ScreenOS Firewalls (NOT SRX)
Contributor
Bilal

Issues when connecting ISG-2000 with two OSPF uplinks to two routers

Situation: An ISG-2000 HA A/S pair is connected to a Cisco 7609 pair. Each FW has two uplinks, one to each router. Each uplink interface is part of one point-to-point OSPF network. The FW redistributes its connected subnets into OSPF, so each router receives routes via its point-to-point OSPF network. The routers run BGP and redistribute routes into OSPF, so the FW receives the same routes from two different router IDs.


Issue 1: "Sometimes" we see during flow debugging that router 1 advertises the FW's connected subnets, so the FW receives packets from router 1; but as it learns the remote subnets through router 2, the reply packet cannot go out the same interface it came in on and is therefore dropped, even when policies are set up for both zones/interfaces. What is the best way to have active/backup uplinks such that the FW receives/sends packets from/to the same router?


Issue 2: We turned off the SVI on router 1 to remove it as an OSPF neighbor of the FW, leaving only a single uplink to the FW. This fixed issue 1 above and all TCP applications started working. However, all GTP/UDP traffic stopped working, i.e. existing GTP tunnels were not switched to the other OSPF uplink, and new GTP tunnels also did not establish through the other OSPF uplink. Why?


Issue 3: "clear session all" fixed issue 2 above. But when the remote tunnel endpoints were "not connected" subnets of the FW and were only learned through OSPF, why were the tunnels not switched to the second OSPF uplink? How do we prevent this "GTP hang" in case one uplink goes down due to some network problem?

Regards

Bilal

Trusted Expert
WL

Re: Issues when connecting ISG-2000 with two OSPF uplinks to two routers

Hmm, it looks like the session was not updated with the new routes after the fail over.

Could you check the session with :

(1) get sess dst-ip X.X.X.X and take a look at the routes shown in the session

(2) after the route fails, run the same command again and check the routes to see if the session has updated to the new routes to be used.


I think once we are clear on this point we should be able to move forward.


Thanks.

Contributor
Bilal

Re: Issues when connecting ISG-2000 with two OSPF uplinks to two routers

I have asked for logs. I don't have direct access. Let me ask this, though. Can I increase the cost of one of the two interfaces that is running the point-to-point OSPF network, so that the ISG always installs the routes learned from the other interface into its routing table?


Trusted Expert
WL

Re: Issues when connecting ISG-2000 with two OSPF uplinks to two routers

Hmm, you can, but I think we can check the routing table now to see if the routes are correct.

The issue, I guess, is that the tunnel sessions are not updating the session, though.

In that case, even if the routes were installed correctly you will still have a problem, so we need to confirm which it is.

Contributor
Bilal

Re: Issues when connecting ISG-2000 with two OSPF uplinks to two routers

Tunnel means GTP tunnel not VPN tunnel.
Trusted Expert
WL

Re: Issues when connecting ISG-2000 with two OSPF uplinks to two routers

It will be the same whether it's a tunnel session or a clear-text session. The session will be the one carrying the traffic. If the session did not update with the new routes, then that's where the problem is likely to be.
Contributor
Bilal

Re: Issues when connecting ISG-2000 with two OSPF uplinks to two routers

Out of two equal-cost interfaces running OSPF, if one gets a high cost, will it become the secondary uplink for outbound packets?

Trusted Expert
WL

Re: Issues when connecting ISG-2000 with two OSPF uplinks to two routers

Yes, that is going to work fine.

I just did a quick test to check. You won't see the route with the higher cost in the routing table. But if that link goes down, the FW should fail over to the other route that was advertised:

Before fail:

         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        18        X.0.0.0/24         eth0/2     172.0.100.1  E1   60      2     Root

After the route failed:

         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        15        X.0.0.0/24         eth0/0    172.19.51.70  E1   60     11     Root

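The cost change WL tested above, written out as ScreenOS CLI. This is an added example, not configuration from the thread or from Juniper. The interface names ethernet0/0 and ethernet0/2 follow the eth0/0 and eth0/2 in WL's get route output; the vrouter name trust-vr, OSPF area 0, the cost value 20 and the choice of ethernet0/2 as the preferred uplink are assumptions, and X.X.X.X stands in for a real remote prefix as it does in WL's earlier post.

```screenos
## Added example (not from the thread): prefer one OSPF uplink on a ScreenOS box.
## Assumptions: OSPF already running in vrouter trust-vr, area 0, ethernet0/0 and
## ethernet0/2 are the two point-to-point uplinks, ethernet0/2 is to be the active one.

## Weak setting: both uplinks left at the same (default) OSPF cost. The same remote
## prefix learned from the two routers then ties, and nothing forces the reply to
## leave on the interface the request arrived on, which is the drop seen in Issue 1.
set interface ethernet0/0 protocol ospf area 0
set interface ethernet0/0 protocol ospf link-type p2p
set interface ethernet0/0 protocol ospf enable
set interface ethernet0/2 protocol ospf area 0
set interface ethernet0/2 protocol ospf link-type p2p
set interface ethernet0/2 protocol ospf enable

## Corrected setting: raise the cost on the backup uplink only. The route via
## ethernet0/2 now wins; the route via ethernet0/0 stays out of the routing table
## until the ethernet0/2 adjacency is lost, at which point it is installed instead.
set interface ethernet0/0 protocol ospf cost 20

## Checks: confirm the cost took effect, see which next hop a remote prefix uses
## (the Mtr column shows the cost), and see which interface an existing session is
## pinned to. Run the last two before and after a failover, as WL suggested.
get vrouter trust-vr protocol ospf interface
get route ip X.X.X.X
get session dst-ip X.X.X.X
```

This only steers the firewall's own egress. As the next post points out, the router on the preferred link must also be the one the remote side prefers for traffic toward the firewall, or requests still arrive on the backup interface. And per WL's earlier point, a cost preference does nothing for a session that keeps its old route after a failover; that still has to be confirmed with get session before and after the route changes.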
Contributor
Bilal

Re: Issues when connecting ISG-2000 with two OSPF uplinks to two routers

As the two OSPF p-t-p uplinks go to two routers, the router connected to the low-cost FW interface should also set an unequal route metric when it redistributes OSPF routes from the FW into BGP. We want to bring the packets into the FW on the low-cost FW interface as well. This will ensure the session will not break in normal conditions. Right?


After this comes the abnormal situation, i.e. when an interface or node failover happens, a new routing table is constructed, and the session does not get updated.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.