OSPF on PIX

Unanswered Question
Jun 1st, 2006
We are running OSPF; we have PIX 525 protecting our server farm. OSPF process is running fine on PIX. PIX have established adjacencies with switches and routers on the same segment and show full neighbor relationships with all devices.


The problem is PIX is showing all the subnets in OSPF database received from other network devices, but no other network device is showing the IP subnets of server farms.

vladrac-ccna Fri, 06/02/2006 - 04:30
Hello,

So, I understand you have an advertisement issue from your PIX to the rest of your network.

There are many factors that could be causing issues like this, and it really depends on your settings.

How are you advertising these routes? Are you using network? Or redistributing (connected or static)? Are you a Border-Router?

Are there any kind of routing filters? distribute-list, route-maps?

Quoting:"

OSPF Neighbor Is Not Advertising Routes

The most common possible causes of this problem are as follows:

OSPF is not enabled on the interface that is supposed to be advertised.

The advertising interface is down.

The secondary interface is in a different area than the primary interface.


OSPF Neighbor (ABR) Not Advertising the Summary Route

The most common possible causes of this problem are as follows:

An area is configured as a totally stubby area.

An ABR is not connected to area 0.

A discontiguous area 0 exists.


OSPF Neighbor Is Not Advertising External Routes

The most common possible causes of this problem are as follows:

The area is configured as a stub or NSSA.

The NSSA ABR is not translating Type 7 into Type 5 LSA."



So, please give us more details of your network.

Hope this helps,

if it does please rate this post,

Vlad

umar-rana Sun, 06/04/2006 - 21:55

All interfaces belong to the same area, the advertising interface is outside, it cannot be down because all traffic is going through. I am also attaching the config of PIX for your review.

Both of these networks are directly connected to the PIX on layer 2.

router ospf 1
 network 172.16.1.0 255.255.255.0 area 101
 network 172.16.3.0 255.255.255.0 area 101
 network 172.16.103.0 255.255.255.0 area 101
 network 172.16.104.0 255.255.255.0 area 101
 router-id 192.168.255.84
 log-adj-changes

mahmoodmkl Sun, 06/04/2006 - 22:54

Hi

I think it's a security issue with the function of ASA. As your outside interface has a lower security level than the inside interface, for this to function I think you need to open the conduit to allow the traffic to come inside from a lower security interface to a higher security interface.


Thanks

Mahmood

umar-rana Sun, 06/04/2006 - 23:28

No Mahmood, because the PIX is getting all the external routes and the neighbors are established. It is not sending the internal networks out to other OSPF devices. All other traffic is fine.

See the show ospf nei output.

Neighbor ID     Pri State    Dead Time Address        Interface
192.168.255.83  1   FULL/BDR 0:00:35   172.16.103.249 outside
192.168.255.82  1   FULL/DR  0:00:34   172.16.103.250 outside

Fernando_Meza Sun, 06/04/2006 - 23:04

Can you please post the output of sh run | inc address?

umar-rana Sun, 06/04/2006 - 23:24

Please also note that other devices in the same area are showing the PIX in their neighbor list and the PIX is also showing them in its neighbor list.

Output of show run | inc address

ip address ccsrv 172.16.1.252 255.255.255.0
ip address intf2 172.16.104.252 255.255.255.0
ip address inside 172.16.3.252 255.255.255.0
ip address outside 172.16.103.252 255.255.255.0
failover ip address ccsrv 172.16.1.251
failover ip address intf2 172.16.104.251
failover ip address inside 172.16.3.251
failover ip address outside 172.16.103.251
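
Added example, not part of any post in this thread: a Python check for the first cause in the quoted list ("OSPF is not enabled on the interface that is supposed to be advertised"), run over the configuration lines posted above. It assumes the form shown in the posted config, where `network` takes a netmask; the function name `ospf_coverage` is hypothetical.

```python
import ipaddress
import re

# Constructed input: the "router ospf 1" network statements and the
# "ip address" lines copied from the posts above; failover lines left out.
POSTED_CONFIG = """\
router ospf 1
network 172.16.1.0 255.255.255.0 area 101
network 172.16.3.0 255.255.255.0 area 101
network 172.16.103.0 255.255.255.0 area 101
network 172.16.104.0 255.255.255.0 area 101
ip address ccsrv 172.16.1.252 255.255.255.0
ip address intf2 172.16.104.252 255.255.255.0
ip address inside 172.16.3.252 255.255.255.0
ip address outside 172.16.103.252 255.255.255.0
"""

NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\S+)\s*$")
ADDRESS_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def ospf_coverage(config):
    """Map each interface name to the OSPF area whose network statement
    contains its address, or None when no statement matches it."""
    statements, interfaces = [], {}
    for line in config.splitlines():
        m = NETWORK_RE.match(line)
        if m:
            # Assumption: the second field is a netmask, as in the posted config.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            statements.append((net, m.group(3)))
            continue
        m = ADDRESS_RE.match(line)
        if m:
            interfaces[m.group(1)] = ipaddress.ip_address(m.group(2))
    coverage = {}
    for name, addr in interfaces.items():
        # Prefer the most specific statement when several contain the address.
        matches = [(net.prefixlen, area) for net, area in statements if addr in net]
        coverage[name] = max(matches)[1] if matches else None
    return coverage

if __name__ == "__main__":
    for name, area in ospf_coverage(POSTED_CONFIG).items():
        print(f"{name}: {'area ' + area if area else 'NOT covered by OSPF'}")
```

On the posted lines, all four interfaces are matched by a network statement in area 101.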
