OSPF neighbor, preferred route problem

Unanswered Question
Jan 15th, 2008

I have the network shown in the attached file.

I have had problems with this in the past.

The default route is distributed from Verizon BGP into our Internet router OSPF domain then advertised to the rest of the network, as part of our failover scenario.

The PIX firewalls are configured with OSPF; the inside networks get the default route from the PIX.

Both PIX firewalls need to have the default route in the route table because they are doing entirely different things. Both firewalls' DMZs need to get to the Internet, have inside networks access their DMZ and fail over to DR Internet when HQ Internet is lost.

I am having trouble with the Edge router and Inside 6509 switch preferring the 515 firewall.

I want the Edge router to always use the routes from the 525 PIX for inside and the 6509 to always use the 525 for the default route unless it fails.

The 6509 is also using the PIX 515 as the next hop for Internet. Both PIX firewalls are directly connected to the 6509 in this drawing.

There is another 6509 downstairs that is a neighbor to the 6509 in this drawing, that is getting the default route from the 525 pix as I want.

Looking at the OSPF databases, they all are identical.

The edge router is forming adjacencies, but isn't the higher Neighbor ID supposed to be preferred? The Internet router is using the 515 firewall.

Internet Router:

Neighbor ID Pri State Dead Time Address Interface
192.168.2.1 1 FULL/DROTHER 00:00:32 2.2.2.3 FastEthernet0/0
192.168.1.1 1 FULL/BDR 00:00:39 2.2.2.2 FastEthernet0/0

The 6509 is also:

6509-#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
192.168.1.1 1 FULL/DROTHER 00:00:30 10.1.7.1 Vlan1
192.168.2.1 1 FULL/DROTHER 00:00:36 10.5.7.1 Vlan5

bjornarsb Wed, 01/16/2008 - 04:42

Hi,

As far as I understand you need to use:

ip ospf cost, to manipulate the routing cost on your interfaces.

Your current settings seem to be load-balancing with equal metric.

Neighbor ID is used only for DRouter selection, not route selection.

BR,

Bjornarsb

s.arunkumar Wed, 01/16/2008 - 05:19

To add to above..

here u should also remember that the router which comes first will become DR and the next BDR in the broadcast network. When a new router comes, even with high priority, it can't preempt to change DR/BDR. That's why u are seeing other routers with low RID as DR/BDR even when the router ID is higher for others.

I think as the above post says adjusting ospf cost is the solution..

wilson_1234_2 Wed, 01/16/2008 - 10:54

Thanks for the reply.

Since both PIX firewalls will be working independently, it was suggested to change the priority on both of them to "0" so they will not form adjacencies with the inside network and the Edge router.

What are your thoughts on this?

If I do this, would there be trouble in getting the default route to the inside from the Edge router?

s.arunkumar Wed, 01/16/2008 - 21:52

I would like to let you know, as the above posts say, DR/BDR has nothing to do with how the routes would be forwarded in a broadcast network. They are just for adjacency with all other routers and then flood the update from one neighbor to another neighbor in the broadcast network.

If u are going to make the PIX int priority 0, it just makes ur PIX ineligible for the DR/BDR election, that's all..

If u don't want to make adjacency, then both connected interfaces of the connected devices (point 2 point) of broadcast network type should have priority 0. Hence the neighbor will be stuck in 2-way state.

Additionally if u have so much doubt that these happen because of ur DR/BDR, u can just make all the broadcast interfaces "ip ospf network point-to-point" and then check. Here all would form adjacency with each other, and no DR/BDR..

arun

shrikar.dange Wed, 01/16/2008 - 22:23

hi

from your diagram there is a difference in configuration on both PIXs:

The PIX 525 and 515 are both running ospf 1 as well as ospf 2 processes on the 2.2.2.2 network. (The process id has significance only on the local router.) But the PIX 525 is redistributing those ospf 1 networks into ospf 2 with default information, whereas PIX 515 is not redistributing anything. Hence on the downstairs 6509 you can see the default route with 525 as next hop.

As all above posts say you need to adjust the costs of the path and pls check the config. The criteria for ospf route selection are as follows:

1)intra-area routes

2)inter-area routes

3)external type 1

4)external type 2

In my opinion the PIX 515 is being selected because it is sending routes as inter-area routes whereas on 525 they are external routes. (I am not sure on this, let's hear more)

HTH,

regards,

shri :)
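The route-selection order listed in the post above, applied to constructed candidate routes. This is an added example, not code from the thread or from any of its participants; the next-hop addresses are the ones from the poster's outputs, the candidate sets and costs are made up. It shows three things the post argues: two E2 defaults with equal external metric and equal cost to the ASBR are installed together (the upstairs 6509 behaviour), raising the external metric on one side leaves only the other, and an inter-area route beats an external route regardless of metric.

```python
"""Added example: OSPF route preference in the order intra-area < inter-area <
E1 < E2 (RFC 2328 section 16.4.1), then cost. For E2 routes the external metric
is compared first and the cost to the ASBR only breaks ties."""
from dataclasses import dataclass

TYPE_RANK = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    path_type: str   # a key of TYPE_RANK
    cost: int        # intra/inter/E1: full path cost; E2: the external metric only
    asbr_cost: int   # cost to reach the ASBR (used only as the E2 tie-break)
    next_hop: str


def sort_key(c: Candidate) -> tuple:
    """Smaller tuple = more preferred."""
    tie_break = c.asbr_cost if c.path_type == "E2" else 0
    return (TYPE_RANK[c.path_type], c.cost, tie_break)


def select(candidates):
    """Return {prefix: sorted next hops}. Candidates with an equal key are
    installed together, which is what an equal-cost pair in the RIB looks like."""
    by_prefix = {}
    for c in candidates:
        by_prefix.setdefault(c.prefix, []).append(c)
    table = {}
    for prefix, cands in by_prefix.items():
        best = min(sort_key(c) for c in cands)
        table[prefix] = sorted(c.next_hop for c in cands if sort_key(c) == best)
    return table


# Constructed scenario 1: both PIXs hand down the default as E2 metric 1 and the
# 6509 reaches both at the same cost -> two next hops, like the upstairs switch.
EQUAL = [
    Candidate("0.0.0.0/0", "E2", 1, 10, "10.5.7.1"),   # via PIX 525
    Candidate("0.0.0.0/0", "E2", 1, 10, "10.1.7.1"),   # via PIX 515
]

# Constructed scenario 2: the 515 side advertises the default with a higher
# external metric (the effect of a larger "default-information originate metric"),
# so only the 525 path survives.
METRIC_FIX = [
    Candidate("0.0.0.0/0", "E2", 1, 10, "10.5.7.1"),
    Candidate("0.0.0.0/0", "E2", 5, 10, "10.1.7.1"),
]

# Constructed scenario 3: the hypothesis in the post above. An inter-area route
# through the 515 beats an external route through the 525 despite a higher cost.
TYPE_BEATS_COST = [
    Candidate("10.20.0.0/16", "inter", 64, 0, "10.1.7.1"),
    Candidate("10.20.0.0/16", "E2", 1, 10, "10.5.7.1"),
]

if __name__ == "__main__":
    for name, cands in [("equal", EQUAL), ("metric_fix", METRIC_FIX),
                        ("type_beats_cost", TYPE_BEATS_COST)]:
        print(name, select(cands))
```

Scenario 3 is the reason the route type has to be checked before anyone touches interface costs: if one PIX really does inject the inside prefixes as inter-area routes and the other as externals, no `ip ospf cost` value on the external side can win.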

s.arunkumar Wed, 01/16/2008 - 22:49

That was a good point by shrikar..

Now also check ur configuration.. u have configured the network 2.2.2.0 in both ospf processes 1 and 2 on both PIXs.

remove that from ospf process 2 on both PIXs, and redistribute process 1 into 2 at PIX 515 (with default information originate). Now since u want 525 to be preferred, set the default cost of redistribution at 525 to a lower value than from 515.

For incoming routes to the inside network, u can do the same as above for ospf process 1 and adjust the cost of redistribution to prefer 525.

But isn't it better, instead of creating multiple processes and redistributing, to create multiple areas in one ospf domain and adjust the cost to prefer 525 for routes going out and in..???

any comments..

arun

wilson_1234_2 Thu, 01/17/2008 - 05:51

I appreciate both of your great replies.

The systems that are operating off of these PIX firewalls are very critical and downtime is minimal.

Also, it is very critical that the default route get distributed from the Edge router from the Provider BGP into our OSPF. That part is working.

I did not configure the firewalls, but I did see some notes that originally there was only one OSPF process and they could not get the default route distributed across the firewall.

Cisco TAC suggested the dual processes.

Here are the routes as they are in the core switches, the difference being that the upstairs switch is where the firewalls are connected, and the downstairs switch is trunked up to the upstairs switch.

But the interesting thing is that the 515 Firewall is not even in the route on the downstairs switch:

Upstairs Switch

O*E2 0.0.0.0/0 [110/1] via 10.5.7.1, 00:00:04, Vlan5
[110/1] via 10.1.7.1, 00:00:04, Vlan1

Downstairs switch

O*E2 0.0.0.0/0 [110/1] via 10.1.7.1, 2d10h, Vlan1

On adjusting the cost of redistribution, are you talking about adjusting the "cost" of the interface on the 515 firewall to something higher than the default so the 525 is preferred?

s.arunkumar Thu, 01/17/2008 - 20:24

Ok so that was done as the default route cannot cross the firewall...

Now can u check once again whether the config you provided us in the gif file above is correct or not.. As I said earlier, u have configured the 2.2.2.0 subnet on both ospf processes, and in 525 u have then done a redistribution also, but not in 515.

The upstairs switch is showing the default route via both PIXs. Now u said earlier that the default route will not cross the firewall and u also haven't done redistribution at 515, then how come two paths came for the default route here??? so pls check if the config u sent is right..

also, adjusting the cost of redistribution, I mean for the default route. By default, default information originate advertises the route with cost 1. Now try to manipulate the cost for the default route using "default information originate metric" and try to prefer via 525. For this first we need to know who is the originator of the default route via 515.

U can see this using "show ip ospf database external" at 6509.

arun :)

wilson_1234_2 Fri, 01/18/2008 - 06:39

I appreciate your great reply.

Please bear with me as I want to understand this completely.

After looking at the "show ip ospf database external" on the 6509, it looks like there is another router in play here, although I am not understanding exactly what I am looking at.

The below shows what looks like a default route passing to the 6509 directly from the Internet router:

Routing Bit Set on this LSA
LS age: 87
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 2.2.2.1
LS Seq Number: 80000095
Checksum: 0x4A8B
Length: 36
Network Mask: /0
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1
Forward Address: 0.0.0.0
External Route Tag: 1

I am assuming:

Link state ID = the route being advertised?

Advertising router = needs no explanation

Forward Address = What is 0.0.0.0 telling us?

External Route Tag = what is the significance?

I will get a more detailed drawing and with your kind help, I can understand exactly what is going on here.

The original gif file looks correct, but I will double check. There is also the router in the lower right of that gif file that looks as though it is the advertising router for most of the database.

Also, the default gateway is being distributed to the inside network, that is the problem. It looks like it is getting distributed by both firewalls and the inside is preferring the one I don't want.

Let me check everything and I will get back, please bear with me so I can understand what is going on.

wilson_1234_2 Fri, 01/18/2008 - 13:10

I have an updated drawing that is not really different as far as the configs go, I just added the 7206 router.

The 7206 router has a BVI interface in the same subnet as the 515 firewall and a physical interface in the same subnet as the 6509 SVI interface for the VLAN in that subnet.

From the looks of all of the databases, if I am reading them correctly, it looks like the 7206 router is the next hop for most of the routes.

They have the same routes, but the LS Seq Number and checksum number are different on them.

I do not see a default route at all via the 515 PIX.

Also,

I see most of the entries in the database as having a forwarding address of 0.0.0.0, the below was taken from the upstairs 6509:

Routing Bit Set on this LSA
LS age: 1623
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 2.2.2.1
LS Seq Number: 800000A1
Checksum: 0x3297
Length: 36
Network Mask: /0
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1
Forward Address: 0.0.0.0
External Route Tag: 1

s.arunkumar Sat, 01/19/2008 - 04:23

Hi

Is there only one output for the default route (0.0.0.0) when giving the cmd "sh ip ospf data external"???

Now here a lot of default routes are being injected into your ospf domain, so I think u should have got some more output there.. pls post that too..

Now let me answer ur doubts in above post regarding external lsa output..

Link state ID = the route being advertised

--- yes that's the route, here default

Advertising router = needs no explanation

-- :)

Forward Address = What is 0.0.0.0 telling us?

--- It means the forwarding address is the advertising router itself. Here 2.2.2.1

External Route Tag = what is the significance?

--- It's used to classify packets or to identify them, eg: when an ospf domain is separated by other routing protocols (hence where redistribution will be done) and to retain the same routes at the other end domain. I find no significance here..

Now let me tell u some behaviour for type 5 lsa..

When a type 5 lsa is received by a router inside the ospf domain, the router will look at the forwarding address for reachability. Here it's 2.2.2.1. Then it tries to find how it reaches there. In ur case I think the upstairs 6509 has reachability towards 2.2.2.1 via two equal paths, ie via 515 and 525, hence it shows two entries in the routing table.

Now I think your downstairs 6509 is preferring the default route originated by 525. Hence it is pointing towards only 525. But here again a confusion. As per dia. your downstairs 6509 is directly connected to upstairs and they are ospf neighbors. Then how come the default route next hop is 525, not the upstairs 6509??? Isn't it any layer3 link???

Now let's sort this out..

Can u just give me specifically the requirements u need for this setup?? With the little experience I've got let me try to give some suggestions in configuration to achieve it..
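A parser for the `show ip ospf database external` output discussed in the two posts above, applying the reading given there: Link State ID plus Network Mask is the external prefix, a Forward Address of 0.0.0.0 means the route resolves towards the advertising router, and a non-zero Forward Address is what the routing table must actually reach. This is an added example, not code from the thread. The first LSA in the sample is the one the original poster pasted; the second is constructed, with a made-up advertising router 192.168.9.9 and forward address 10.1.7.1, to exercise the other branch. The last function is the check a network defender would run on this data: list any originator of a 0.0.0.0/0 type-5 LSA that is not on the expected-ASBR list, since an unexpected default-route originator is exactly the "another router in play" situation the poster ran into.

```python
"""Added example: parse IOS 'show ip ospf database external' text and reduce
each type-5 LSA to the fields route selection depends on."""
import re

# Constructed sample: first record copied in shape from the thread, second made up.
SAMPLE = """\
Routing Bit Set on this LSA
LS age: 87
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 2.2.2.1
LS Seq Number: 80000095
Checksum: 0x4A8B
Length: 36
Network Mask: /0
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1
Forward Address: 0.0.0.0
External Route Tag: 1

LS age: 412
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 192.168.9.9
LS Seq Number: 80000003
Checksum: 0x1234
Length: 36
Network Mask: /0
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1
Forward Address: 10.1.7.1
External Route Tag: 0
"""

FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")


def parse_external(text):
    """Split the dump into one dict per LSA. A record starts at 'LS age:'; the
    'Routing Bit Set' line, when present, belongs to the record that follows it."""
    lsas, cur, routing_bit = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Routing Bit Set"):
            routing_bit = True
            continue
        m = FIELD.match(line)
        if not m:
            continue
        if m["key"] == "LS age":
            cur = {"routing_bit": routing_bit}   # True only if the router installed it
            routing_bit = False
            lsas.append(cur)
        if cur is not None:
            cur[m["key"]] = m["value"]
    return lsas


def summarize(lsa):
    """Reduce an LSA to what route selection needs."""
    prefix = lsa["Link State ID"].split()[0] + lsa["Network Mask"]
    adv = lsa["Advertising Router"]
    fwd = lsa["Forward Address"]
    return {
        "prefix": prefix,
        "asbr": adv,
        # 0.0.0.0 means "reach the advertising router"; otherwise reach the FA itself
        "resolve_via": adv if fwd == "0.0.0.0" else fwd,
        "metric_type": int(lsa["Metric Type"].split()[0]),
        "metric": int(lsa["Metric"]),
        "tag": int(lsa["External Route Tag"]),
        "in_routing_table": lsa["routing_bit"],
    }


def unexpected_default_originators(text, expected_asbrs):
    """Advertising routers of 0.0.0.0/0 type-5 LSAs that are not expected to
    originate a default. A non-empty result is worth an alert."""
    return sorted({s["asbr"] for s in map(summarize, parse_external(text))
                   if s["prefix"] == "0.0.0.0/0" and s["asbr"] not in expected_asbrs})


if __name__ == "__main__":
    for lsa in parse_external(SAMPLE):
        print(summarize(lsa))
    print("unexpected:", unexpected_default_originators(SAMPLE, {"2.2.2.1"}))
```

Running it against a real dump taken from the 6509 answers arun's question directly: every record whose prefix is 0.0.0.0/0 is one injected default, and `resolve_via` tells you which address the switch has to find a path to, which is where the two equal-cost entries come from when that address is reachable through both PIXs.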

s.arunkumar Sat, 01/19/2008 - 10:34

Hi

I just simulated your network (used two routers instead of PIX). Let me share what I got..

When I configured 2.2.2.0 under ospf processes 2 and 1 (as per ur config) the router corresponding to the 6509 was not getting networks redistributed from ospf 1.

Your configuration was working for me properly when I configured the 2.2.2.0 network under ospf process 1 only. The default route was taken via 525 (ie, had an entry in the routing table via 525 only).

Also, in my above post I missed mentioning a point regarding the route tag. The tag value is by default your ospf process id. So the external route tag you see is 1 (ie, the process id of the internet router, which is redistributing the default route).

I don't understand why the default route entry at the 6509 is the type 5 originated from the internet router, but not the type 5 originated at 525 for your network. This was working properly for me when I simulated the same..

How is your return traffic from the internet reaching your internal network?? The configuration you provided doesn't put a route for the internal network at the internet router !!!!!

arun

wilson_1234_2 Sat, 01/19/2008 - 11:04

I appreciate your replies.

The overall goal is to have the Default Route distributed from provider BGP into OSPF.

We need this to be dynamic so that when we lose the HQ Internet link, the Internet link from our DR side (distributed from the 7206 router with a higher AD) will take over and the HQ Internet path is then via DR.

There are two PIX firewalls because our main web server is in DMZ of 525 PIX and another department has a Web Server in 515 PIX. All user traffic to Internet goes through PIX 525, but both PIXs need to have Internet DG to be dynamic.

This was all working for the most part. I had had some trouble with the 515 PIX before, but rebooting it would straighten out the OSPF processes (I think there is an underlying problem with the OSPF config causing these problems).

I recently reset the upstairs 6509 switch blade, which has both 525 and 515 firewall inside interfaces. This caused the problem I now have.

The Internet router is getting inside routes from ospf, but for the most part, the only destination for outside traffic is the NATed addresses in the same subnet as the Internet router ethernet interface.

I do not understand either why the default route for 6509 is via Internet router and not PIX firewall.

The downstairs 6509 has a trunk to the upstairs 6509, the upstairs 6509 has both Firewall inside interfaces linked to ethernet ports in different VLANs.

s.arunkumar Sun, 01/20/2008 - 21:48

Hi

Ok got the requirement. As I mentioned earlier I simulated the network and it was working fine for me when removing the entry 2.2.2.0 from ospf process 2.

I believe ur setup was working properly and the resetting of the switch blade caused all the problem..

I know it's a live setup, but can u just try removing those entries from ospf process 2 and try to reset the ospf process on both PIXs. The reason I said this was, while I was simulating your network, once I got caught up in a situation where the default entry at a router (515) was taken via (525), ie it was learning the one originated via 525 (ie, via the ospf inside domain, process 2), but not via the internet router. It may be because ospf process 2 came up before 1.

I reset the ospf process with "clear ip ospf process" and then it was working properly for me..

I think more expert advice is also needed here to sort this out....... :)

As u mentioned, the whole config went this way because the default route does not cross the PIX. Can u just confirm if this is true..???

arun

wilson_1234_2 Mon, 01/21/2008 - 06:57

No that is not correct.

The default route does cross the PIXs (both of them).

The problem is that the upstairs 6509 is preferring the 515 PIX and I want it to prefer the 525 ALWAYS.

I appreciate your input.

s.arunkumar Mon, 01/21/2008 - 19:41

u didn't get what I mean...

I was mentioning abt what u said in one of the posts, that u read somewhere that running one ospf process had the problem of passing the default route through the PIX, and the TAC suggested going for two processes...

If the PIX can pass it then isn't it better to have one process in the PIX, hence one ospf domain for the internal network. For the 6509 just manipulate the cost via 525 to prefer it..??

arun

wilson_1234_2 Fri, 01/25/2008 - 08:15

I see,

Yes it is better to have a single process.

I want to move to that config.

I will see if it will work for me and let you know.
