
route outside 10.224.16.120 255.255.255.248 10.224.131.106 1
route outside 10.224.16.122 255.255.255.255 10.224.131.106 1
10-22-2010 05:49 AM
Hi ,
The adjacency will not come up. The TTL of the OSPF packet is 1.
Dan
10-22-2010 06:39 AM
Hello Amitak,
adjacency = to be in the SAME IP subnet
you cannot achieve OSPF neighborship over different IP subnets
this is by protocol design.
Every internal Gateway Protocol including RIP, RIPv2, EIGRP, OSPF requires this.
you need to enable OSPF also on device(s) in the middle
Hope to help
Giuseppe
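The replies above attribute the DOWN state to the neighbor address lying outside the interface's own subnet. As an added example (not part of the thread; the function names and the contrast configuration are constructed here), this Python check parses the Firewall 1 lines from the question and reports any OSPF neighbor statement whose address is not on-link for the interface it is bound to:

```python
import ipaddress

# Firewall 1 lines from the question, trimmed to the relevant ones (indentation added).
FW1_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 10.224.16.122 255.255.255.248 standby 10.224.16.123
 ospf network point-to-point non-broadcast
router ospf 1
 network 10.224.16.120 255.255.255.248 area 0
 neighbor 10.224.131.106 interface outside
"""

# Constructed contrast case: a neighbor inside the interface's own /29.
ONLINK_CONFIG = FW1_CONFIG.replace("neighbor 10.224.131.106", "neighbor 10.224.16.121")


def parse(config):
    """Return ({nameif: IPv4Interface}, [(neighbor_ip, nameif), ...])."""
    interfaces, neighbors, nameif = {}, [], None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            nameif = None  # new interface block, its nameif is not known yet
        elif words[0] == "nameif" and len(words) >= 2:
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif and len(words) >= 4:
            interfaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[0] == "neighbor" and len(words) >= 4 and words[2] == "interface":
            neighbors.append((ipaddress.ip_address(words[1]), words[3]))
    return interfaces, neighbors


def off_link_neighbors(config):
    """List (neighbor, nameif, local_subnet) for neighbors outside the interface subnet."""
    interfaces, neighbors = parse(config)
    findings = []
    for addr, nameif in neighbors:
        local = interfaces.get(nameif)
        if local is None or addr not in local.network:
            findings.append((str(addr), nameif, str(local.network) if local else None))
    return findings


if __name__ == "__main__":
    for addr, nameif, net in off_link_neighbors(FW1_CONFIG):
        print(f"neighbor {addr} via {nameif} is outside {net}: not directly reachable")
```

A finding means the adjacency cannot form over the plain routed path and needs one of the approaches discussed in the thread (a tunnel between the two devices, or OSPF on the devices in the middle).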
10-25-2010 01:21 AM
Hi,
Thanks for your reply.
I was referring to the document
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml . The OSPF neighborship is being achieved with different IP segments over VPN. I have a similar requirement and have done Crypto configuration too.
Can you please suggest?
10-25-2010 03:14 AM
Hello Amitak,
I would suggest to use point to point GRE tunnels defined on the two routers.
the devices performing IPSec will encrypt traffic of the GRE tunnels
This is a well known configuration that can work
the ACL for the crypto map will have a line like
access-list 111 permit gre host A.B.C.D host E.F.G.H
on one side
access-list 111 permit gre host E.F.G.H host A.B.C.D
(mirrored ACLs)
the tunnel interface on R1 will be something like
interface tunnel12
ip address 10.10.100.1 255.255.255.252
tunnel source A.B.C.D
tunnel destination E.F.G.H
on other device R2:
interface tunnel12
ip address 10.10.100.2 255.255.255.252
tunnel source E.F.G.H
tunnel destination A.B.C.D
in this way you can run OSPF over the common IP subnet 10.10.100.0/30
router ospf
network 10.10.100.0 0.0.0.3 area 0
Note:
devices in the middle must be able to route traffic towards addresses used by IPSec endpoints.
Hope to help
Giuseppe
10-25-2010 04:04 AM
This is quite helpful. But the device I am using is a Cisco ASA and it's
not supporting GRE tunnels. Your guidance would be of great help.
10-25-2010 04:57 AM
If the ASA is the middle device you can use the GRE Passthrough. If the ASA is actually doing OSPF, you can set up an IPsec tunnel and add the remote device as a unicast neighbor, using the neighbor command in the OSPF configuration. This can also be done in ASDM.
you will find an example here: