Routing

last person joined: yesterday 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  OSPF packet ignored: netmask 0.0.0.0 mismatch

    Posted 09-15-2014 02:13

    Hi,

     

    I'm running OSPF over IPSEC VPN between a few sites. This is a multipoint VPN with 1 SRX1400 (HA cluster) and 7 SRX210. Everything is running 12.1X44-D35.5. I configured everything a few weeks ago and it has been running great until a few days ago. One of the branch SRX's was rebooted, the VPN came up, but OSPF didn't work.

     

    So I started to look at the log on the SRX1400 and found the following after enabling traceoptions for OSPF:

     

    Sep 15 11:48:49.758419 OSPF rcvd Hello 10.22.22.165 -> 224.0.0.5 (st0.0 IFL 83 area 0.0.0.0)
    Sep 15 11:48:49.758454 Version 2, length 44, ID 192.168.22.107, area 0.0.0.0
    Sep 15 11:48:49.758484 checksum 0x0, authtype 2
    Sep 15 11:48:49.758516 mask 0.0.0.0, hello_ivl 10, opts 0x12, prio 128
    Sep 15 11:48:49.758546 dead_ivl 40, DR 0.0.0.0, BDR 0.0.0.0
    Sep 15 11:48:49.758583 OSPF restart signaling: Received hello with LLS data from nbr ip=10.22.22.165 id=192.168.22.107.
    Sep 15 11:48:49.758617 OSPF packet ignored: netmask 0.0.0.0 mismatch from 10.22.22.165 on intf st0.0 area 0.0.0.0

     Um, netmask mismatch. Odd. I checked the configuration on the SRX210 and compared it to the configuration on the SRX1400, but the netmasks do match.

     

    The SRX210 (10.22.22.165) is apparently sending Hello's but the SRX1400 (10.22.22.161) ignores them and the OSPF adjacency is never formed.

     

    So we tried to reboot a different SRX210, and boom, same issue. 😞

     

    I found the following Juniper KB article, but it won't help me much: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23533&actp=RSS

     

    I've included the relevant configuration from the SRX1400 and the SRX210 below for reference. Can anyone see what we've done wrong?

     

    SRX1400

    version 12.1X44-D35.5;
    system {
        host-name SRX1400;
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    chassis {
        cluster {
            control-link-recovery;
            reth-count 3;
            redundancy-group 0 {
                node 0 priority 254;
                node 1 priority 1;
            }
            redundancy-group 1 {
                node 0 priority 254;
                node 1 priority 1;
                interface-monitor {
                    ge-0/0/6 weight 255;
                    ge-4/0/6 weight 255;
                    xe-0/0/7 weight 255;
                    xe-4/0/7 weight 255;
                    ge-2/0/0 weight 255;
                    ge-6/0/0 weight 255;
                }
            }
        }
    }
    interfaces {
        ge-0/0/6 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        xe-0/0/7 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        ge-2/0/0 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-4/0/6 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        xe-4/0/7 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        ge-6/0/0 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/0;
                    ge-0/0/1;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-4/0/0;
                    ge-4/0/1;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.22.240/32;
                }
            }
        }
        reth0 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address EXTERNAL-IP/26
                }
            }
        }
        reth1 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 10.22.22.2/30;
                }
            }
        }
        reth2 {
            redundant-ether-options {
                redundancy-group 1;
            }
        }
        st0 {
            unit 0 {
                multipoint;
                family inet {
                    address 10.22.22.161/27;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop EXTERNAL-ROUTER;
        }
        router-id 192.168.22.240;
    }
    protocols {
        ospf {
            traceoptions {
                file ospf-log size 5m;
                flag all;
            }
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface reth1.0 {
                    authentication {
    #                    md5 1 key <removed> SECRET-DATA */;
                    }
                }
                interface st0.0 {
                    authentication {
    #                    md5 1 key <removed> SECRET-DATA */;
                    }
                }
            }
        }
    }
    security {
        ike {
            proposal Remote-Office-PSK {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy Remote-Office-Static {
                mode main;
                proposals Remote-Office-PSK;
    #            pre-shared-key ascii-text <removed> SECRET-DATA */;
            }
            gateway XXXXX {
                ike-policy Remote-Office-Static;
                address REMOVED;
                dead-peer-detection {
                    interval 10;
                    threshold 3;
                }
                external-interface reth0.0;
            }
        }
        ipsec {
            proposal Remote-Offices {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy Remote-Offices {
                proposals Remote-Offices;
            }
            vpn XXXXX {
                bind-interface st0.0;
                ike {
                    gateway XXXXX;
                    proxy-identity {
                        local 0.0.0.0/0;
                        remote 0.0.0.0/0;
                        service any;
                    }
                    ipsec-policy Remote-Offices;
                }
                establish-tunnels immediately;
            }
        }
        zones {
            security-zone trusted {
                interfaces {
                    reth1.0 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                ping;
                                traceroute;
                            }
                            protocols {
                                ospf;
                            }
                        }
                    }
                }
            }
            security-zone internet {
                interfaces {
                    reth0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                traceroute;
                                ike;
                            }
                        }
                    }
                }
            }
            security-zone vpn {
                interfaces {
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                traceroute;
                                ssh;
                                ike;
                                snmp;
                            }
                            protocols {
                                ospf;
                            }
                        }
                    }
                }
            }
        }
    }

     

     

    SRX210

    version 12.1X44-D35.5;
    system {
        host-name SRX210;
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address EXTERNAL-IP/30;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.22.107.1/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.22.107/32;
                }
            }
        }
        st0 {
            unit 0 {
                family inet {
                    address 10.22.22.165/27;
                }
            }
        }
    }
    routing-options {
        router-id 192.168.22.107;
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface st0.0 {
                    authentication {
    #                    md5 1 key <removed> SECRET-DATA */;
                    }
                }
            }
        }
    }
    security {
        ike {
            proposal Remote-Office-PSK {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy Remote-Office-Static {
                mode main;
                proposals Remote-Office-PSK;
    #            pre-shared-key ascii-text <removed> SECRET-DATA */;
            }
            gateway DCFW {
                ike-policy Remote-Office-Static;
                address REMOVED;
                dead-peer-detection {
                    interval 10;
                    threshold 3;
                }
                external-interface ge-0/0/0.0;
            }
        }
        ipsec {
            proposal Remote-Offices {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy Remote-Offices {
                proposals Remote-Offices;
            }
            vpn DC {
                bind-interface st0.0;
                ike {
                    gateway DCFW;
                    proxy-identity {
                        local 0.0.0.0/0;
                        remote 0.0.0.0/0;
                        service any;
                    }
                    ipsec-policy Remote-Offices;
                }
            }
        }
        zones {
            security-zone ext {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                traceroute;
                                ike;
                            }
                        }
                    }
                }
            }
            security-zone vpn {
                interfaces {
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                traceroute;
                                ssh;
                                ike;
                                snmp;
                            }
                            protocols {
                                ospf;
                            }
                        }
                    }
                }
            }
            security-zone int {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
        }
    }

     



  • 2.  RE: OSPF packet ignored: netmask 0.0.0.0 mismatch

     
    Posted 09-15-2014 07:58

    Hi joeld,

     

    Can you please provide the output for command "show ospf interface detail" from both the SRX?

     

    Regards

    Surya



  • 3.  RE: OSPF packet ignored: netmask 0.0.0.0 mismatch

    Posted 09-15-2014 10:21

    Hi,

     

    I can only access the SRX1400 right now, here's the output:

     

    > show ospf interface detail
    Interface           State   Area            DR ID           BDR ID          Nbrs
    lo0.0               DRother 0.0.0.0         0.0.0.0         0.0.0.0            0
      Type: LAN, Address: 192.168.22.240, Mask: 255.255.255.255, MTU: 65535, Cost: 0
      Adj count: 0, Passive
      Hello: 10, Dead: 40, ReXmit: 5, Not Stub
      Auth type: None
      Protection type: None
      Topology default (ID 0) -> Passive, Cost: 0
    reth1.0             BDR     0.0.0.0         192.168.22.254  192.168.22.240     1
      Type: LAN, Address: 10.22.22.2, Mask: 255.255.255.252, MTU: 1500, Cost: 1
      DR addr: 10.22.22.1, BDR addr: 10.22.22.2, Priority: 128
      Adj count: 1
      Hello: 10, Dead: 40, ReXmit: 5, Not Stub
      Auth type: MD5, Active key ID: 1, Start time: 1970 Jan  1 01:00:00 CET
      Protection type: None
      Topology default (ID 0) -> Cost: 1
    st0.0               PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            4
      Type: P2MP, Address: 10.22.22.161, Mask: 255.255.255.224, MTU: 9192, Cost: 1
      Adj count: 4
      Hello: 10, Dead: 40, ReXmit: 5, Not Stub
      Auth type: MD5, Active key ID: 1, Start time: 1970 Jan  1 01:00:00 CET
      Protection type: None
      Topology default (ID 0) -> Cost: 1

     

    I'll post the output from the SRX210 tomorrow when I have access to it.



  • 4.  RE: OSPF packet ignored: netmask 0.0.0.0 mismatch

     
    Posted 09-15-2014 10:31

    Hi

     

    Since the st0 interface is of P2MP type, looks like you would need to explicitly configure the neighbor under "ospf", which isn't configured at this time.

     

    st0.0               PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            4
      Type: P2MP, Address: 10.22.22.161, Mask: 255.255.255.224, MTU: 9192, Cost: 1
    protocols {
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface st0.0 {
                    authentication {
    #                    md5 1 key <removed> SECRET-DATA */;
                    }
                }
            }
        }
    }

     

    http://www.juniper.net/techpubs/en_US/junos11.4/topics/topic-map/ospf-configuring-interfaces.html#jd0e765

     

    Can you please try and see if that helps.

     

    Regards

    Surya



  • 5.  RE: OSPF packet ignored: netmask 0.0.0.0 mismatch

    Posted 09-15-2014 10:28

    Hm, by the way I noticed something odd. I have access to one of the 5 SRX210's that are still working (we haven't rebooted the remaining 5 working yet). I took a look at the "show ospf interface detail" command on one them, and the output is:

     

    > show ospf interface detail
    Interface           State   Area            DR ID           BDR ID          Nbrs
    lo0.0               DRother 0.0.0.0         0.0.0.0         0.0.0.0            0
      Type: LAN, Address: 192.168.22.105, Mask: 255.255.255.255, MTU: 65535, Cost: 0
      Adj count: 0, Passive
      Hello: 10, Dead: 40, ReXmit: 5, Not Stub
      Auth type: None
      Protection type: None
      Topology default (ID 0) -> Passive, Cost: 0
    st0.0               PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1
      Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 9192, Cost: 1
      Adj count: 1
      Hello: 10, Dead: 40, ReXmit: 5, Not Stub
      Auth type: MD5, Active key ID: 1, Start time: 1970 Jan  1 01:00:00 CET
      Protection type: None
      Topology default (ID 0) -> Cost: 1
    st0.0               PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            0
      Type: P2P, Address: 10.22.22.163, Mask: 255.255.255.224, MTU: 9192, Cost: 1
      Adj count: 0, Passive
      Hello: 10, Dead: 40, ReXmit: 5, Not Stub
      Auth type: MD5, Active key ID: 1, Start time: 1970 Jan  1 01:00:00 CET
      Protection type: None
      Topology default (ID 0) -> Passive, Cost: 1

     Why does it have two st0.0 interfaces in the output? Could this perhaps be related? The configuration is pretty much the same on all the SRX210s.

     

    Just thought I'd mention it. I'll get the output from one of the non-working SRX210's tomorrow.



  • 6.  RE: OSPF packet ignored: netmask 0.0.0.0 mismatch

     
    Posted 09-15-2014 10:35

    Hi,

     

    That's is a good observation. I see you have configured multipoint on SRX1400

     

        st0 {
            unit 0 {
                multipoint;
                family inet {
                    address 10.22.22.161/27;
                }
            }
        }

     

     

    And on SRX 210, you haven't

     

        st0 {
            unit 0 {
                family inet {
                    address 10.22.22.165/27;
                }
            }
        }

     

    Since you have access to SRC1400, can you delete multipoint keyword from st0 interface and see if that helps?

     

    Regards

    Surya



  • 7.  RE: OSPF packet ignored: netmask 0.0.0.0 mismatch

    Posted 09-15-2014 11:33

    Hm, I added all the neighbors to the OSPF st0.0 interface configuration on the SRX1400 like this:

     

    > show configuration protocols ospf
    area 0.0.0.0 {
        interface lo0.0 {
            passive;
        }
        interface reth1.0 {
            authentication {
                md5 1 key ## SECRET-DATA
            }
        }
        interface st0.0 {
            authentication {
                md5 1 key ## SECRET-DATA
            }
            neighbor 10.22.22.162;
            neighbor 10.22.22.163;
            neighbor 10.22.22.164;
            neighbor 10.22.22.165;
            neighbor 10.22.22.166;
            neighbor 10.22.22.167;
            neighbor 10.22.22.168;
        }
    }

     And everything immediately returned to normal. I can access both non-working SRX210 again, and the remaining 5 is still working fine, just like before.

     

    So, right now everything seems to be working. Can't say I understand it. I'll keep my eyes on this for a few days just in case... 🙂



  • 8.  RE: OSPF packet ignored: netmask 0.0.0.0 mismatch

     
    Posted 09-15-2014 11:39

    Insstead of adding all nieghbors under ospf of st0.0, I would recommend to remove "multipoint" from st0 interface of SRX1400 so that it is inline with all other nodes. Just a suggestion.



  • 9.  RE: OSPF packet ignored: netmask 0.0.0.0 mismatch

     
    Posted 09-16-2014 14:17

    Hi,

     

    Just wanted to check how it is going with the last modification that were done on SRX1400?

    Also did you had a chance to test the same by removing "multipoint" knob under st0 interface of SRX1400?

     

    Regards

    Surya



  • 10.  RE: OSPF packet ignored: netmask 0.0.0.0 mismatch
    Best Answer

    Posted 10-01-2014 23:40

    Hi,

     

    I thought I'd post a short follow-up on this issue. Turns out that adding all the neighbours didn't really work. Upon reboot, several of the SRX210's hade problems with OSPF getting stuck in INIT state.

     

    In the end we ditched the multipoint configuration and instead set up individual st0.x interfaces for everything. Has been working great for two weeks now.