OSPF hello and dead timer

Unanswered Question
Sep 10th, 2008

I have one cluster of Juniper firewalls in an OSPF routing domain with Cisco routers. A few weeks ago we put an inline Sourcefire IPS between the firewalls and the routers, and lately we see OSPF neighbor marked down on the firewalls, because of hello timeouts.

Our timers are 2 seconds for hello and 6 seconds for dead interval. My question is, are these timers too low? Has anybody experienced issues with OSPF with these kinds of timers?

Thanks.

akbindal Wed, 09/10/2008 - 07:17

Hi,


As we have put the IPS in inline mode, there can be 2 possibilities here:

1. Check the signatures and rules on the IPS to see whether it is allowing the OSPF hello packets to pass through in the first place between the Juniper firewalls and the Cisco routers.

2. Also, IPS devices are known to have latency through them. Try increasing the OSPF timers to probably the default values on the broadcast LAN interface and observe again.

As such, there is no known issue with lower timer values in OSPF.

You can also try taking debug ip ospf outputs to check whether hello packets are actually received at either end or at the Cisco routers' end.


HTH


Akhil
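
An added example, not part of the original thread: a Python sketch of the check suggested in the reply above, comparing hello arrival times captured on both sides of the inline IPS against the 2-second hello and 6-second dead interval from the question. The timestamps are constructed sample data and the function names are hypothetical.

```python
"""Classify OSPF hellos seen on both sides of an inline device and find
the moments at which the dead timer would expire on the receiving side."""

HELLO_INTERVAL = 2.0   # seconds, from the question
DEAD_INTERVAL = 6.0    # seconds, from the question


def match_hellos(sent, received, window=HELLO_INTERVAL):
    """Pair each hello seen before the inline device with the first unclaimed
    hello seen after it within `window` seconds. Hellos carry no sequence
    number here, so matching is by time only (assumes latency < window).
    Returns (latencies, missing)."""
    latencies, missing = [], []
    rx = sorted(received)
    i = 0
    for t in sorted(sent):
        # Skip receive-side packets that are older than this hello.
        while i < len(rx) and rx[i] < t:
            i += 1
        if i < len(rx) and rx[i] - t < window:
            latencies.append(round(rx[i] - t, 3))
            i += 1
        else:
            missing.append(t)  # dropped, or delayed by a full hello interval
    return latencies, missing


def dead_timer_expiries(received, dead=DEAD_INTERVAL):
    """The dead timer restarts on every received hello and fires `dead`
    seconds after the last one. Return each time it would have fired."""
    rx = sorted(received)
    return [round(prev + dead, 3)
            for prev, cur in zip(rx, rx[1:]) if cur - prev > dead]


# Constructed sample: capture timestamps (seconds) of hellos from one router,
# taken on the router side and on the firewall side of the inline IPS.
ROUTER_SIDE = [0.0, 2.0, 4.0, 6.0, 8.0, 10.0, 12.0, 14.0]
FIREWALL_SIDE = [0.004, 2.005, 4.3, 12.006, 14.004]  # 6, 8, 10 never arrive

if __name__ == "__main__":
    lat, lost = match_hellos(ROUTER_SIDE, FIREWALL_SIDE)
    print("max latency through device:", max(lat), "s")
    print("hellos not forwarded:", lost)
    print("neighbor declared down at:", dead_timer_expiries(FIREWALL_SIDE))
```

With a 2-second hello and 6-second dead interval, three consecutive hellos that are dropped or held back are enough to take the neighbor down, which is what the sample shows.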

