OSPF Neighbor in Exchange/ state

GRANT3779 · ‎02-26-2014

Hi All,

I have an issue where on a point to point link (ipsec/gre tunnel) the OSPF state between the 2 routers is in Exchange and doesn't ever change.

Router A

192.168.40.1 0 EXCHANGE/ - 00:00:32 172.27.240.70 Tunnel 19

Router B

Neighbor ID Pri State Dead Time Address Interface

192.168.240.1 0 EXCHANGE/ - 00:00:31 172.27.240.69 Tunnel1

I ran a debug ip ospf events on router B and it comes back with the following.

What stands out I guess are:

Cannot see ourself in hello from 192.168.240.1 on Tunnel1, state INIT

NBR Negotiation Done. We are the SLAVE

I also have other P2P links with the sam setup (IPSEC/GRE) tunnels and they are in the FULL state.

001757: Feb 26 13:46:20.647: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001758: Feb 26 13:46:20.647: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001759: Feb 26 13:46:24.071: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001760: Feb 26 13:46:24.071: OSPF: End of hello processing

001761: Feb 26 13:46:30.819: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001762: Feb 26 13:46:30.819: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001763: Feb 26 13:46:34.312: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001764: Feb 26 13:46:34.312: OSPF: End of hello processing

001765: Feb 26 13:46:41.000: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001766: Feb 26 13:46:41.000: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001767: Feb 26 13:46:44.444: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001768: Feb 26 13:46:44.444: OSPF: Cannot see ourself in hello from 192.168.240.1 on Tunnel1, state INIT

001769: Feb 26 13:46:44.444: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1

001770: Feb 26 13:46:44.444: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001771: Feb 26 13:46:44.444: OSPF: End of hello processing

001772: Feb 26 13:46:48.840: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=61, sequence number=1064223

001773: Feb 26 13:46:51.072: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001774: Feb 26 13:46:51.072: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001775: Feb 26 13:46:54.524: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001776: Feb 26 13:46:54.524: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1

001777: Feb 26 13:46:54.524: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001778: Feb 26 13:46:54.524: OSPF: End of hello processing

001779: Feb 26 13:47:01.168: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001780: Feb 26 13:47:01.168: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001781: Feb 26 13:47:04.776: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001782: Feb 26 13:47:04.776: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1

001783: Feb 26 13:47:04.776: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001784: Feb 26 13:47:04.776: OSPF: End of hello processing

001785: Feb 26 13:47:11.316: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001786: Feb 26 13:47:11.316: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001787: Feb 26 13:47:14.872: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001788: Feb 26 13:47:14.872: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1

001789: Feb 26 13:47:14.872: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001790: Feb 26 13:47:14.872: OSPF: End of hello processing

001791: Feb 26 13:47:21.421: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001792: Feb 26 13:47:21.421: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001793: Feb 26 13:47:24.993: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001794: Feb 26 13:47:24.993: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1

001795: Feb 26 13:47:24.993: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001796: Feb 26 13:47:24.993: OSPF: End of hello processing

001797: Feb 26 13:47:31.565: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001798: Feb 26 13:47:31.565: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001799: Feb 26 13:47:35.573: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001800: Feb 26 13:47:35.573: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1

001801: Feb 26 13:47:35.573: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001802: Feb 26 13:47:35.573: OSPF: End of hello processing

001803: Feb 26 13:47:41.633: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001804: Feb 26 13:47:41.633: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001805: Feb 26 13:47:42.329: OSPF: Rcv DBD from 192.168.240.1 on Tunnel1 seq 0xD17 opt 0x52 flag 0x7 len 32 mtu 1400 state INIT

001806: Feb 26 13:47:42.329: OSPF: 2 Way Communication to 192.168.240.1 on Tunnel1, state 2WAY

001807: Feb 26 13:47:42.329: OSPF: Send DBD to 192.168.240.1 on Tunnel1 seq 0x107E opt 0x52 flag 0x7 len 32

001808: Feb 26 13:47:42.329: OSPF: NBR Negotiation Done. We are the SLAVE

001809: Feb 26 13:47:42.329: OSPF: Send DBD to 192.168.240.1 on Tunnel1 seq 0xD17 opt 0x52 flag 0x2 len 1052

001810: Feb 26 13:47:45.921: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001811: Feb 26 13:47:45.921: OSPF: End of hello processing

001812: Feb 26 13:47:48.909: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=61, sequence number=1094936

001813: Feb 26 13:47:51.833: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001814: Feb 26 13:47:51.833: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001815: Feb 26 13:47:56.025: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001816: Feb 26 13:47:56.025: OSPF: End of hello processing

001817: Feb 26 13:48:01.882: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001818: Feb 26 13:48:01.882: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001819: Feb 26 13:48:05.922: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001820: Feb 26 13:48:05.922: OSPF: End of hello processing

001821: Feb 26 13:48:12.046: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001822: Feb 26 13:48:12.046: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001823: Feb 26 13:48:16.030: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001824: Feb 26 13:48:16.030: OSPF: End of hello processing

001825: Feb 26 13:48:16.678: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/1: the fragment table has reached its maximum threshold 16

001826: Feb 26 13:48:22.102: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001827: Feb 26 13:48:22.102: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001828: Feb 26 13:48:26.102: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001829: Feb 26 13:48:26.102: OSPF: End of hello processing

001830: Feb 26 13:48:32.298: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001831: Feb 26 13:48:32.298: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001832: Feb 26 13:48:36.310: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001833: Feb 26 13:48:36.310: OSPF: End of hello processing

001834: Feb 26 13:48:42.506: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10

001835: Feb 26 13:48:42.506: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70

001836: Feb 26 13:48:46.379: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69

001837: Feb 26 13:48:46.379: OSPF: End of hello processing

Hitesh Vinzoda · ‎02-26-2014

Hi,

Try ip ospf ignore-mtu under the tunnel interface on both tunnel interfaces.

Also show ip ospf interface tuX output from routers shall help.

Thanks

Hitesh

GRANT3779 · ‎02-26-2014

Hi,

is the

ospf ignore-mtu command ok to use? I don't want to bring the tunnels down in any way.

See below.

From Router B

-01#show ip ospf interface tu1

Tunnel1 is up, line protocol is up

Internet Address 172.27.240.70/30, Area 18

Process ID 1, Router ID 192.168.40.1, Network Type POINT_TO_POINT, Cost: 11111

Transmit Delay is 1 sec, State POINT_TO_POINT

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

oob-resync timeout 40

Hello due in 00:00:00

Supports Link-local Signaling (LLS)

Cisco NSF helper support enabled

IETF NSF helper support enabled

Index 1/1, flood queue length 0

Next 0x0(0)/0x0(0)

Last flood scan length is 1, maximum is 22

Last flood scan time is 0 msec, maximum is 4 msec

Neighbor Count is 1, Adjacent neighbor count is 0

Suppress hello for 0 neighbor(s)

From Router A

N-01#show ip ospf interface tunnel 19

Tunnel19 is up, line protocol is up

Internet Address 172.27.240.69/30, Area 18

Process ID 1, Router ID 192.168.240.1, Network Type POINT_TO_POINT, Cost: 11111

Transmit Delay is 1 sec, State POINT_TO_POINT,

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

oob-resync timeout 40

Hello due in 00:00:09

Supports Link-local Signaling (LLS)

Index 1/9, flood queue length 0

Next 0x0(0)/0x0(0)

Last flood scan length is 1, maximum is 46

Last flood scan time is 4 msec, maximum is 220 msec

Neighbor Count is 1, Adjacent neighbor count is 0

Suppress hello for 0 neighbor(s)

Hitesh Vinzoda · ‎02-26-2014

That command is for OSPF only. Your tunnel condition to stay up is based on the endpoint reachability. The tunnel shall stay up.

also share the output for show int tuX

Thanks

Hitesh

JohnTylerPearce · ‎02-26-2014

001812: Feb 26 13:47:48.909: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=61, sequence number=1094936

You are obviously using IPSec over GRE. I agree with Hitesh. Verify you are using the same MTU value on both sides, but it looks like you are having a typical MTU issue during your Database Description Packet exchange, which is pretty common.

Although from looking at the below, it may be an IPSec issue.

001805: Feb 26 13:47:42.329: OSPF: Rcv DBD from 192.168.240.1 on Tunnel1 seq 0xD17 opt 0x52 flag 0x7 len 32 mtu 1400 state INIT

If you run a debug on the other side, do you see 1400 as well?

GRANT3779 · ‎02-26-2014

Hi There,

On looking at the Tunnel configs of each router I could see the only difference was one had

ip virtual-reassembly max-reassemblies 64

The other didn't.

I removed this and the full adjacency came up!

Cheers

JohnTylerPearce · ‎02-26-2014

Grant,

Virtual Reassembly is special IOS feature that allows the router to obtain full picture of a fragmented packet on the fly. When you activate virtual-reassembly on interface, using the command

ip virtual-reassembly

, IOS starts tracking all incoming fragmented packets. The code

delays fragmented packets until it receives all of them, or until the maximum reassembly timeout expires (there are some other thresholds, discussed below). After this, the router performs “virtual” datagram reassembly. Here “virtual” means the packet is not getting actually assembled into a single entity, but rather IOS views it as a whole for subsequent processing. If the router does not receive all fragments during the reassembly timeout, the incomplete packet is dropped.

There's a good defintiion if you are interesting. Glad you got it working!