OSPF fails in EXSTART to Nokia from Cisco3750

Unanswered Question
Jul 9th, 2009
User Badges:

Hi There,


We are having issues getting OSPF up between a Nokia and a Cisco 3750. Basically stuck in EXSTART mode (see attachment).


NOKIA Interface is a Logical Interface (vlan) and OSPF MTU is 1500 same as on Cisco 3750.Firewall rule created to allow OSPF and multicast etc.


Any ideas ?


Thanks in advance.




  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (3 ratings)
Loading.
John Blakley Thu, 07/09/2009 - 06:03
User Badges:
  • Purple, 4500 points or more

What type of firewall do you have? Can you allow, for testing, all traffic (not just ospf and multicast) from the 10.0.0.1 to 10.0.0.2?


HTH,

John

Jim Bell Thu, 07/09/2009 - 06:23
User Badges:

Hi John,


FW is CP NGX R65 - not able to allow for any traffic at moment.


Harold Ritter Thu, 07/09/2009 - 08:28
User Badges:
  • Cisco Employee,

Jim,


Can you try configuring "no capability lls" under the ospf process. I have seen this as an issue with Nokia interoperability in the past. The Nokia should just ignore the lls information but it doesn't in certain level of code.


Just for your information LLS is used for graceful restart and is defined by RFC4813.


http://tools.ietf.org/html/rfc4813


Regards

Jim Bell Thu, 07/09/2009 - 23:29
User Badges:

Harold,


We tried that on the 3750 without success.


Jim.

Giuseppe Larosa Fri, 07/10/2009 - 01:37
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Jim,

from the log you have provided we see:


Jul 9 07:49:29.089: OSPF: Retransmitting DBD to 10.0.0.1 on vlan222 [1]

Jul 9 07:49:29.106: OSPF: Rcv DBD from 10.0.0.1 on vlan222 seq 0x4A559AE1 opt 0x2 flag 0x7 len 32 mtu 1500 state EXSTART

Jul 9 07:49:29.106: OSPF: First DBD and we are not SLAVE


it looks like the C3750 is disappointed of receiving a DBD from other side when it thinks to be the master in the exstart communication.


It is the master that should start to talk according to RFC2328 it looks like they don't agree on master role.


Hope to help

Giuseppe


Jim Bell Fri, 07/10/2009 - 02:24
User Badges:

Hi Guiseppe,


Thanks for the reply - it may well be an Ospf compatability issue. Found the following for our version of IPSO 4.2


IPSO 4.2

Table 33 Global Settings for OSPF Parameter Description

RFC1583 Compatibility This implementation of OSPF is based on RFC2178, which fixed some looping problems in an earlier specification of OSPF. If your implementation is running in an environment with OSPF implementations based on RFC1583 or earlier, enable RFC 1583 compatibility to ensure backwards compatibility.


We did try with RFC1583 compatabilty set on both ASA and Nokia with same results.


Jim.


Jim Bell Wed, 07/15/2009 - 09:07
User Badges:

Update - Issue now resolved.


Network capture indicated OSPF DBD packets were being delivered to the firewall interface, but no indication of this in the FW logs.


A FW stealth rule was silently dropping (& not logging) OSPF DBD packets directed to FW interface. OSPF rules moved to before stealth rule and all now working.


Thanks


Giuseppe Larosa Wed, 07/15/2009 - 11:39
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Jim,

you have been kind to provide the happy end of this story.


This makes this thread complete and useful.


Best Regards

Giuseppe


cisco24x7 Wed, 07/15/2009 - 12:24
User Badges:
  • Silver, 250 points or more

You can detect this problem using these methods:


1- Run tcpdump on the Nokia and look for proto 69.


2- run checkpoint "fw monitor" and you can see if the packet being dropped.

Actions

This Discussion