2 PIX, OSPF with two processes, one PIX works, one does not

Unanswered Question
Sep 21st, 2007

I have two PIX firewalls 515 and 525 running 6.3.

The outside interfaces are connected to the edge router via a DMZ switch.

The router and PIX firewalls are running OSPF. Both PIXs are running OSPF on the inside as well, the reason for the two processes.

The idea is for the router to get the default route from the PE router and advertise it to the PIXs which in turn will give the internal network the Default route.

When we lose Internet, the default flips to the DR site.

One PIX is forming adjacency with the router ok, the other one is not.

The PIX that is working is showing the OSPF process on the Public subnet as having no Interfaces in it.

The PIX that does not participate in the OSPF process shows as having an interface in that process.

TAC says the PIX that does not work is confused about how to do the route.

The only thing I see is that the PIX not working does not have the outside public subnet in both processes.

Would it be better to configure the public subnet in only the one outside process and distribute it into the other process on the inside network?

The non working PIX is where critical customer servers are and we have lost connectivity due to the OSPF problems and I would like to fix it.

Any input on this would be appreciated.

ebreniz Thu, 09/27/2007 - 13:58

When trying to form an OSPF adjacency, if the remote end is sending fragmented packets, the PIX cannot handle them and keeps retransmitting its previous packets. Make sure there is no mismatch of MTU configured in PIX and router. If there is any mismatch, change the MTU to the same value. I think there is no comparison (metrics or route-type) done with updates from different OSPF processes and the latest update gets installed in the routing table. So in your topology, under your current design, it is an expected behavior.

wilson_1234_2 Thu, 09/27/2007 - 15:25

Thanks for the reply.

I had checked the MTU before, but I did find what was causing the issue.

Now that the adjacency is working, I am seeing something I do not understand.

The two PIX firewalls are configured with OSPF as shown in the drawing.

The idea is to have the default route distributed from the Edge router to the two pix firewalls so our DR scenario is dynamic.

Everything is working except the 515 PIX is configured with a static default route.

When removing the static route, the 515 gets the default from the internal core switch and not the edge router.

The other PIX, the 525 is working fine, getting the default from the router and distributing to the internal network core switch.

I can see the default in the 515's database and the advertising router as the edge router, but it is preferring the default route advertised by the switch, which is getting it from the 525.

Could it have anything to do with the edge router being on a FastEthernet port to the 515 outside interface and the core switch on a Gigabit port to the inside interface of the 515?

Also, the route is showing up as an external route; is this because it is being distributed from the edge router?

vijayasankar Sun, 09/30/2007 - 22:30

Hi,

If you could provide the configuration of all the involved devices, it would be really helpful to analyse what is going on.

From the config paste, I could notice that the PIX 525 is originating a default route using the command "default-information originate". It is possible that your internal switch is receiving this route from PIX 525 and sending it back to PIX 515. Based on the received metrics, from PIX 515's perspective this route may be a better route than what it was receiving from the edge router.

Check this out and if you need any further help, let us know your design requirements on this network and we will assist you in drafting a suitable configuration for the same.

Hope this helps

-VJ
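To make the design discussed above concrete (the outside subnet in only one process, as asked in the original question, and the default route loop via the core switch that VJ describes), here is an added example configuration for the 515 that is not from the thread or from any of the posters. The addresses are constructed placeholders, the command syntax is assumed to follow the PIX 6.3 OSPF command set, and the `distance ospf` setting is an assumed mitigation, not something the thread confirms.

```cisco
! Added example, not the poster's config. Addresses are constructed placeholders;
! syntax is assumed to match the PIX 6.3 OSPF commands (verify on the box).
! outside: 203.0.113.2/24 toward the edge router, inside: 192.0.2.1/24 toward the core switch

! Process 1 covers only the outside (DMZ) subnet. The edge router is the only
! neighbour here and is where the default route is meant to come from.
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0
 ! carry the inside prefixes outward; the inside subnet is not listed under
 ! "network" here, so it lives in exactly one process
 redistribute ospf 2 subnets
 log-adj-changes

! Process 2 covers only the inside subnet.
router ospf 2
 network 192.0.2.0 255.255.255.0 area 0
 ! carry prefixes learned from the edge router inward
 redistribute ospf 1 subnets
 ! a 0.0.0.0/0 route is not carried by "redistribute" (assumed, as on IOS);
 ! originate it here whenever a default is present in the routing table
 default-information originate
 ! The other PIX's default reaches this process as an external route through
 ! the core switch. Both defaults are external with distance 110, so the one
 ! installed last wins. Giving externals learned in the inside process a worse
 ! distance makes the edge router's default (process 1) the one that is installed.
 distance ospf external 120
 log-adj-changes
```

Apply the same pair of processes on the 525 so that either firewall prefers its own edge-router default and only falls back to the one relayed by the core switch when the outside adjacency is lost.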
