Hallo in die Runde
seit geraumer Zeit versuchen wir Routen via OSPF zwischen zwei SG 230 mit Firmware SFOS 18.5.1 MR-1-Build326 (XG)
über einen RED-Tunnel auszutauschen. die OSPF Nachbarn tauschen die Routen, jedoch disconnected dann ständig der RED-Tunnel.
deaktiviere ich OSPF, steht der Tunnel.
Was kann da das Problem sein?.
gebaut haben wir es nach dieser Anleitung: support.sophos.com/.../KB-000038170
Hi Jorg, Thanks for reaching out to Sophos Community.
This seems unusual but can you check for the UDP flood on the device as RED communicates over UDP. I am just assuming that the LSA exchanges might cause this over the UDP tunnel.
If there's no flooding, Check the 'ospfd.log', 'red.log' and if possible, 'zebra.log'.
Logs can be found in /log directory from Advanced shell (Option 5 > Option 3)
Hi DeveshM,
I couldn't determine the UDP flood, here are the logs
ospfd.log
2021/11/26 12:50:06 OSPF: Packet[DD]: Neighbor 6.6.6.22: Initial DBD from Slave, ignoring.
2021/11/26 12:50:06 OSPF: Packet[DD]: Neighbor 6.6.6.22 Negotiation done (Master).
2021/11/26 12:50:06 OSPF: nsm_change_state(6.6.6.22, Loading -> Full): scheduling new router-LSA origination
2021/11/26 12:50:12 OSPF: DR-Election[1st]: Backup 6.6.6.22
2021/11/26 12:50:12 OSPF: DR-Election[1st]: DR 6.6.6.21
2021/11/26 12:50:12 OSPF: DR-Election[1st]: Backup 6.6.6.22
2021/11/26 12:50:12 OSPF: DR-Election[1st]: DR 6.6.6.21
2021/11/26 12:51:22 OSPF: nsm_change_state(6.6.6.22, Full -> Deleted): scheduling new router-LSA origination
2021/11/26 12:51:22 OSPF: DR-Election[1st]: Backup 0.0.0.0
2021/11/26 12:51:22 OSPF: DR-Election[1st]: DR 6.6.6.21
2021/11/26 12:51:46 OSPF: DR-Election[1st]: Backup 0.0.0.0
2021/11/26 12:51:46 OSPF: DR-Election[1st]: DR 6.6.6.21
2021/11/26 12:51:46 OSPF: Packet[DD]: Neighbor 6.6.6.22: Initial DBD from Slave, ignoring.
2021/11/26 12:51:46 OSPF: Packet[DD]: Neighbor 6.6.6.22 Negotiation done (Master).
2021/11/26 12:51:46 OSPF: nsm_change_state(6.6.6.22, Loading -> Full): scheduling new router-LSA origination
2021/11/26 12:51:52 OSPF: DR-Election[1st]: Backup 6.6.6.22
2021/11/26 12:51:52 OSPF: DR-Election[1st]: DR 6.6.6.21
2021/11/26 12:51:52 OSPF: DR-Election[1st]: Backup 6.6.6.22
2021/11/26 12:51:52 OSPF: DR-Election[1st]: DR 6.6.6.21
2021/11/26 12:53:02 OSPF: nsm_change_state(6.6.6.22, Full -> Deleted): scheduling new router-LSA origination
2021/11/26 12:53:02 OSPF: DR-Election[1st]: Backup 0.0.0.0
2021/11/26 12:53:02 OSPF: DR-Election[1st]: DR 6.6.6.21
2021/11/26 12:53:16 OSPF: DR-Election[1st]: Backup 0.0.0.0
2021/11/26 12:53:16 OSPF: DR-Election[1st]: DR 6.6.6.21
2021/11/26 12:53:16 OSPF: Packet[DD]: Neighbor 6.6.6.22: Initial DBD from Slave, ignoring.
2021/11/26 12:53:16 OSPF: Packet[DD]: Neighbor 6.6.6.22 Negotiation done (Master).
2021/11/26 12:53:16 OSPF: nsm_change_state(6.6.6.22, Loading -> Full): scheduling new router-LSA origination
2021/11/26 12:53:22 OSPF: DR-Election[1st]: Backup 6.6.6.22
2021/11/26 12:53:22 OSPF: DR-Election[1st]: DR 6.6.6.21
2021/11/26 12:53:22 OSPF: DR-Election[1st]: Backup 6.6.6.22
2021/11/26 12:53:22 OSPF: DR-Election[1st]: DR 6.6.6.21
2021/11/26 12:54:32 OSPF: nsm_change_state(6.6.6.22, Full -> Deleted): scheduling new router-LSA origination
red.log
Fri Nov 26 12:47:19 2021 REDD INFO: Red devices: Connected: 1 Disconnected 0 Enabled: 1 Disabled: 0 Fri Nov 26 12:48:23 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1 Reading REDv2 key from STDIN: Reading REDv2 key from STDIN: Fri Nov 26 12:49:55 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1 Reading REDv2 key from STDIN: Reading REDv2 key from STDIN: Fri Nov 26 12:51:38 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1 Reading REDv2 key from STDIN: Reading REDv2 key from STDIN: Fri Nov 26 12:52:20 2021 REDD INFO: Red devices: Connected: 1 Disconnected 0 Enabled: 1 Disabled: 0 Fri Nov 26 12:53:10 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1 Reading REDv2 key from STDIN: Reading REDv2 key from STDIN: Fri Nov 26 12:54:42 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1 Reading REDv2 key from STDIN: Reading REDv2 key from STDIN: Fri Nov 26 12:56:24 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1 Reading REDv2 key from STDIN: Reading REDv2 key from STDIN: Fri Nov 26 12:57:21 2021 REDD INFO: Red devices: Connected: 0 Disconnected 1 Enabled: 1 Disabled: 0 Fri Nov 26 12:57:57 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1 Reading REDv2 key from STDIN: Reading REDv2 key from STDIN: Fri Nov 26 12:59:29 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1 Reading REDv2 key from STDIN: Reading REDv2 key from STDIN: Fri Nov 26 13:01:01 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1 Reading REDv2 key from STDIN: Reading REDv2 key from STDIN: Fri Nov 26 13:02:22 2021 REDD INFO: Red devices: Connected: 0 Disconnected 1 Enabled: 1 Disabled: 0 Fri Nov 26 13:02:33 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1 Reading REDv2 key from STDIN: Reading REDv2 key from STDIN:
zebra.log
2021/10/13 10:44:47 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully 2021/10/13 10:44:47 ZEBRA: Zebra 0.99.22 starting: vty@2709 2021/10/13 10:44:47 ZEBRA: client 10 says hello and bids fair to announce only rip routes 2021/10/13 10:44:47 ZEBRA: client 11 says hello and bids fair to announce only bgp routes 2021/10/13 10:44:50 ZEBRA: client 13 says hello and bids fair to announce only ospf routes 2021/10/13 11:37:07 ZEBRA: Terminating on signal 2021/10/13 11:37:07 ZEBRA: IRDP: Received shutdown notification. 2021/10/13 11:39:25 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully 2021/10/13 11:39:25 ZEBRA: Zebra 0.99.22 starting: vty@2709 2021/10/13 11:39:25 ZEBRA: client 10 says hello and bids fair to announce only bgp routes 2021/10/13 11:39:35 ZEBRA: client 12 says hello and bids fair to announce only rip routes 2021/10/13 11:40:23 ZEBRA: client 13 says hello and bids fair to announce only ospf routes 2021/10/13 13:00:49 ZEBRA: Terminating on signal 2021/10/13 13:00:49 ZEBRA: IRDP: Received shutdown notification. 2021/10/13 13:02:19 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully 2021/10/13 13:02:19 ZEBRA: Zebra 0.99.22 starting: vty@2709 2021/10/13 13:02:19 ZEBRA: client 10 says hello and bids fair to announce only rip routes 2021/10/13 13:02:19 ZEBRA: client 11 says hello and bids fair to announce only bgp routes 2021/10/13 13:03:16 ZEBRA: client 13 says hello and bids fair to announce only ospf routes 2021/10/13 14:28:49 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully 2021/10/13 14:28:49 ZEBRA: Zebra 0.99.22 starting: vty@2709 2021/10/13 14:28:49 ZEBRA: client 10 says hello and bids fair to announce only rip routes 2021/10/13 14:28:49 ZEBRA: client 11 says hello and bids fair to announce only bgp routes 2021/10/13 14:28:51 ZEBRA: client 13 says hello and bids fair to announce only ospf routes 2021/10/14 08:02:48 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully 2021/10/14 08:02:48 ZEBRA: Zebra 0.99.22 starting: vty@2709 2021/10/14 08:02:48 ZEBRA: client 10 says hello and bids fair to announce only bgp routes 2021/10/14 08:02:48 ZEBRA: client 12 says hello and bids fair to announce only rip routes 2021/10/14 08:03:44 ZEBRA: client 13 says hello and bids fair to announce only ospf routes 2021/10/14 15:00:31 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully 2021/10/14 15:00:31 ZEBRA: Zebra 0.99.22 starting: vty@2709 2021/10/14 15:00:31 ZEBRA: client 10 says hello and bids fair to announce only bgp routes 2021/10/14 15:00:32 ZEBRA: client 12 says hello and bids fair to announce only rip routes 2021/10/14 15:00:33 ZEBRA: client 13 says hello and bids fair to announce only ospf routes 2021/10/14 15:27:22 ZEBRA: ####Applied static route successfully 2021/10/14 16:33:04 ZEBRA: client 13 disconnected. 0 ospf routes removed from the rib 2021/10/14 16:33:05 ZEBRA: client 13 says hello and bids fair to announce only ospf routes 2021/10/30 15:42:59 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully 2021/10/30 15:42:59 ZEBRA: Zebra 0.99.22 starting: vty@2709 2021/10/30 15:43:00 ZEBRA: client 10 says hello and bids fair to announce only bgp routes 2021/10/30 15:43:03 ZEBRA: client 12 says hello and bids fair to announce only ospf routes 2021/10/30 15:43:09 ZEBRA: client 13 says hello and bids fair to announce only rip routes 2021/10/30 15:43:34 ZEBRA: ####Applied static route successfully
SG210_WP03_SFOS 18.5.1 MR-1-Build326# ls -lah /var/cores drwxrwxrwt 2 root 0 4.0K Oct 13 11:43 . drwxr-xr-x 36 root 0 4.0K Nov 27 02:49 ..
Wenn der Tunnel neu aufgebaut wird, wird er von der anderen Seite inititiert.
Wahrscheinlich, wenn die Routen kommen, verändern Sie das verhalten des Routing Stacks.
Was ist deine Routing Precedence und wenn du OSPF Routen pushst, wie erreich dann die Firewall, die die RED Verbindung aufbaut, die andere Firewall?
__________________________________________________________________________________________________________________
die precedence steht immer auf
1. Staic
2. SD-WAN
3. VPN
Wenn du RED Site to Site aufbaust und dann OSPF aktivierst, vergleiche bitte auf der Advanced shell den ip route output.
ip r
__________________________________________________________________________________________________________________
an der RED Route ändert sich nichts auch an den internen routen nicht
SG230_WP02_SFOS 18.5.1 MR-1-Build326# ip r 6.6.6.20/30 dev reds1 proto kernel scope link src 6.6.6.22 10.255.0.0/24 dev GuestAP proto kernel scope link src 10.255.0.1 linkdown 172.16.40.0/24 dev PortE0 proto kernel scope link src 172.16.40.1 172.17.0.0/24 dev PortE1 proto kernel scope link src 172.17.0.166
SG230_WP02_SFOS 18.5.1 MR-1-Build326# ip r 1.1.1.1 via 6.6.6.21 dev reds1 proto zebra metric 10 6.6.6.0/29 via 6.6.6.21 dev reds1 proto zebra metric 10 6.6.6.8/29 via 6.6.6.21 dev reds1 proto zebra metric 10 6.6.6.16/29 via 6.6.6.21 dev reds1 proto zebra metric 10 6.6.6.20/30 dev reds1 proto kernel scope link src 6.6.6.22 6.6.6.24/29 via 6.6.6.21 dev reds1 proto zebra metric 10 6.6.6.32/29 via 6.6.6.21 dev reds1 proto zebra metric 10 10.6.135.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.10.10.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.10.11.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.10.12.0/24 via 6.6.6.21 dev reds1 proto zebra metric 20 10.10.20.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.18.32.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.20.10.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.50.1.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.50.10.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.51.1.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.81.234.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.110.0.0/16 via 6.6.6.21 dev reds1 proto zebra metric 10 10.112.129.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.242.2.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.243.2.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.244.2.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 10.255.0.0/24 dev GuestAP proto kernel scope link src 10.255.0.1 linkdown 87.129.28.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 87.129.28.64/29 via 6.6.6.21 dev reds1 proto zebra metric 20 147.204.30.17 via 6.6.6.21 dev reds1 proto zebra metric 10 159.232.0.0/16 via 6.6.6.21 dev reds1 proto zebra metric 10 172.16.1.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 172.16.10.0/29 via 6.6.6.21 dev reds1 proto zebra metric 21 172.16.10.8/29 via 6.6.6.21 dev reds1 proto zebra metric 20 172.16.40.0/24 dev PortE0 proto kernel scope link src 172.16.40.1 172.17.0.0/24 dev PortE1 proto kernel scope link src 172.17.0.166 172.20.20.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 172.30.10.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.0.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.52.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.53.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.55.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.56.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.63.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.100.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.143.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.144.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.145.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.146.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.148.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.150.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.152.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.153.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.155.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.156.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10 192.168.170.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
Ich glaube das Problem gefunden zu haben, mein lieber Kollege hat die falsche Netzmaske in unserer Haupt-Sophos für den WANanschluss konfiguriert.
werde den dann mal ändern und schauen.
also trotz Anpassung passiert das noch, via OSPF bekommt er ja die Route zur externen IP, über der er sich via RED verbindet