Layer 2 ASA And OSPF

L2 ASA OSPF

So recently I had to configure an OSPF adjacency between two routers.

I thought simply permitting multicast traffic to the All Routers and All DR/BDR Routers would permit OSPF Hellos across the link and allow OSPF adjacencies to form. In fact what I saw was routers entering the EXSTART state and the neighbourship failing. I checked the manual, for an OSPF adjacency to form, the following conditions need to be satisfied:

– Area IDs need to match

– Neighbours need to be on the same subnet

– MTUs need to match

– Hello/Dead timers need to match

– Authentication (if any is configured)

So, what I saw was the routers entering the EXSTART state and the neighbourship dropping. Bear in mind, at this point, the only thing permitted through the firewall both ways was multicast traffic to 224.0.0.5 (the AllSPF Routers multicast address) using the OSPF protocol (IP protocol 89). So for some reason the DBD exchange was not taking place.

My initial reaction was to check MTU size. I’d seen a similar issue before where an MTU mismatch (jumbo frames on one side, 1500 bytes on the other side) meant while the non-backbone area’s routes made it into the backbone ABR router the backbone area’s routes did not. This turned out to be a red herring, but not a bad idea to check this. Incidentally, I suspected the BVI on the ASA maybe causing problems, or perhaps even the VLAN tagging between inside and outside interfaces, as even though the two connected interfaces across the link were in the same subnet they were being tagged with different VLAN IDs. Seems OSPF doesn’t care what you tag it as because the bridging in the ASA takes care of that issue. For all intents and purposes, the two interfaces are in the same L2 domain.

Further investigation of the problem made me realise that once the initial Hello exchange was complete the DBD exchange took place using unicast transmission. Therefore, I amended the firewall rule to permit OSPF traffic between the unicast subnets relevant to the routers and all was well. A bit of a head scratcher. Seems I’ve forgotten some of my routing from my CCNP revision.

Thanks to this website for a very handy troubleshooting guide:

http://cisco.iphelp.ru/faq/5/ch09lev1sec6.html

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s