This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OSPF loses connection if "redistribute route" is enabled

Hello everyone,

I have two Sophos XG appliances up and running for a couple of years.

Both appliances are using a RED tunnel to connect to each other and routing is done via OSPF.

Currently I have added all local subnets to the "network & area" section which works so far without any issues.

During Christmas I played a bit around and had a look "Redistribute connected" which makes sense so I can clean up the network/area section.

Unfortunately if I tick that checkbox and remove all the routes I can ping the other router for 30, 40 secondes - then I have around 10 seconds of no connection and then it repeats.

Can someone guide me what I did wrong?

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 2 years ago in reply to Mathias Mühlbacher +1 verified

The issue could be related to the fact, that RED is "always online" (the interface at least). So the OSPF cannot differance between a hardware interface and red interfaces. And the route will be pushed…

Parents

0 Mathias Mühlbacher over 2 years ago

Okay it seems that the RED connection goes down - but not the OSPF routing?!

Strange..
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Mathias Mühlbacher

Is the OSPF connected via a static route? So does XG1 know the neighbor via static route? Maybe the RED tunnel cannot keep up.

PS: RED connects via 3400 and the data flows to XG2 via 3410. So if the initial packet (3400) is correct, because there is no OSPF, it can break, after the RED t unnel is established and the packets (3410) are routed differently? Check packet capture.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Mathias Mühlbacher over 2 years ago in reply to LuCar Toni

OSPF is not connected via static "route" - I have a dedicated subnet for the RED tunnel with a /30 subnet mask.

I can also see that XG 1 & 2 are exchanging routing information.

The RED tunnel does not drop instantly as soon as there is an OSPF traffic over it - but after a couple of seconds.

And what is also weird:

If OSPF networks are being setup manually and not via the "Redistribute connected" it works without any problem.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Mathias Mühlbacher

Can you verify it via tcpdump/packet capture? I guess, the routes changing and therefore the tunnel will drop.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Mathias Mühlbacher over 2 years ago in reply to LuCar Toni

Hmm that might be true - theoretically:

If I redistribute my local connected interfaces I would also push my external WAN IP into OSPF and XG2 would than try to route the RED tunnel through itself rather than via WAN.

Might the be true?
Cancel
Vote Up 0 Vote Down

Cancel
+1 LuCar Toni over 2 years ago in reply to Mathias Mühlbacher

The issue could be related to the fact, that RED is "always online" (the interface at least). So the OSPF cannot differance between a hardware interface and red interfaces. And the route will be pushed to the interfaces as well.

So try to setup a route (static) to the other end of RED. It should overwrite and work.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel
0 Mathias Mühlbacher over 2 years ago in reply to LuCar Toni

So static route

Target IP/netmask would be my external WAN IP on XG1

Gateway WAN

Interface RED

What that be right?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Mathias Mühlbacher

Do you use Default Originate flag in OSPF?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Mathias Mühlbacher over 2 years ago in reply to LuCar Toni

No
Cancel
Vote Up 0 Vote Down

Cancel
0 Mathias Mühlbacher over 2 years ago in reply to Mathias Mühlbacher

Okay your solution with a static route solved my issue!

For anyone reading this having same issues:

If the external WAN IP of primary Sophos is being distriubted via OSPF the 2nd Sophos will use it and triest to connect a RED tunnel within itself which makes it fail.

The solution is to add a static routing for the initial outgoing route:

Targe/netmaks = external WAN IP of Sophos 1.

Gateway = the WAN gateway of Sophos 2

Interface = WAN interface of Sophos 2
Cancel
Vote Up +1 Vote Down

Cancel

Reply

0 Mathias Mühlbacher over 2 years ago in reply to Mathias Mühlbacher

Okay your solution with a static route solved my issue!

For anyone reading this having same issues:

If the external WAN IP of primary Sophos is being distriubted via OSPF the 2nd Sophos will use it and triest to connect a RED tunnel within itself which makes it fail.

The solution is to add a static routing for the initial outgoing route:

Targe/netmaks = external WAN IP of Sophos 1.

Gateway = the WAN gateway of Sophos 2

Interface = WAN interface of Sophos 2
Cancel
Vote Up +1 Vote Down

Cancel

Children

No Data