OSPF between a Cisco Router and a Checkpoint

Unanswered Question
Oct 11th, 2006

I am trying to establish OSPF between two Cisco routers and an HA-configured pair of Checkpoint firewalls that reside on the same LAN segment. The two routers form a good adjacency, but the routers will not form an adjacency to the Checkpoints. The neighbor status shows exstart/drother, then goes down, then comes back to exstart/drother. We have verified the MTU sizes and hello, dead, wait and retransmit times are the same. I am showing sent and received packets from the Checkpoints. Has anyone had this issue?


Thanks,

Jack

leonvd79 Wed, 10/11/2006 - 22:30
User Badges:
  • Silver, 250 points or more

Hello Jack,


Since the router is stuck in exstart stage, I suspect MTU.


Even though the MTUs of both systems match, I have seen adjacencies between Cisco switches and routers fail because of this.


Try the ip ospf ignore-mtu interface command, and see what happens.


Also try to disable link-local signalling between non-Cisco devices with the ip ospf lls disable interface command. This is recommended in case the device is not in compliance with RFC 2328.


HTH


--Leon


* Please rate ALL posts.

Harold Ritter Thu, 10/12/2006 - 03:24
User Badges:
  • Cisco Employee,

The Checkpoint FW probably doesn't support local link signaling (LLS), which is used for the support of NSF. Generally speaking, they should just ignore the extraneous information if they don't support it.


Fortunately, the following knob has been added to disable LLS on the IOS side to interoperate with other vendors not supporting LLS:


router ospf x
 no capability lls


Hope this helps,

kendallp Tue, 10/24/2006 - 18:43

Set the Checkpoint's OSPF to priority 0. I have Checkpoint on the Nokia platform and they are configured to never ever ever be the designated router. Let the routers be the designated router and life is much better.

jfarrer Tue, 11/14/2006 - 11:13

Working with the Checkpoint vendor, we found the issue. It was a firewall policy that was not allowing packets from the routers through to the firewalls. Following the Checkpoint documentation, the policy was only allowing the multicast addresses, not the specific router IP addresses.
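The thread ends with two candidate causes for an adjacency stuck in EXSTART: Leon's interface MTU mismatch and jfarrer's firewall policy that only permitted the OSPF multicast groups. The following Python model, added here as an illustration and not code from any poster or from Cisco or Checkpoint, walks the packet flows of adjacency formation on a broadcast segment against a hypothetical first-match firewall policy. The point it makes visible is why the original symptoms were misleading: Hellos are multicast to 224.0.0.5, so a multicast-only policy lets neighbours appear and packet counters climb, while the Database Description packets exchanged in EXSTART are unicast to the neighbour's interface address and are silently dropped. The addresses, rule format and the `mtu_ignore` switch (standing in for the router-side MTU-ignore knob Leon mentions) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Well-known OSPF multicast groups (RFC 2328). Hellos go to AllSPFRouters;
# the DBD/LSR/LSU packets of adjacency formation are unicast to the neighbour.
ALL_SPF_ROUTERS = "224.0.0.5"
ALL_D_ROUTERS = "224.0.0.6"


@dataclass(frozen=True)
class Rule:
    """One line of a hypothetical firewall policy (constructed for this example)."""
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    action: str   # "accept" or "drop"


@dataclass(frozen=True)
class OspfPacket:
    kind: str     # "hello", "dbd", "lsr", "lsu"
    src: str
    dst: str
    mtu: int = 0  # Interface MTU field; only carried in DBD packets


def policy_allows(rules: List[Rule], pkt: OspfPacket) -> bool:
    """First-match evaluation with an implicit final drop, as most firewalls do."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules:
        if src in ip_network(rule.src) and dst in ip_network(rule.dst):
            return rule.action == "accept"
    return False


def adjacency_outcome(rules: List[Rule], router_ip: str, fw_ip: str,
                      router_mtu: int, fw_mtu: int,
                      mtu_ignore: bool = False) -> Tuple[str, str]:
    """Replay the router -> firewall packets of adjacency formation through the
    firewall policy and return (neighbour state the router gets stuck in, reason)."""
    # 1. Hello, multicast. If the firewall never sees the router's Hello, its own
    #    Hellos never list the router, so the router stays in INIT.
    hello = OspfPacket("hello", router_ip, ALL_SPF_ROUTERS)
    if not policy_allows(rules, hello):
        return "INIT", "router Hello dropped; firewall Hellos never list the router"

    # 2. EXSTART: master/slave negotiation with Database Description packets,
    #    sent unicast to the neighbour's interface address, not to a multicast group.
    dbd = OspfPacket("dbd", router_ip, fw_ip, mtu=router_mtu)
    if not policy_allows(rules, dbd):
        return "EXSTART", "unicast DBD dropped; router retransmits DBD until the adjacency resets"

    # 3. RFC 2328 section 10.6: a DBD whose Interface MTU does not fit the receiving
    #    interface is rejected, so a mismatch also stalls in EXSTART unless ignored.
    if not mtu_ignore and router_mtu != fw_mtu:
        return "EXSTART", f"interface MTU mismatch ({router_mtu} vs {fw_mtu}); DBD rejected"

    return "FULL", "Hello and DBD accepted; database exchange can proceed"


# Constructed sample policies. The first mirrors the thread's finding: only the
# OSPF multicast groups are permitted, so neighbours show up but DBDs are dropped.
ROUTER_LAN = "10.1.1.0/24"
MULTICAST_ONLY = [
    Rule(ROUTER_LAN, f"{ALL_SPF_ROUTERS}/32", "accept"),
    Rule(ROUTER_LAN, f"{ALL_D_ROUTERS}/32", "accept"),
]
# Corrected policy: also accept OSPF unicast from the routers to the firewall itself.
FIXED_POLICY = MULTICAST_ONLY + [Rule(ROUTER_LAN, "10.1.1.254/32", "accept")]


if __name__ == "__main__":
    for label, rules in (("multicast only", MULTICAST_ONLY), ("fixed", FIXED_POLICY)):
        state, why = adjacency_outcome(rules, "10.1.1.1", "10.1.1.254", 1500, 1500)
        print(f"{label:15s} -> {state}: {why}")
    state, why = adjacency_outcome(FIXED_POLICY, "10.1.1.1", "10.1.1.254", 1500, 1400)
    print(f"{'mtu mismatch':15s} -> {state}: {why}")
```

Running it with the multicast-only policy reports EXSTART with a dropped unicast DBD, the fixed policy reaches FULL, and an MTU mismatch on the fixed policy falls back to EXSTART unless `mtu_ignore=True`. The useful defensive habit here is to check the policy against each OSPF packet type's actual destination address rather than only against the multicast groups the vendor documentation lists.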
