NAT issue - OSPF Stuck in EXSTART/BDR

sean-wilkinson
Level 1

Hi All,

I am hoping someone can help me with this problem because I am stumped.

I have two routers, R1 which is a 2821 and R2 which is a 1841, in a router-on-a-stick configuration.

I am trying to set up OSPF between the routers, but both routers are stuck with the neighbor status EXSTART/BDR.

I have done some research on this issue, and most of the time it is caused by an MTU mismatch on the router interfaces.

I have checked both routers' interfaces: they are both using an MTU of 1500 bytes, and I am not getting any MTU mismatch messages when I do a debug ip ospf adj.

Further to this, I have checked for MTU issues with ping x.x.x.x df-bit size 1500 on both routers.

I have narrowed the issue down to a problem with NAT. As soon as I remove "ip nat outside" from GigabitEthernet0/1 on R1, the issue disappears and the OSPF neighbor status changes from EXSTART/BDR to FULL/DR.

The strangest part about all this is that I was previously using a 2801 for R2 and had no issues at all. I have even tried a few different IOS versions to rule out any IOS bugs.

R1 Config

interface GigabitEthernet0/1
 ip address 10.60.133.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
end

interface Vlan1
 ip address 10.180.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

ip nat inside source route-map INTERNET interface GigabitEthernet0/0 overload
ip nat inside source route-map LAB interface GigabitEthernet0/1 overload

access-list 1 permit 10.0.0.0 0.255.255.255

route-map INTERNET permit 10
 match ip address 1
 match interface GigabitEthernet0/0

route-map LAB permit 10
 match ip address 1
 match interface GigabitEthernet0/1

router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface Vlan1
 network 10.60.133.1 0.0.0.0 area 0
 network 10.180.1.254 0.0.0.0 area 0

R2 Config

interface FastEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.60.133.6 255.255.255.248
end

router ospf 1
 log-adjacency-changes
 summary-address 10.48.0.0 255.240.0.0
 redistribute bgp 65133 subnets
 passive-interface default
 no passive-interface FastEthernet0/1.101
 network 10.60.133.6 0.0.0.0 area 0

Accepted Solution

Jon,

the IP address of R1's OSPF source interface is 10.60.133.1, so I think this one should be denied in ACL 1:

access-list 1 deny host 10.60.133.1
access-list 1 permit 10.0.0.0 0.255.255.255

Best regards

Rolf


8 Replies

Jon Marshall
Hall of Fame

Edit -

Sorry, I'm having one of those days.

Can you post full router config of R1 ?

Jon

Jon Marshall
Hall of Fame

Sean

Can you try this -

access-list 1 deny 10.60.133.6 0.0.0.0
access-list 1 permit 10.0.0.0 0.255.255.255

Jon


Rolf

That's what I originally suggested (before I edited the post). But I think the NAT is affecting the return traffic and not the outgoing traffic.

But I could well be wrong.

Jon

sean-wilkinson
Level 1

Thank you Jon and Rolf,

Modifying R1's access list 1 fixed the issue:

access-list 1 deny host 10.60.133.1
access-list 1 permit 10.0.0.0 0.255.255.255

or

access-list 1 permit 10.180.1.0 0.0.0.255

I didn't think traffic from or to the router would be affected by NAT.

Good learning experience for me

Sean
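To make the fix concrete, here is an added example (not code from the thread or from Cisco): a small Python model of IOS standard-ACL wildcard matching, run against the original access-list 1 and both of Sean's corrected versions. The NAT selection rule in nat_selects_packet is a deliberately simplified assumption about how "ip nat inside source route-map ... overload" picks up a packet leaving an "ip nat outside" interface; the LAN host address 10.180.1.10 is a constructed sample. The point it shows is that "permit 10.0.0.0 0.255.255.255" covers R1's own Gi0/1 address 10.60.133.1, so the router's OSPF hellos match the NAT route-map, while either corrected ACL leaves the LAN hosts permitted and the OSPF source out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    network: str   # dotted-quad base address
    wildcard: str  # Cisco wildcard mask: 0 bit = must match, 1 bit = don't care


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acl(lines: List[str]) -> List[AclEntry]:
    """Parse IOS 'access-list N permit|deny ...' lines (host / any / addr wildcard forms)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action = parts[2]
        if parts[3] == "host":
            entries.append(AclEntry(action, parts[4], "0.0.0.0"))
        elif parts[3] == "any":
            entries.append(AclEntry(action, "0.0.0.0", "255.255.255.255"))
        else:
            # A bare address with no wildcard is a host entry in IOS.
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            entries.append(AclEntry(action, parts[3], wildcard))
    return entries


def entry_matches(entry: AclEntry, addr: str) -> bool:
    care = ~_ip(entry.wildcard) & 0xFFFFFFFF   # the bits the entry actually tests
    return (_ip(addr) & care) == (_ip(entry.network) & care)


def acl_permits(acl: List[AclEntry], addr: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for entry in acl:
        if entry_matches(entry, addr):
            return entry.action == "permit"
    return False


def nat_selects_packet(acl: List[AclEntry], src: str, egress: str,
                       route_map_iface: str, nat_outside: List[str]) -> bool:
    """Simplified model (an assumption for this example, not IOS's real code path) of
    'ip nat inside source route-map X interface <egress> overload': the packet is picked
    up for translation when it leaves the interface the route-map matches, that interface
    is 'ip nat outside', and the source passes the route-map's ACL. Nothing here exempts
    router-originated packets, which is exactly what bit R1."""
    return (egress == route_map_iface and egress in nat_outside
            and acl_permits(acl, src))


# The three ACL variants from the thread.
ORIGINAL_ACL = parse_standard_acl(["access-list 1 permit 10.0.0.0 0.255.255.255"])
FIX_DENY_HOST = parse_standard_acl(["access-list 1 deny host 10.60.133.1",
                                    "access-list 1 permit 10.0.0.0 0.255.255.255"])
FIX_LAN_ONLY = parse_standard_acl(["access-list 1 permit 10.180.1.0 0.0.0.255"])

OSPF_SRC = "10.60.133.1"   # R1's Gi0/1 address, the OSPF hello source
LAN_HOST = "10.180.1.10"   # constructed sample: a host behind Vlan1


def report(acl: List[AclEntry]) -> dict:
    """For each source, would NAT (route-map LAB, egress Gi0/1) pick the packet up?"""
    outside = ["GigabitEthernet0/0", "GigabitEthernet0/1"]
    return {src: nat_selects_packet(acl, src, "GigabitEthernet0/1",
                                    "GigabitEthernet0/1", outside)
            for src in (OSPF_SRC, LAN_HOST)}


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL),
                      ("deny host", FIX_DENY_HOST),
                      ("LAN only", FIX_LAN_ONLY)):
        print(f"{name:10s} {report(acl)}")
```

The "LAN only" variant is the one to prefer on a production box: a NAT ACL that permits exactly the inside prefixes cannot accidentally grow to cover a transit or loopback address the router itself sources from, whereas the "deny host" form has to be revisited every time a new outside interface is added.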

Sean / Rolf

I should have stuck with my original ACL.

I didn't think traffic from or to the router would be affected by NAT

I didn't either, to be honest, and I'm still not sure exactly what the router is doing in this case.

Jon

Sean and Jon,

I didn't think traffic from or to the router would be affected by NAT

They have been showing that very special scenario in the Cisco Live presentation "BRKRST-3310 - Troubleshooting OSPF" for a couple of years now, otherwise I wouldn't either have known it.

A debug in a simple gns3 lab produced some interesting output:

Dec  2 15:46:00.379: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 10.60.133.1
Dec  2 15:46:00.379: NAT: map match INTERNET
Dec  2 15:46:00.379: NAT: translation failed (F), dropping packet s=10.60.133.1 d=224.0.0.5

Dec  2 15:45:45.595: OSPF: Rcv hello from 2.2.2.2 area 0 from FastEthernet0/0 10.60.133.6
Dec  2 15:45:45.599: OSPF: Send immediate hello to nbr 2.2.2.2, src address 10.60.133.6, on FastEthernet0/0
Dec  2 15:45:45.599: OSPF: Send hello to 10.60.133.6 area 0 on FastEthernet0/0 from 10.60.133.1
Dec  2 15:45:45.603: NAT: map match INTERNET
Dec  2 15:45:45.603: NAT: translation failed (E), dropping packet s=10.60.133.1 d=10.60.133.6

NAT error code (E) stands for "Inside to outside fails after routing", unfortunately I couldn't find out what (F) means. Probably it's something about the multicast destination address.

Thanks for the feedback,

best regards

Rolf
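Rolf's debug output is the signature to look for whenever an adjacency hangs in EXSTART on a NAT router. As an added example (not from the thread), the script below correlates interleaved "debug ip ospf hello" and "debug ip nat detailed" style lines: it pairs each NAT "translation failed ... dropping packet" line with the OSPF hello the router had just tried to send with the same source and destination, and records which NAT map claimed it. The sample input is the eight lines Rolf posted, embedded here as constructed test data; the regexes are written against those lines and are an assumption about the exact message format on other IOS releases.

```python
import re
from typing import Dict, List

# Debug lines as posted in the thread (constructed sample input for this example).
DEBUG_LINES = """\
Dec  2 15:46:00.379: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 10.60.133.1
Dec  2 15:46:00.379: NAT: map match INTERNET
Dec  2 15:46:00.379: NAT: translation failed (F), dropping packet s=10.60.133.1 d=224.0.0.5
Dec  2 15:45:45.595: OSPF: Rcv hello from 2.2.2.2 area 0 from FastEthernet0/0 10.60.133.6
Dec  2 15:45:45.599: OSPF: Send immediate hello to nbr 2.2.2.2, src address 10.60.133.6, on FastEthernet0/0
Dec  2 15:45:45.599: OSPF: Send hello to 10.60.133.6 area 0 on FastEthernet0/0 from 10.60.133.1
Dec  2 15:45:45.603: NAT: map match INTERNET
Dec  2 15:45:45.603: NAT: translation failed (E), dropping packet s=10.60.133.1 d=10.60.133.6
""".splitlines()

# Message formats assumed from the lines above.
OSPF_SEND = re.compile(r"OSPF: Send hello to (?P<dst>\S+) area \d+ on (?P<iface>\S+) from (?P<src>\S+)")
NAT_MAP = re.compile(r"NAT: map match (?P<map>\S+)")
NAT_DROP = re.compile(r"NAT: translation failed \((?P<code>\w)\), dropping packet s=(?P<src>\S+) d=(?P<dst>\S+)")


def find_nat_dropped_hellos(lines: List[str]) -> List[Dict[str, str]]:
    """Pair each NAT 'translation failed' drop with the OSPF hello the router just tried
    to send with the same src/dst, and record which NAT map claimed the packet."""
    findings = []
    pending: Dict[tuple, Dict[str, str]] = {}   # (src, dst) -> most recent hello with that pair
    last_map = None
    for line in lines:
        m = OSPF_SEND.search(line)
        if m:
            pending[(m["src"], m["dst"])] = {"iface": m["iface"], "src": m["src"], "dst": m["dst"]}
            continue
        m = NAT_MAP.search(line)
        if m:
            last_map = m["map"]
            continue
        m = NAT_DROP.search(line)
        if m and (m["src"], m["dst"]) in pending:
            hello = pending.pop((m["src"], m["dst"]))
            findings.append({**hello, "code": m["code"], "nat_map": last_map or "?"})
    return findings


def hello_sources_dropped(lines: List[str]) -> set:
    """The router-owned addresses whose hellos NAT is eating; these are the ones to
    exclude from the NAT ACL (or to keep out of it by permitting only inside prefixes)."""
    return {f["src"] for f in find_nat_dropped_hellos(lines)}


if __name__ == "__main__":
    for f in find_nat_dropped_hellos(DEBUG_LINES):
        print(f"{f['iface']}: hello {f['src']} -> {f['dst']} dropped by NAT map "
              f"{f['nat_map']} (code {f['code']})")
    print("fix the NAT ACL for:", sorted(hello_sources_dropped(DEBUG_LINES)))
```

Run it against a saved "show logging" or terminal capture; both the multicast hello (code F) and the unicast immediate hello (code E) come out attributed to the same map and the same router-owned source, which is the address the ACL has to stop permitting. Use the debugs sparingly on a live router: "debug ip nat detailed" logs every translated packet and can itself take a busy box down.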

Rolf

This is why I am confused:

NAT error code (E) stands for "Inside to outside fails after routing",

but the packet isn't coming from the inside interface, it's being sourced from the outside interface.

I thought NAT worked in that a packet arrives on the inside interface, matches the "ip nat inside" and the ACL defining what traffic to NAT, and then gets translated when it leaves the outside interface (with "ip nat outside"). In this case the packet being sourced by the router only leaves the outside interface, so I can't see how NAT gets involved.

Any thoughts/explanations ?

Jon
