
OSPF Issue

Hello everyone,

I have configured two XG to set up a RED tunnel: an XG125 for the remote site and an XG330 for the central site.

The XG330 is interconnected to a Cisco LAN.

Then I configured OSPF between the XG330 and the Cisco LAN; this part is fine.

Then I configured OSPF between the XG330 and the XG125. So far the XG125 doesn't have any local network, so it doesn't send routes, but the output of the command sh ip os database displays every network I want.

So far I think I'm good, but when I do, from a remote workstation, ping RED_CLIENT_IP, it doesn't work.

A tcpdump on the XG125 displays the ICMP request from the workstation and an ARP request from the RED client for the workstation, which can't work because it is not in the same broadcast domain.

Does someone have any ideas?

Thanks for any help



  • Hi,

    Are you still impacted by this issue?

    I think I got the same issue. In my troubleshooting, I see with "route -n" in the "advanced shell" all the routes learned by OSPF in the two XG at each side of my RED tunnel in their kernel routing table, but without a gateway IP specified.

    If I put static routes in the configuration, all those routes are specified with a gateway in the kernel routing table, and traffic is working.

    Do you encounter the same problem?

    Thanks for your feedback.

    Emeric.

  • https://community.sophos.com/kb/en-us/125003

    The default OSPF route is shown in its routing table, but it is restricted from being added to the kernel routing table. If the admin wants to add the default OSPF route to the kernel, it has to be enabled manually from the CLI using the following custom commands.

  • Hi!

    Thanks for your answer, but my real issue is not a bad OSPF configuration, but an incomplete use of the information learned through OSPF in the kernel routing tables.

    The routes are learned as needed, but the kernel doesn't install their gateways.

    If I add static routes, the gateway parameters appear in the kernel routing table, and everything works...

    On the "branch" XG:

    XG125_XN03_SFOS 17.5.9 MR-9# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 0.0.0.0 0.0.0.0 U 1 0 0 reds1
    10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 Prod.190
    10.199.90.250 10.0.10.254 255.255.255.255 UGH 0 0 0 Prod.190
    10.250.10.0 0.0.0.0 255.255.255.0 U 0 0 0 Prod.110
    10.250.20.0 0.0.0.0 255.255.255.0 U 0 0 0 Prod.120
    10.250.30.0 0.0.0.0 255.255.255.0 U 0 0 0 Prod
    10.250.50.0 0.0.0.0 255.255.255.0 U 0 0 0 Prod.150
    10.250.60.0 0.0.0.0 255.255.255.0 U 0 0 0 Prod.160
    10.250.255.0 0.0.0.0 255.255.255.252 U 0 0 0 reds1
    10.250.255.4 0.0.0.0 255.255.255.252 U 0 0 0 reds2
    176.57.243.54 192.168.1.1 255.255.255.255 UGH 0 0 0 Prod.1000
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 Prod.1000

     

    ospf# show running-config

    Current configuration:
    !
    hostname ospf
    log stdout
    !
    !
    !
    interface Port1
    !
    interface Port2
    !
    interface Port3
    !
    interface Port4
    !
    interface Port5
    !
    interface Port6
    !
    interface Port7
    !
    interface Port8
    !
    interface Port9
    !
    interface Prod
    !
    interface Prod.110
    !
    interface Prod.120
    !
    interface Prod.150
    !
    interface Prod.160
    !
    interface Prod.190
    !
    interface Prod.191
    !
    interface Prod.1000
    !
    interface WWAN1
    !
    interface gre0
    !
    interface gretap0
    !
    interface imq0
    !
    interface imq1
    !
    interface ip6tnl0
    !
    interface ipsec0
    !
    interface lo
    !
    interface ppp0
    !
    interface reds1
    ip ospf network point-to-point
    ip ospf cost 1
    !
    interface reds2
    ip ospf network point-to-point
    ip ospf cost 10
    !
    interface sit0
    !
    router ospf
    ospf router-id 1.1.1.250
    ospf push-default-route-to-kernel
    redistribute connected
    network 10.250.255.0/30 area 0.0.250.1
    network 10.250.255.4/30 area 0.0.250.2
    distribute-list OSPF_Filter_Out out connected
    !
    access-list OSPF_Filter_Out permit 10.250.0.0/16
    !
    line vty
    no login
    !
    end

     

    ospf# sh ip ospf neighbor

    Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
    1.1.1.199 255 Full/DROther 35.695s 10.250.255.2 reds1:10.250.255.1 0 0 0
    1.1.1.199 255 Full/DROther 35.679s 10.250.255.6 reds2:10.250.255.5 0 0 0

     

    ospf# sh ip ospf database

    OSPF Router with ID (1.1.1.250)

    Router Link States (Area 0.0.250.1)

    Link ID ADV Router Age Seq# CkSum Link count
    1.1.1.199 1.1.1.199 167 0x8000000a 0xc7d3 2
    1.1.1.250 1.1.1.250 142 0x8000000a 0x86e2 2

    Router Link States (Area 0.0.250.2)

    Link ID ADV Router Age Seq# CkSum Link count
    1.1.1.199 1.1.1.199 1178 0x80000009 0x0c76 2
    1.1.1.250 1.1.1.250 1082 0x8000000a 0xc886 2

    AS External Link States

    Link ID ADV Router Age Seq# CkSum Route
    0.0.0.0 1.1.1.199 1168 0x8000008e 0x0b6e E2 0.0.0.0/0 [0x0]
    10.250.10.0 1.1.1.250 192 0x8000000a 0xeabd E2 10.250.10.0/24 [0x0]
    10.250.20.0 1.1.1.250 142 0x8000000a 0x7c22 E2 10.250.20.0/24 [0x0]
    10.250.30.0 1.1.1.250 122 0x8000000a 0x0e86 E2 10.250.30.0/24 [0x0]
    10.250.50.0 1.1.1.250 242 0x8000000a 0x314f E2 10.250.50.0/24 [0x0]
    10.250.60.0 1.1.1.250 152 0x8000000a 0xc2b3 E2 10.250.60.0/24 [0x0]

     

    ospf# sh ip ospf border-routers
    ============ OSPF router routing table =============
    R 1.1.1.199 [1] area: 0.0.250.1, ASBR
    directly attached to reds1
    [10] area: 0.0.250.2, ASBR
    directly attached to reds2

     

    ospf# sh ip ospf route
    ============ OSPF network routing table ============
    N 10.250.255.0/30 [1] area: 0.0.250.1
    directly attached to reds1
    N 10.250.255.4/30 [10] area: 0.0.250.2
    directly attached to reds2

    ============ OSPF router routing table =============
    R 1.1.1.199 [1] area: 0.0.250.1, ASBR
    directly attached to reds1
    [10] area: 0.0.250.2, ASBR
    directly attached to reds2

    ============ OSPF external routing table ===========
    N E2 0.0.0.0/0 [1/1] tag: 0 directly attached to reds1

     

    I have added the distribute-list to avoid exchanging the WAN link between the UTMs.

    The issue was already present before implementing this list.

    On the "core" XG:

    XG450_WP02_SFOS 17.5.9 MR-9# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    1.1.1.0 0.0.0.0 255.255.255.252 U 0 0 0 Port8
    10.0.0.0 10.199.90.254 255.0.0.0 UG 0 0 0 PROD.190
    10.10.200.0 0.0.0.0 255.255.255.0 U 0 0 0 PROD.141
    10.199.40.0 0.0.0.0 255.255.255.0 U 0 0 0 PROD
    10.199.50.0 0.0.0.0 255.255.255.0 U 0 0 0 PROD.150
    10.199.80.0 0.0.0.0 255.255.255.0 U 0 0 0 PROD.180
    10.199.81.0 0.0.0.0 255.255.255.0 U 0 0 0 PROD.181
    10.199.90.0 0.0.0.0 255.255.255.0 U 0 0 0 PROD.190
    10.199.250.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
    10.250.10.0 0.0.0.0 255.255.255.0 U 20 0 0 reds1
    10.250.20.0 0.0.0.0 255.255.255.0 U 20 0 0 reds1
    10.250.30.0 0.0.0.0 255.255.255.0 U 20 0 0 reds1
    10.250.50.0 0.0.0.0 255.255.255.0 U 20 0 0 reds1
    10.250.60.0 0.0.0.0 255.255.255.0 U 20 0 0 reds1
    10.250.255.0 0.0.0.0 255.255.255.252 U 0 0 0 reds1
    10.250.255.4 0.0.0.0 255.255.255.252 U 0 0 0 reds2
    172.16.0.0 10.199.90.254 255.240.0.0 UG 0 0 0 PROD.190
    176.57.243.48 0.0.0.0 255.255.255.248 U 0 0 0 PROD.1000
    192.168.0.0 10.199.90.254 255.255.0.0 UG 0 0 0 PROD.190
    192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 PROD.10
    192.168.20.0 192.168.10.1 255.255.255.0 UG 0 0 0 PROD.10
    192.168.28.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.119.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.120.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.128.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.129.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.134.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.136.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.142.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.149.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.152.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.156.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.163.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.202.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000
    192.168.205.0 176.57.243.49 255.255.255.0 UG 0 0 0 PROD.1000

    ospf# show running-config

    Current configuration:
    !
    hostname ospf
    log stdout
    !
    !
    !
    interface PROD
    !
    interface PROD.10
    !
    interface PROD.141
    !
    interface PROD.142
    !
    interface PROD.150
    !
    interface PROD.180
    !
    interface PROD.181
    !
    interface PROD.190
    !
    interface PROD.1000
    !
    interface Port1
    !
    interface Port2
    !
    interface Port3
    !
    interface Port4
    !
    interface Port5
    !
    interface Port6
    !
    interface Port7
    !
    interface Port8
    !
    interface Port9
    !
    interface Port10
    !
    interface gre0
    !
    interface gretap0
    !
    interface imq0
    !
    interface imq1
    !
    interface ip6tnl0
    !
    interface ipsec0
    !
    interface lo
    !
    interface reds1
    ip ospf network point-to-point
    ip ospf cost 1
    ip ospf priority 255
    !
    interface reds2
    ip ospf network point-to-point
    ip ospf cost 10
    ip ospf priority 255
    !
    interface sit0
    !
    interface tun0
    !
    router ospf
    ospf router-id 1.1.1.199
    network 10.250.255.0/30 area 0.0.250.1
    network 10.250.255.4/30 area 0.0.250.2
    default-information originate always
    !
    line vty
    no login
    !
    end

     

    ospf# sh ip ospf neighbor

    Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
    1.1.1.250 1 Full/DROther 38.232s 10.250.255.1 reds1:10.250.255.2 0 0 0
    1.1.1.250 1 Full/DROther 36.032s 10.250.255.5 reds2:10.250.255.6 0 0 0

     

    ospf# sh ip ospf database

    OSPF Router with ID (1.1.1.199)

    Router Link States (Area 0.0.0.250)

    Link ID ADV Router Age Seq# CkSum Link count
    1.1.1.199 1.1.1.199 188 0x800000b1 0x6baf 0

    Router Link States (Area 0.0.250.1)

    Link ID ADV Router Age Seq# CkSum Link count
    1.1.1.199 1.1.1.199 258 0x8000000a 0xc7d3 2
    1.1.1.250 1.1.1.250 234 0x8000000a 0x86e2 2

    Router Link States (Area 0.0.250.2)

    Link ID ADV Router Age Seq# CkSum Link count
    1.1.1.199 1.1.1.199 1268 0x80000009 0x0c76 2
    1.1.1.250 1.1.1.250 1175 0x8000000a 0xc886 2

    AS External Link States

    Link ID ADV Router Age Seq# CkSum Route
    0.0.0.0 1.1.1.199 1258 0x8000008e 0x0b6e E2 0.0.0.0/0 [0x0]
    10.250.10.0 1.1.1.250 284 0x8000000a 0xeabd E2 10.250.10.0/24 [0x0]
    10.250.20.0 1.1.1.250 234 0x8000000a 0x7c22 E2 10.250.20.0/24 [0x0]
    10.250.30.0 1.1.1.250 214 0x8000000a 0x0e86 E2 10.250.30.0/24 [0x0]
    10.250.50.0 1.1.1.250 334 0x8000000a 0x314f E2 10.250.50.0/24 [0x0]
    10.250.60.0 1.1.1.250 244 0x8000000a 0xc2b3 E2 10.250.60.0/24 [0x0]

     

    ospf# sh ip ospf route
    ============ OSPF network routing table ============
    N 10.250.255.0/30 [1] area: 0.0.250.1
    directly attached to reds1
    N 10.250.255.4/30 [10] area: 0.0.250.2
    directly attached to reds2

    ============ OSPF router routing table =============
    R 1.1.1.250 [1] area: 0.0.250.1, ASBR
    directly attached to reds1
    [10] area: 0.0.250.2, ASBR
    directly attached to reds2

    ============ OSPF external routing table ===========
    N E2 10.250.10.0/24 [1/20] tag: 0
    directly attached to reds1
    N E2 10.250.20.0/24 [1/20] tag: 0
    directly attached to reds1
    N E2 10.250.30.0/24 [1/20] tag: 0
    directly attached to reds1
    N E2 10.250.50.0/24 [1/20] tag: 0
    directly attached to reds1
    N E2 10.250.60.0/24 [1/20] tag: 0
    directly attached to reds1

     

     

    Regards, Emeric.

  • The routes are published as interface routes, not gateway routes.

    So I do not see an issue here? If you run ip r g on the XG HQ, it should show that it can reach the network behind reds1, which is correct, isn't it?
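    As an added illustration of the point above about interface routes versus gateway routes (this is not code from the thread, from Sophos or from Quagga), the script below parses the `route -n` and `sh ip ospf route` output formats quoted in this thread and reports, for each OSPF external prefix, whether the kernel holds it as an interface route (gateway 0.0.0.0, which is what a point-to-point RED link produces), as a gateway route, or not at all. The sample inputs are constructed excerpts of the outputs posted above, with one prefix deliberately left out of the kernel table.

```python
import re
from ipaddress import ip_network

# Constructed excerpt of the "core" XG `route -n` output quoted in the thread
KERNEL_ROUTES = """\
10.250.10.0 0.0.0.0 255.255.255.0 U 20 0 0 reds1
10.250.20.0 0.0.0.0 255.255.255.0 U 20 0 0 reds1
"""
# Constructed excerpt of `sh ip ospf route`; 10.250.30.0/24 is deliberately absent above
OSPF_EXTERNAL = """\
N E2 10.250.10.0/24 [1/20] tag: 0
directly attached to reds1
N E2 10.250.20.0/24 [1/20] tag: 0
directly attached to reds1
N E2 10.250.30.0/24 [1/20] tag: 0
directly attached to reds1
"""

def parse_kernel_routes(text):
    """Map each destination network to (gateway or None, iface) from route -n rows."""
    routes = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0][0].isdigit():  # skip the title/header lines
            dest, gw, mask, _flags, _metric, _ref, _use, iface = f
            net = ip_network(f"{dest}/{mask}", strict=False)
            routes[net] = (None if gw == "0.0.0.0" else gw, iface)
    return routes

def parse_ospf_external(text):
    """Map each OSPF external prefix to the interface Quagga resolved it on."""
    ext, current = {}, None
    for line in text.splitlines():
        m = re.match(r"N\s+E[12]\s+(\S+)\s+\[", line)
        if m:
            current = ip_network(m.group(1))
            continue
        m = re.match(r"(?:directly attached to|via \S+,)\s+(\S+)", line)
        if m and current is not None:
            ext[current] = m.group(1)
    return ext

def audit(kernel_text, ospf_text):
    """Classify each OSPF prefix as 'interface', 'gateway' or 'missing' in the kernel."""
    kernel, result = parse_kernel_routes(kernel_text), {}
    for net, iface in parse_ospf_external(ospf_text).items():
        entry = kernel.get(net)
        if entry is None or entry[1] != iface:
            result[str(net)] = "missing"    # OSPF knows it, kernel cannot forward to it
        elif entry[0] is None:
            result[str(net)] = "interface"  # 0.0.0.0 gateway: device route, normal on p2p RED
        else:
            result[str(net)] = "gateway"
    return result
```

    A prefix reported as "missing" on either side of the tunnel is the one to investigate first, since a device route without a gateway on a point-to-point interface is by itself not a fault.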

  • Hi Toni,

    Here is the requested output from the DC:

    XG450_WP02_SFOS 17.5.9 MR-9# ip r g 10.250.10.0

    10.250.10.0 dev reds1 src 10.250.255.2
    cache

    10.250.255.2 is the IP address of the only active RED interface on the branch XG, which means it is correct.

    But, in fact, I'm really impacted by a network issue:

    - If I stay with OSPF, I cannot see traffic in my RED tunnel during a packet capture (except the OSPF process), and real traffic doesn't work.

    - As soon as I set static routes at each side of the RED tunnel, I see all the traffic flow captured on this same RED tunnel, and everything is working.

    And when I set static routes, contrary to OSPF, the next hop appears in the gateway field of the "route -n" output. That's why I thought it was a result...

    For your information, I have opened a case with Support, #9574508 (configs and network diagrams provided).

    Regards, Emeric.

  • What is your route precedence? 

    https://community.sophos.com/kb/en-us/123610


  • console> system route_precedence show
    Default routing Precedence:
    1. Policy routes
    2. VPN routes
    3. Static routes