Sophos XG: OSPF over RED connection drops

Hello everyone,

for some time we have been trying to exchange routes via OSPF between two SG 230 with firmware SFOS 18.5.1 MR-1-Build326 (XG) over a RED tunnel. The OSPF neighbors exchange the routes, but then the RED tunnel keeps disconnecting.

If I disable OSPF, the tunnel stays up.

What could the problem be?

We built it following this guide: support.sophos.com/.../KB-000038170

  • Hi Jorg, Thanks for reaching out to Sophos Community.

    This seems unusual, but can you check for a UDP flood on the device, as RED communicates over UDP? I am just assuming that the LSA exchanges might cause this over the UDP tunnel.

    If there's no flooding, check 'ospfd.log', 'red.log' and, if possible, 'zebra.log'.

    The logs can be found in the /log directory from the Advanced shell (Option 5 > Option 3).

    Devesh Mishra
    Global Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • Hi DeveshM,

    I couldn't determine a UDP flood; here are the logs:

    ospfd.log

    2021/11/26 12:50:06 OSPF: Packet[DD]: Neighbor 6.6.6.22: Initial DBD from Slave, ignoring.
    2021/11/26 12:50:06 OSPF: Packet[DD]: Neighbor 6.6.6.22 Negotiation done (Master).
    2021/11/26 12:50:06 OSPF: nsm_change_state(6.6.6.22, Loading -> Full): scheduling new router-LSA origination
    2021/11/26 12:50:12 OSPF: DR-Election[1st]: Backup 6.6.6.22
    2021/11/26 12:50:12 OSPF: DR-Election[1st]: DR     6.6.6.21
    2021/11/26 12:50:12 OSPF: DR-Election[1st]: Backup 6.6.6.22
    2021/11/26 12:50:12 OSPF: DR-Election[1st]: DR     6.6.6.21
    2021/11/26 12:51:22 OSPF: nsm_change_state(6.6.6.22, Full -> Deleted): scheduling new router-LSA origination
    2021/11/26 12:51:22 OSPF: DR-Election[1st]: Backup 0.0.0.0
    2021/11/26 12:51:22 OSPF: DR-Election[1st]: DR     6.6.6.21
    2021/11/26 12:51:46 OSPF: DR-Election[1st]: Backup 0.0.0.0
    2021/11/26 12:51:46 OSPF: DR-Election[1st]: DR     6.6.6.21
    2021/11/26 12:51:46 OSPF: Packet[DD]: Neighbor 6.6.6.22: Initial DBD from Slave, ignoring.
    2021/11/26 12:51:46 OSPF: Packet[DD]: Neighbor 6.6.6.22 Negotiation done (Master).
    2021/11/26 12:51:46 OSPF: nsm_change_state(6.6.6.22, Loading -> Full): scheduling new router-LSA origination
    2021/11/26 12:51:52 OSPF: DR-Election[1st]: Backup 6.6.6.22
    2021/11/26 12:51:52 OSPF: DR-Election[1st]: DR     6.6.6.21
    2021/11/26 12:51:52 OSPF: DR-Election[1st]: Backup 6.6.6.22
    2021/11/26 12:51:52 OSPF: DR-Election[1st]: DR     6.6.6.21
    2021/11/26 12:53:02 OSPF: nsm_change_state(6.6.6.22, Full -> Deleted): scheduling new router-LSA origination
    2021/11/26 12:53:02 OSPF: DR-Election[1st]: Backup 0.0.0.0
    2021/11/26 12:53:02 OSPF: DR-Election[1st]: DR     6.6.6.21
    2021/11/26 12:53:16 OSPF: DR-Election[1st]: Backup 0.0.0.0
    2021/11/26 12:53:16 OSPF: DR-Election[1st]: DR     6.6.6.21
    2021/11/26 12:53:16 OSPF: Packet[DD]: Neighbor 6.6.6.22: Initial DBD from Slave, ignoring.
    2021/11/26 12:53:16 OSPF: Packet[DD]: Neighbor 6.6.6.22 Negotiation done (Master).
    2021/11/26 12:53:16 OSPF: nsm_change_state(6.6.6.22, Loading -> Full): scheduling new router-LSA origination
    2021/11/26 12:53:22 OSPF: DR-Election[1st]: Backup 6.6.6.22
    2021/11/26 12:53:22 OSPF: DR-Election[1st]: DR     6.6.6.21
    2021/11/26 12:53:22 OSPF: DR-Election[1st]: Backup 6.6.6.22
    2021/11/26 12:53:22 OSPF: DR-Election[1st]: DR     6.6.6.21
    2021/11/26 12:54:32 OSPF: nsm_change_state(6.6.6.22, Full -> Deleted): scheduling new router-LSA origination

    red.log

    Fri Nov 26 12:47:19 2021 REDD INFO: Red devices: Connected: 1 Disconnected 0 Enabled: 1 Disabled: 0
    Fri Nov 26 12:48:23 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1
    Reading REDv2 key from STDIN:
    Reading REDv2 key from STDIN:
    Fri Nov 26 12:49:55 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1
    Reading REDv2 key from STDIN:
    Reading REDv2 key from STDIN:
    Fri Nov 26 12:51:38 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1
    Reading REDv2 key from STDIN:
    Reading REDv2 key from STDIN:
    Fri Nov 26 12:52:20 2021 REDD INFO: Red devices: Connected: 1 Disconnected 0 Enabled: 1 Disabled: 0
    Fri Nov 26 12:53:10 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1
    Reading REDv2 key from STDIN:
    Reading REDv2 key from STDIN:
    Fri Nov 26 12:54:42 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1
    Reading REDv2 key from STDIN:
    Reading REDv2 key from STDIN:
    Fri Nov 26 12:56:24 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1
    Reading REDv2 key from STDIN:
    Reading REDv2 key from STDIN:
    Fri Nov 26 12:57:21 2021 REDD INFO: Red devices: Connected: 0 Disconnected 1 Enabled: 1 Disabled: 0
    Fri Nov 26 12:57:57 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1
    Reading REDv2 key from STDIN:
    Reading REDv2 key from STDIN:
    Fri Nov 26 12:59:29 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1
    Reading REDv2 key from STDIN:
    Reading REDv2 key from STDIN:
    Fri Nov 26 13:01:01 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1
    Reading REDv2 key from STDIN:
    Reading REDv2 key from STDIN:
    Fri Nov 26 13:02:22 2021 REDD INFO: Red devices: Connected: 0 Disconnected 1 Enabled: 1 Disabled: 0
    Fri Nov 26 13:02:33 2021 REDD INFO: server: New connection from 109.41.130.59 with ID b9ab485b3368a48 (cipher AES256-SHA256), rev1
    Reading REDv2 key from STDIN:
    Reading REDv2 key from STDIN:
    

    zebra.log

    2021/10/13 10:44:47 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully
    2021/10/13 10:44:47 ZEBRA: Zebra 0.99.22 starting: vty@2709
    2021/10/13 10:44:47 ZEBRA: client 10 says hello and bids fair to announce only rip routes
    2021/10/13 10:44:47 ZEBRA: client 11 says hello and bids fair to announce only bgp routes
    2021/10/13 10:44:50 ZEBRA: client 13 says hello and bids fair to announce only ospf routes
    2021/10/13 11:37:07 ZEBRA: Terminating on signal
    2021/10/13 11:37:07 ZEBRA: IRDP: Received shutdown notification.
    2021/10/13 11:39:25 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully
    2021/10/13 11:39:25 ZEBRA: Zebra 0.99.22 starting: vty@2709
    2021/10/13 11:39:25 ZEBRA: client 10 says hello and bids fair to announce only bgp routes
    2021/10/13 11:39:35 ZEBRA: client 12 says hello and bids fair to announce only rip routes
    2021/10/13 11:40:23 ZEBRA: client 13 says hello and bids fair to announce only ospf routes
    2021/10/13 13:00:49 ZEBRA: Terminating on signal
    2021/10/13 13:00:49 ZEBRA: IRDP: Received shutdown notification.
    2021/10/13 13:02:19 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully
    2021/10/13 13:02:19 ZEBRA: Zebra 0.99.22 starting: vty@2709
    2021/10/13 13:02:19 ZEBRA: client 10 says hello and bids fair to announce only rip routes
    2021/10/13 13:02:19 ZEBRA: client 11 says hello and bids fair to announce only bgp routes
    2021/10/13 13:03:16 ZEBRA: client 13 says hello and bids fair to announce only ospf routes
    2021/10/13 14:28:49 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully
    2021/10/13 14:28:49 ZEBRA: Zebra 0.99.22 starting: vty@2709
    2021/10/13 14:28:49 ZEBRA: client 10 says hello and bids fair to announce only rip routes
    2021/10/13 14:28:49 ZEBRA: client 11 says hello and bids fair to announce only bgp routes
    2021/10/13 14:28:51 ZEBRA: client 13 says hello and bids fair to announce only ospf routes
    2021/10/14 08:02:48 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully
    2021/10/14 08:02:48 ZEBRA: Zebra 0.99.22 starting: vty@2709
    2021/10/14 08:02:48 ZEBRA: client 10 says hello and bids fair to announce only bgp routes
    2021/10/14 08:02:48 ZEBRA: client 12 says hello and bids fair to announce only rip routes
    2021/10/14 08:03:44 ZEBRA: client 13 says hello and bids fair to announce only ospf routes
    2021/10/14 15:00:31 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully
    2021/10/14 15:00:31 ZEBRA: Zebra 0.99.22 starting: vty@2709
    2021/10/14 15:00:31 ZEBRA: client 10 says hello and bids fair to announce only bgp routes
    2021/10/14 15:00:32 ZEBRA: client 12 says hello and bids fair to announce only rip routes
    2021/10/14 15:00:33 ZEBRA: client 13 says hello and bids fair to announce only ospf routes
    2021/10/14 15:27:22 ZEBRA: ####Applied static route successfully
    2021/10/14 16:33:04 ZEBRA: client 13 disconnected. 0 ospf routes removed from the rib
    2021/10/14 16:33:05 ZEBRA: client 13 says hello and bids fair to announce only ospf routes
    2021/10/30 15:42:59 ZEBRA: ####The file fd = 9, Added ZEBRA read thread successfully
    2021/10/30 15:42:59 ZEBRA: Zebra 0.99.22 starting: vty@2709
    2021/10/30 15:43:00 ZEBRA: client 10 says hello and bids fair to announce only bgp routes
    2021/10/30 15:43:03 ZEBRA: client 12 says hello and bids fair to announce only ospf routes
    2021/10/30 15:43:09 ZEBRA: client 13 says hello and bids fair to announce only rip routes
    2021/10/30 15:43:34 ZEBRA: ####Applied static route successfully
    

  • Hey Jorg, the logs seem normal apart from a disconnection log in red.log. Can you check whether there is a core dump or not?

    -> ls -lah /var/cores/

    Devesh Mishra
    Global Community Support Engineer | Sophos Technical Support
  • SG210_WP03_SFOS 18.5.1 MR-1-Build326# ls -lah /var/cores
    drwxrwxrwt    2 root     0           4.0K Oct 13 11:43 .
    drwxr-xr-x   36 root     0           4.0K Nov 27 02:49 ..

  • When the tunnel is re-established, it is initiated from the other side.
    Probably, when the routes arrive, they change the behaviour of the routing stack.

    What is your routing precedence, and when you push OSPF routes, how does the firewall that builds the RED connection then reach the other firewall?

  • The precedence is always set to:

    1. Static

    2. SD-WAN

    3. VPN

  • When you build the RED site-to-site and then enable OSPF, please compare the ip route output on the Advanced shell:

    ip r

  • Nothing changes at the RED route, nor at the internal routes:

    SG230_WP02_SFOS 18.5.1 MR-1-Build326# ip r
    6.6.6.20/30 dev reds1 proto kernel scope link src 6.6.6.22
    10.255.0.0/24 dev GuestAP proto kernel scope link src 10.255.0.1 linkdown
    172.16.40.0/24 dev PortE0 proto kernel scope link src 172.16.40.1
    172.17.0.0/24 dev PortE1 proto kernel scope link src 172.17.0.166
    SG230_WP02_SFOS 18.5.1 MR-1-Build326# ip r
    1.1.1.1 via 6.6.6.21 dev reds1 proto zebra metric 10
    6.6.6.0/29 via 6.6.6.21 dev reds1 proto zebra metric 10
    6.6.6.8/29 via 6.6.6.21 dev reds1 proto zebra metric 10
    6.6.6.16/29 via 6.6.6.21 dev reds1 proto zebra metric 10
    6.6.6.20/30 dev reds1 proto kernel scope link src 6.6.6.22
    6.6.6.24/29 via 6.6.6.21 dev reds1 proto zebra metric 10
    6.6.6.32/29 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.6.135.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.10.10.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.10.11.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.10.12.0/24 via 6.6.6.21 dev reds1 proto zebra metric 20
    10.10.20.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.18.32.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.20.10.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.50.1.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.50.10.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.51.1.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.81.234.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.110.0.0/16 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.112.129.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.242.2.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.243.2.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.244.2.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    10.255.0.0/24 dev GuestAP proto kernel scope link src 10.255.0.1 linkdown
    87.129.28.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    87.129.28.64/29 via 6.6.6.21 dev reds1 proto zebra metric 20
    147.204.30.17 via 6.6.6.21 dev reds1 proto zebra metric 10
    159.232.0.0/16 via 6.6.6.21 dev reds1 proto zebra metric 10
    172.16.1.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    172.16.10.0/29 via 6.6.6.21 dev reds1 proto zebra metric 21
    172.16.10.8/29 via 6.6.6.21 dev reds1 proto zebra metric 20
    172.16.40.0/24 dev PortE0 proto kernel scope link src 172.16.40.1
    172.17.0.0/24 dev PortE1 proto kernel scope link src 172.17.0.166
    172.20.20.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    172.30.10.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.0.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.52.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.53.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.55.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.56.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.63.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.100.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.143.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.144.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.145.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.146.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.148.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.150.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.152.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.153.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.155.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.156.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    192.168.170.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
    

  • I think I have found the problem: my dear colleague configured the wrong netmask for the WAN connection on our main Sophos.

    I will change it and see.

  • So even after the adjustment this still happens; via OSPF it receives the route to the external IP over which it connects via RED.
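As an added example (not part of the thread and not Sophos code), the following Python script models the situation the last post describes: once OSPF advertises a prefix that contains the public IP of the RED peer, the kernel's longest-prefix match sends the tunnel endpoint's own packets into the tunnel, so the tunnel collapses and is re-established. The script parses `ip r` output in the format shown above, resolves the peer address the way the kernel would (longest prefix, then lowest metric), flags that recursion, and shows that a /32 static route for the peer via the WAN keeps the endpoint out of the tunnel, because /32 wins on prefix length and static routes sit first in the precedence quoted in the thread. All addresses, the interface name PortB, the peer 203.0.113.10 and the function names `check_tunnel_peer` and `pin_peer_route` are constructed for this example; only `reds1` and the route-line format come from the thread.

```python
import ipaddress
import re

# Constructed sample `ip r` output in the same format the thread shows
# (kernel connected routes plus routes installed by zebra from OSPF).
# All addresses are made up for this example: 203.0.113.10 stands in for the
# public IP of the RED peer, PortB for the WAN interface, reds1 for the tunnel.
ROUTES_BEFORE_OSPF = """\
default via 198.51.100.1 dev PortB proto static
6.6.6.20/30 dev reds1 proto kernel scope link src 6.6.6.22
172.16.40.0/24 dev PortE0 proto kernel scope link src 172.16.40.1
198.51.100.0/24 dev PortB proto kernel scope link src 198.51.100.20
"""

# After OSPF comes up, the remote side also advertises the network that
# contains the RED peer's public IP, and zebra installs it via the tunnel.
ROUTES_AFTER_OSPF = ROUTES_BEFORE_OSPF + """\
10.10.10.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
203.0.113.0/24 via 6.6.6.21 dev reds1 proto zebra metric 10
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$"
)


def parse_routes(text):
    """Parse `ip route` lines into dicts: network, gateway, device, proto, metric."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised route line: {line!r}")
        dst = m.group("dst")
        # A bare host address such as 1.1.1.1 becomes a /32 network.
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        rest = m.group("rest")
        metric = re.search(r"\bmetric (\d+)", rest)
        proto = re.search(r"\bproto (\S+)", rest)
        routes.append({
            "net": net,
            "gw": m.group("gw"),
            "dev": m.group("dev"),
            "proto": proto.group(1) if proto else None,
            "metric": int(metric.group(1)) if metric else 0,
        })
    return routes


def lookup(routes, addr):
    """Longest-prefix match; equal prefix lengths are tie-broken by lowest metric."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def check_tunnel_peer(routes, peer_addr, tunnel_dev):
    """Return (route_used, recursive): recursive is True when the tunnel
    endpoint itself would be sent through the tunnel interface."""
    route = lookup(routes, peer_addr)
    recursive = route is not None and route["dev"] == tunnel_dev
    return route, recursive


def pin_peer_route(peer_addr, wan_gw, wan_dev):
    """Build a host (/32) static route line that keeps the peer on the WAN path.
    /32 is the longest possible prefix, so it beats any OSPF-learned network,
    and static routes come first in the precedence the thread quotes."""
    return f"{peer_addr} via {wan_gw} dev {wan_dev} proto static"


if __name__ == "__main__":
    peer, tunnel = "203.0.113.10", "reds1"
    for label, table in (("before OSPF", ROUTES_BEFORE_OSPF), ("after OSPF", ROUTES_AFTER_OSPF)):
        route, recursive = check_tunnel_peer(parse_routes(table), peer, tunnel)
        print(f"{label}: peer {peer} via dev {route['dev']} ({route['proto']}), recursive={recursive}")
    fixed = ROUTES_AFTER_OSPF + pin_peer_route(peer, "198.51.100.1", "PortB") + "\n"
    route, recursive = check_tunnel_peer(parse_routes(fixed), peer, tunnel)
    print(f"with pinned /32: peer via dev {route['dev']}, recursive={recursive}")
```

On a real box, feed the script the output of `ip r` captured with OSPF disabled and again with it enabled, together with the peer's public IP from red.log, and compare the two results; the same check confirms the alternative fix of keeping the WAN prefix out of the OSPF advertisement on the remote side, since the peer then resolves via the default route again.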