Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1245
Views
0
Helpful
3
Replies

OSPF to Nokia Firewall

john.pepper
Level 1
Level 1

‎01-30-2008 02:45 AM - edited ‎03-03-2019 08:29 PM

Hi,

I'm trying to get a basic OSPF conneciton with a Nokia firewall and it's not getting passed the EXCHANGE state.

I've read around the issues with other vendor devices and tried turing off LLS using the 'ip ospf lls disable' command -and I've tried the 'ip ospf mtu-ignore' but still no joy, the neighbor state never gets passed the EXCHANGE state.

It seems as soon as the conversation gets passed the DOWN, INIT, EXSTART states (which I believe are all multicast) the two decices are unable to exhcange their DBD's.

Initially, the firewall guys weren't permitting multicast so we weren't getting anything. They managed to fix this so now we get further up the chain but still no FULL neighbor relationship.

My OSPF config is very basic as follows:

interface GigabitEthernet0/1

ip address x.x.x.x

ip ospf cost 1

duplex auto

speed auto

media-type rj45

router ospf 9001

log-adjacency-changes

network x.0.0.0 mask 0.0.0.255 area 0

so I think this may be a Firewall issue but just wondered if anyone had come across this issue with Nokia's.?

The Nokia devices are IP560's... running IPSO 4.1-BUILD016 and Firewall-1 NGX R62

Thanks in advance

John

Labels:
0 Helpful
3 Replies 3

Danilo Dy
VIP Alumni
VIP Alumni

‎01-30-2008 04:54 AM

Hi,

Check the firewall logs.

To make the OSPF works, beside configuring OSPF in IPSO Voyager, you need to allow the following.

Section Title:

- OSPF Rule!

Rule #:

- 1 (or before the STEALTH Rule if you have)

Source/Destination:

- Router Interface IP address connected to Nokia

- Router OSPF ID (optional but put it there anyway)

- Nokia Interface IP address connected to Router (preferably Nokia Gateway Object as this will select the IP address automatically)

- Nokia OSPF ID (optional but put it there anyway)

- OSPF IGP DR MCAST NET (224.0.0.6)

- OSPF IGP MCAST NET (224.0.0.5)

VPN:

- Any

Service:

- OSPF (IP Protocol 89)

- ICMP Echo Request (Type 8)

Action:

- Accept

Track:

- Log

Install On:

- Policy Targets (Nokia Gateway)

Time:

- Any

...install the policy!

Take note also of Topology. Check spoofing in the logs.

For Clustered setup, include the Cluster Object and Node Objects.

Regards,

Dandy

0 Helpful

cpubob
Level 1
Level 1

‎01-30-2008 07:25 AM

I have not done this in the past 2 years but I did setup a network a while back with IP330/440's running ospf with the rest of the network and it worked without issue. The question is weather its the firewall stopping it or ipso not playing well with regard to ospf.

I would try unloading the firewall module and see if ospf works when checkpoint is taken out of the equation. fw unload local (or whatever the current command is, my checkpoint cli is rusty) would unload the firewall module. If it works without the firewall, you've got a rules issues, if still not working, ospf on ipso isn't working right.

GL

-Rob

0 Helpful

john.pepper
Level 1
Level 1
In response to cpubob

‎03-07-2008 02:17 AM

Hi all and thanks for the helpful replies.

Just trying to be a good citizen here and let anyone who's interested know this issue is resolved and was a problem with the virtual address configuration on the Nokia's.

If you get the same problem get your firewall guy to look in that area or log a call with their TAC. It's not a Cisco routing issue.

Thanks

John

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card