OSPF to Nokia Firewall

Unanswered Question
Jan 30th, 2008

Hi,

I'm trying to get a basic OSPF connection with a Nokia firewall and it's not getting past the EXCHANGE state.

I've read around the issues with other vendor devices and tried turning off LLS using the 'ip ospf lls disable' command, and I've tried 'ip ospf mtu-ignore', but still no joy; the neighbor state never gets past the EXCHANGE state.

It seems as soon as the conversation gets past the DOWN, INIT, EXSTART states (which I believe are all multicast) the two devices are unable to exchange their DBDs.

Initially, the firewall guys weren't permitting multicast so we weren't getting anything. They managed to fix this so now we get further up the chain but still no FULL neighbor relationship.

My OSPF config is very basic as follows:

interface GigabitEthernet0/1
 ip address x.x.x.x
 ip ospf cost 1
 duplex auto
 speed auto
 media-type rj45

router ospf 9001
 log-adjacency-changes
 network x.0.0.0 mask 0.0.0.255 area 0

So I think this may be a firewall issue, but just wondered if anyone had come across this issue with Nokias?

The Nokia devices are IP560's... running IPSO 4.1-BUILD016 and Firewall-1 NGX R62

Thanks in advance

John

Danilo Dy Wed, 01/30/2008 - 04:54

Hi,

Check the firewall logs.

To make OSPF work, besides configuring OSPF in IPSO Voyager, you need to allow the following.

Section Title:

- OSPF Rule!

Rule #:

- 1 (or before the STEALTH Rule if you have one)

Source/Destination:

- Router Interface IP address connected to Nokia

- Router OSPF ID (optional but put it there anyway)

- Nokia Interface IP address connected to Router (preferably Nokia Gateway Object as this will select the IP address automatically)

- Nokia OSPF ID (optional but put it there anyway)

- OSPF IGP DR MCAST NET (224.0.0.6)

- OSPF IGP MCAST NET (224.0.0.5)

VPN:

- Any

Service:

- OSPF (IP Protocol 89)

- ICMP Echo Request (Type 8)

Action:

- Accept

Track:

- Log

Install On:

- Policy Targets (Nokia Gateway)

Time:

- Any

...install the policy!

Take note also of Topology. Check spoofing in the logs.

For a clustered setup, include the Cluster Object and Node Objects.

Regards,

Dandy
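
The rule described in this reply can be sanity-checked against the packets OSPF actually sends. The following is an added example, not part of the original thread: it models an accept rule as source/destination object lists and reports which OSPF flows on a broadcast segment it would not match. The addresses are constructed, the rule dictionaries are a hypothetical representation, and the Nokia is assumed to be the DR.

```python
import ipaddress

OSPF = 89  # IP protocol number, the rule's Service column

# Constructed addresses (documentation range), not values from the thread.
ROUTER, NOKIA = "192.0.2.1", "192.0.2.2"
ALL_SPF, ALL_DR = "224.0.0.5", "224.0.0.6"

# OSPF packets on a broadcast segment and their destinations (RFC 2328).
# Assumption: the Nokia is the DR, the router is a DROther.
FLOWS = [
    ("Hello", ROUTER, ALL_SPF),
    ("Hello", NOKIA, ALL_SPF),
    ("DBD", ROUTER, NOKIA),
    ("DBD", NOKIA, ROUTER),
    ("LS Request", ROUTER, NOKIA),
    ("LS Update", ROUTER, ALL_DR),
    ("LS Update", NOKIA, ALL_SPF),
    ("LS Update retransmit", NOKIA, ROUTER),
    ("LS Ack", ROUTER, ALL_DR),
]

def _covers(members, addr):
    """True if addr falls inside any host or network listed in members."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(m, strict=False) for m in members)

def dropped(rule, flows=FLOWS, proto=OSPF):
    """Return the flows that the accept rule does not match."""
    if proto not in rule["services"]:
        return list(flows)
    return [f for f in flows
            if not (_covers(rule["src"], f[1]) and _covers(rule["dst"], f[2]))]

# Hypothetical rule that only admits traffic to the multicast groups.
MULTICAST_ONLY = {"src": [ROUTER, NOKIA], "dst": [ALL_SPF, ALL_DR],
                  "services": {OSPF}}

# The rule as listed above: one object group used as source and destination.
GROUP = [ROUTER, NOKIA, ALL_SPF, ALL_DR]
FULL_RULE = {"src": GROUP, "dst": GROUP, "services": {OSPF}}

if __name__ == "__main__":
    for name, rule in (("multicast only", MULTICAST_ONLY), ("full rule", FULL_RULE)):
        missing = dropped(rule)
        print(name, "->", "all OSPF flows covered" if not missing else missing)
```

A rule that admits only the multicast groups leaves the unicast DBD, LS Request and retransmitted LS Update packets unmatched, which is why the interface addresses sit in the same rule as 224.0.0.5 and 224.0.0.6.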

cpubob Wed, 01/30/2008 - 07:25

I have not done this in the past 2 years but I did set up a network a while back with IP330/440's running ospf with the rest of the network and it worked without issue. The question is whether it's the firewall stopping it or ipso not playing well with regard to ospf.

I would try unloading the firewall module and see if ospf works when checkpoint is taken out of the equation. fw unload local (or whatever the current command is, my checkpoint cli is rusty) would unload the firewall module. If it works without the firewall, you've got a rules issue; if still not working, ospf on ipso isn't working right.

GL

-Rob

john.pepper Fri, 03/07/2008 - 02:17

Hi all and thanks for the helpful replies.

Just trying to be a good citizen here and let anyone who's interested know this issue is resolved and was a problem with the virtual address configuration on the Nokias.

If you get the same problem, get your firewall guy to look in that area or log a call with their TAC. It's not a Cisco routing issue.

Thanks

John
