OSPF Initial/DROTHER

Dar Mazurek
I had this question after viewing Stuck in INIT/DROTHER.

I have the same problem: OSPF INIT/DROTHER between a Cisco L3 switch and a Cisco ASA firewall.
I checked everything, all of the configuration. It looks good, however it doesn't work. I don't really understand why.

Commented:
Can you, please, provide sanitized configurations, connection interface and output from at least:
sh ip ospf data
sh ip int brief
sh ip int status
debug ip ospf hello

Reasons for OSPF to be stuck in the INIT phase are:
- subnet masks don't match
- areas don't match
- authentication
- area flags don't match
- hello/dead intervals don't match
- an access-list filters OSPF packets (firewall rules)

Author

Commented:
Hello,
Thank you for your answer. I am going to send you all info that you requested.

Dar
ospf-problem.txt
Distinguished Expert 2018

Commented:
ASA is blocking incoming traffic from OSPF neighbor(s)

ASA# debug ip ospf hello
OSPF hello events debugging is on
ASA#
OSPF: Send hello to 224.0.0.5 area 0 on DMZ from 192.168.15.62
OSPF: Send hello to 224.0.0.5 area 0 on Inside from 10.13.14.2
OSPF: Send hello to 224.0.0.5 area 0 on DMZ from 192.168.15.62
OSPF: Send hello to 224.0.0.5 area 0 on Inside from 10.13.14.2
OSPF: Send hello to 224.0.0.5 area 0 on DMZ from 192.168.15.62
OSPF: Send hello to 224.0.0.5 area 0 on Inside from 10.13.14.2

There are no incoming OSPF hello packets on the ASA in the debug, just outgoing packets.

Switch is receiving OSPF from ASA:

Jan  6 2019 12:54:56.321 Chicago: OSPF-1 HELLO Gi1/0/2: Rcv hello from 172.31.0.1 area 0 10.13.14.2
Jan  6 2019 12:54:56.321 Chicago: OSPF-1 HELLO Gi1/0/2: No more immediate hello for nbr 172.31.0.1, which has been sent on this intf 2 times
Jan  6 2019 12:54:56.740 Chicago: OSPF-1 HELLO Gi1/0/2: Send hello to 224.0.0.5 area 0 from 10.13.14.1

To move into the 2-way phase, an OSPF router needs to find its own router ID in the hello packet.
- the ASA does not receive OSPF hello packets, so it is unable to send a packet with the switch's router ID in it
- the switch receives hello packets from the ASA and places the router ID into its hello packet, but that packet is never received by the ASA

Check firewall rules and access-lists. You need to permit traffic for the OSPF multicast addresses 224.0.0.5 and 224.0.0.6, and unicast traffic to at least the specific addresses of the neighboring routers, since not all OSPF traffic is multicast. The OSPF protocol number is 89 (if you want to simplify and permit all OSPF traffic coming to the router).

Author

Commented:
Thanks for this. Yes, this is probably the problem. I reached the same conclusion.
Let me check it. I will post the info here ASAP.

Best and thank you.

Dar
Distinguished Expert 2018

Commented:
You're welcome.

Author

Commented:
Hi,

I checked it. It does not work. It's not the firewall or the ACL. (The ACL is only on interface Outside.)

ASA# sh run int gi1/2
!
interface GigabitEthernet1/2
 nameif Inside
 security-level 100
 ip address 10.13.14.2 255.255.255.252

ASA# sh run | i access-group
access-group WAN-SERVER01 in interface Outside
Distinguished Expert 2018

Commented:
Traffic is still being dropped along the way somewhere, otherwise there would be OSPF hello packets received on the interface.

Author

Commented:
Hi,
Yes, I know that. But I don't know why the traffic is dropped if no ACL or firewall rules are applied on the Inside interface of the ASA.

Author

Commented:
I am 100% sure that the multicast traffic is being blocked by the ASA. The problem is that I don't know what is blocking it. Any suggestions...

Best,

Dar

Author

Commented:
Hello,

It's for you. It's a bug. OMG!

Cisco Bug: CSCvg78868 - [ENH] LLS TLV Support for OSPF in ASA and FTD
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvg78868

I spent all weekend figuring out what was going on with my ASA. Finally I found it in the logs:
Jan 06 2019 23:19:24: %ASA-4-409003: Received invalid packet: Bad LLS TLV length from xxx
This is exactly the bug! Cisco should pay me overtime :)

Thank you.
Anyway thanks for your help.
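Added example, not code from the thread or from Cisco: a small Python decoder for OSPFv2 Hello packets that applies the two rules this thread turns on. It implements the expert's explanation (a neighbor only reaches 2-WAY once the received Hello lists our own router ID; a parameter mismatch keeps it down) and the root cause found later (a Hello carrying an LLS block whose TLV length overruns the data is rejected before any state change, which is what the ASA's "Bad LLS TLV length" message describes). The packet bytes, router IDs and timer values are constructed for the example; checksums are left at zero and nothing is ever sent.

```python
import struct
from socket import inet_aton, inet_ntoa

L_BIT = 0x10  # OSPFv2 Options L-bit: an LLS data block follows the packet (RFC 5613)

def build_hello(router_id, neighbors, options=L_BIT, lls_tlvs=b""):
    """Constructed OSPFv2 Hello (area 0, /30 mask, 10/40 s timers) with an optional LLS
    block appended past the header's packet length. Checksums stay 0: nothing is sent."""
    body = struct.pack("!4sHBBI4s4s", inet_aton("255.255.255.252"), 10, options, 1, 40,
                       bytes(4), bytes(4)) + b"".join(inet_aton(n) for n in neighbors)
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), inet_aton(router_id),
                      bytes(4), 0, 0, bytes(8))  # version 2, type 1 (Hello), no auth
    lls = struct.pack("!HH", 0, (4 + len(lls_tlvs)) // 4) + lls_tlvs if lls_tlvs else b""
    return hdr + body + lls

def parse_hello(pkt):
    """Decode the Hello; with the L-bit set, walk the LLS TLVs with the bounds checks a
    receiver needs, rejecting an overrunning TLV (what the ASA logged as 'Bad LLS TLV length')."""
    _, _, length, rid, area, _, _, _ = struct.unpack("!BBH4s4sHH8s", pkt[:24])
    mask, hello, opts, _, dead, _, _ = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    fields = {"router_id": inet_ntoa(rid), "area": inet_ntoa(area), "mask": inet_ntoa(mask),
              "hello": hello, "dead": dead, "lls": [],
              "neighbors": [inet_ntoa(pkt[i:i + 4]) for i in range(44, length, 4)]}
    if opts & L_BIT and len(pkt) > length:
        lls, pos = pkt[length:], 4
        if struct.unpack("!HH", lls[:4])[1] * 4 != len(lls):  # length is in 32-bit words
            raise ValueError("LLS block length mismatch")
        while pos < len(lls):
            t, l = struct.unpack("!HH", lls[pos:pos + 4])
            if pos + 4 + l > len(lls):
                raise ValueError("Bad LLS TLV length")
            fields["lls"].append((t, lls[pos + 4:pos + 4 + l]))
            pos += 4 + ((l + 3) & ~3)  # TLV values are padded to 32 bits
    return fields

def classify(local, pkt):
    """Thread logic: malformed packet is DROPPED before any state change, a parameter mismatch
    keeps the neighbor DOWN, our router ID absent from the list is INIT, present is 2-WAY."""
    try:
        h = parse_hello(pkt)
    except (ValueError, struct.error) as e:
        return "DROPPED", [str(e)]
    bad = [f for f in ("area", "mask", "hello", "dead") if local[f] != h[f]]
    if bad:
        return "DOWN", bad
    return ("2-WAY" if local["router_id"] in h["neighbors"] else "INIT"), []
# Constructed ASA-side state plus a well-formed and a malformed Extended Options TLV (type 1).
ASA = {"router_id": "172.31.0.2", "area": "0.0.0.0", "mask": "255.255.255.252",
       "hello": 10, "dead": 40}
EO_TLV = struct.pack("!HHI", 1, 4, 0)
BAD_TLV = struct.pack("!HHI", 1, 64, 0)  # claims 64 value bytes that are not present
```

Sending Hellos without the L-bit and without an LLS block (the effect of `ip ospf lls disable` on the switch) is covered by passing `options=0`, which the parser accepts like any other well-formed Hello.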
Distinguished Expert 2018

Commented:
Thanks for feedback.

Author

Commented:
I did it on the Switch:
Switch(config-if)#ip ospf lls disable
And now everything is working perfectly.

ASA# sh ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.31.0.2        1   FULL/BDR        0:00:38    10.13.14.1      Inside
