OSPF INIT/DROTHER

I had this question after viewing Stuck in INIT/DROTHER.

I have the same problem: OSPF INIT/DROTHER between a Cisco L3 switch and a Cisco ASA firewall.
I checked everything, all the configuration. It looks good, however it doesn't work. I don't really understand why.
Dar Mazurek asked:
JustInCase commented:
Can you please provide sanitized configurations, the connecting interface, and output from at least:
sh ip ospf data
sh ip int brief
sh ip int status
debug ip ospf hello

Reasons for OSPF to be stuck in the INIT phase are:
- subnet masks don't match
- areas don't match
- authentication
- area flags don't match
- hello/dead intervals don't match
- an access-list filters OSPF packets (firewall rules)
Dar Mazurek (author) commented:
Hello,
Thank you for your answer. I am going to send you all info that you requested.

Dar
ospf-problem.txt
JustInCase commented:
The ASA is blocking incoming traffic from the OSPF neighbor(s).

ASA# debug ip ospf hello
OSPF hello events debugging is on
ASA#
OSPF: Send hello to 224.0.0.5 area 0 on DMZ from 192.168.15.62
OSPF: Send hello to 224.0.0.5 area 0 on Inside from 10.13.14.2
OSPF: Send hello to 224.0.0.5 area 0 on DMZ from 192.168.15.62
OSPF: Send hello to 224.0.0.5 area 0 on Inside from 10.13.14.2
OSPF: Send hello to 224.0.0.5 area 0 on DMZ from 192.168.15.62
OSPF: Send hello to 224.0.0.5 area 0 on Inside from 10.13.14.2

There are no incoming OSPF hello packets on the ASA in the debug, just outgoing packets.

The switch is receiving OSPF from the ASA:

Jan  6 2019 12:54:56.321 Chicago: OSPF-1 HELLO Gi1/0/2: Rcv hello from 172.31.0.1 area 0 10.13.14.2
Jan  6 2019 12:54:56.321 Chicago: OSPF-1 HELLO Gi1/0/2: No more immediate hello for nbr 172.31.0.1, which has been sent on this intf 2 times
Jan  6 2019 12:54:56.740 Chicago: OSPF-1 HELLO Gi1/0/2: Send hello to 224.0.0.5 area 0 from 10.13.14.1

To move into the 2-WAY phase, an OSPF router needs to find its own router ID in the hello packet it receives.
- The ASA does not receive OSPF hello packets, so it is unable to send a packet with the switch's router ID in it.
- The switch receives hello packets from the ASA and puts the router ID into its own hello packet, but that packet is never received by the ASA.

Check firewall rules and access-lists. You need to permit traffic for the OSPF multicast addresses 224.0.0.5 and 224.0.0.6, and unicast to at least the specific addresses of the neighboring routers; not all OSPF traffic is multicast. The OSPF protocol number is 89 (if you want to simplify and permit all OSPF traffic coming to the router).
Dar Mazurek (author) commented:
Thanks for this. Yes, this is probably the problem; I came to the same conclusion.
Let me check it. I will post the info here ASAP.

Best and thank you.

Dar
JustInCase commented:
You're welcome.
Dar Mazurek (author) commented:
Hi,

I checked it. It does not work. It's not the firewall or an ACL (the ACL is only on the Outside interface).

ASA# sh run int gi1/2
!
interface GigabitEthernet1/2
 nameif Inside
 security-level 100
 ip address 10.13.14.2 255.255.255.252

ASA# sh run | i access-group
access-group WAN-SERVER01 in interface Outside
JustInCase commented:
Still, traffic is being dropped somewhere along the way, otherwise there would be OSPF hello packets received on the interface.
Dar Mazurek (author) commented:
Hi,
Yes, I know that. But I don't know why the traffic is dropped when no ACL or firewall rules are applied on the Inside interface of the ASA.
Dar Mazurek (author) commented:
I am 100% sure that the multicast traffic is being blocked by the ASA. The problem is that I don't know what is blocking it. Any suggestions?

Best,

Dar
Dar Mazurek (author) commented:
Hello,

It's for you. It's a bug. OMG!

Cisco Bug: CSCvg78868 - [ENH] LLS TLV Support for OSPF in ASA and FTD
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvg78868

I spent all weekend figuring out what was going on with my ASA. Finally I found it in the logs:
Jan 06 2019 23:19:24: %ASA-4-409003: Received invalid packet: Bad LLS TLV length from xxx
This is exactly the bug! Cisco should pay me overtime :)

Thank you.
Dar Mazurek (author) commented:
Anyway thanks for your help.

JustInCase commented:
Thanks for feedback.
Dar Mazurek (author) commented:
I did this on the switch:
Switch(config-if)#ip ospf lls disable
And now everything is working perfectly.

ASA# sh ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.31.0.2        1   FULL/BDR        0:00:38    10.13.14.1      Inside
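To tie the thread together, the following is an added example (not code from the thread, the ASA, or IOS) that parses an OSPFv2 hello packet (RFC 2328 §A.3.2) and the optional LLS data block that IOS appends when `ip ospf lls` is enabled (RFC 5613). It implements three things discussed above: the mismatch checklist from the first answer (mask, area, auth type, stub flag, hello/dead timers), the 2-WAY rule that a router must see its own router ID in the neighbor's hello, and the LLS TLV length validation whose failure the ASA reported as "Bad LLS TLV length". The router IDs and addresses are taken from the thread's debug output; the packets themselves are constructed here, checksums are left as zero and are not verified, and the function and class names are this example's own.

```python
"""OSPFv2 hello + LLS block parser with adjacency checks (added example)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

OSPF_HELLO = 1
OPT_E_BIT = 0x02   # Options: router is in a non-stub area ("area flag")
OPT_L_BIT = 0x10   # Options: an LLS data block follows the OSPF packet (RFC 5613)


@dataclass
class Hello:
    router_id: str
    area_id: str
    auth_type: int
    netmask: str
    hello_interval: int
    options: int
    priority: int
    dead_interval: int
    neighbors: List[str]
    lls_tlvs: List[Tuple[int, bytes]] = field(default_factory=list)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_lls(block: bytes) -> List[Tuple[int, bytes]]:
    """Parse the LLS data block; raise ValueError on an inconsistent length."""
    if len(block) < 4:
        raise ValueError("LLS block shorter than its header")
    _cksum, words = struct.unpack("!HH", block[:4])   # length is in 32-bit words
    total = words * 4
    if total < 4 or total > len(block):
        raise ValueError("LLS data length exceeds block")
    tlvs, off = [], 4
    while off < total:
        if off + 4 > total:
            raise ValueError("Bad LLS TLV length")
        tlv_type, tlv_len = struct.unpack("!HH", block[off:off + 4])
        padded = (tlv_len + 3) & ~3                  # values are padded to 4 bytes
        if off + 4 + padded > total:
            raise ValueError("Bad LLS TLV length")   # what the ASA logged (409003)
        tlvs.append((tlv_type, block[off + 4:off + 4 + tlv_len]))
        off += 4 + padded
    return tlvs


def parse_hello(pkt: bytes) -> Hello:
    ver, ptype, length, rid, area, _cksum, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    if ver != 2 or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 hello")
    if length < 44 or length > len(pkt):
        raise ValueError("bad OSPF packet length")
    body = pkt[24:length]                            # 24-byte header, then hello body
    mask, hello_int, opts, prio, dead = struct.unpack("!4sHBBI", body[:12])
    neighbors = [ip_str(body[i:i + 4]) for i in range(20, len(body), 4)]
    h = Hello(ip_str(rid), ip_str(area), autype, ip_str(mask),
              hello_int, opts, prio, dead, neighbors)
    if opts & OPT_L_BIT:                             # LLS block sits after the packet
        h.lls_tlvs = parse_lls(pkt[length:])
    return h


def mismatches(mine: Hello, theirs: Hello) -> List[str]:
    """The INIT checklist from the thread, applied to a received hello."""
    out = []
    if mine.netmask != theirs.netmask: out.append("netmask")
    if mine.area_id != theirs.area_id: out.append("area")
    if mine.auth_type != theirs.auth_type: out.append("auth type")
    if (mine.options ^ theirs.options) & OPT_E_BIT: out.append("area flags")
    if mine.hello_interval != theirs.hello_interval: out.append("hello interval")
    if mine.dead_interval != theirs.dead_interval: out.append("dead interval")
    return out


def seen_by_neighbor(my_router_id: str, received: Hello) -> bool:
    """2-WAY is reached only once our own router ID is listed in their hello."""
    return my_router_id in received.neighbors


def build_lls(tlvs: List[Tuple[int, bytes]]) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\0" * ((-len(v)) % 4) for t, v in tlvs)
    return struct.pack("!HH", 0, (4 + len(body)) // 4) + body


def build_hello(rid, area, mask, hello=10, dead=40, options=OPT_E_BIT, priority=1,
                neighbors=(), lls: Optional[bytes] = None, auth_type=0) -> bytes:
    """Constructed hello for testing; checksum and auth data are zero."""
    if lls is not None:
        options |= OPT_L_BIT
    body = struct.pack("!4sHBBI4s4s", ip_bytes(mask), hello, options, priority, dead,
                       b"\0" * 4, b"\0" * 4) + b"".join(ip_bytes(n) for n in neighbors)
    hdr = struct.pack("!BBH4s4sHH8s", 2, OSPF_HELLO, 24 + len(body),
                      ip_bytes(rid), ip_bytes(area), 0, auth_type, b"\0" * 8)
    return hdr + body + (lls or b"")


if __name__ == "__main__":
    asa = parse_hello(build_hello("172.31.0.1", "0.0.0.0", "255.255.255.252"))
    switch = parse_hello(build_hello("172.31.0.2", "0.0.0.0", "255.255.255.252",
                                     neighbors=["172.31.0.1"],
                                     lls=build_lls([(1, b"\x00\x00\x00\x01")])))
    print("mismatches:", mismatches(asa, switch))
    print("switch sees ASA:", seen_by_neighbor("172.31.0.1", switch))
    print("ASA sees switch:", seen_by_neighbor("172.31.0.2", asa))
```

The switch-side hello carries an Extended Options TLV (type 1) in its LLS block, so a receiver that parses LLS accepts it and finds the ASA's router ID in the neighbor list; the ASA's own hello lists no neighbors, which is exactly the one-sided INIT/DROTHER the thread shows. A hand-built LLS block whose TLV claims more bytes than the block holds makes `parse_lls` raise "Bad LLS TLV length", and disabling LLS on the switch removes the block (and the L-bit) altogether, which is why `ip ospf lls disable` let the adjacency reach FULL.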