Junos OS

Recently upgraded Junos to version 18.2R2-S3.4 on a virtual chassis of (4) EX4300 switches.  After the upgrade was complete and the switches rebooted, the OSPF neighbor that is connected to a router at another location will not connect.  The state goes from init to exstart.  I checked the MTU size and it is correct.  When I remove the firewall protection from lo0 the link connects.  I can reapply the firewall back to lo0 and the link will stay connected sometimes and sometimes it won't.  I didn't have this issue on the previous version (17. something I can't remember).  Below is the configuration for the firewall:

 

set interfaces lo0 unit 0 family inet filter input protect-RE

set firewall family inet filter protect-RE term icmp-addresses from source-prefix-list icmp-addresses
set firewall family inet filter protect-RE term icmp-addresses from protocol icmp
set firewall family inet filter protect-RE term icmp-addresses from icmp-type echo-request
set firewall family inet filter protect-RE term icmp-addresses from icmp-type echo-reply
set firewall family inet filter protect-RE term icmp-addresses from icmp-type unreachable
set firewall family inet filter protect-RE term icmp-addresses from icmp-type time-exceeded
set firewall family inet filter protect-RE term icmp-addresses then policer small-bw-policer
set firewall family inet filter protect-RE term icmp-addresses then syslog
set firewall family inet filter protect-RE term icmp-addresses then accept
set firewall family inet filter protect-RE term icmp from protocol icmp
set firewall family inet filter protect-RE term icmp from icmp-type echo-request
set firewall family inet filter protect-RE term icmp from icmp-type echo-reply
set firewall family inet filter protect-RE term icmp from icmp-type unreachable
set firewall family inet filter protect-RE term icmp from icmp-type time-exceeded
set firewall family inet filter protect-RE term icmp then policer small-bw-policer
set firewall family inet filter protect-RE term icmp then syslog
set firewall family inet filter protect-RE term icmp then accept
set firewall family inet filter protect-RE term tcp-initial-from-prefixes from protocol tcp
set firewall family inet filter protect-RE term tcp-initial-from-prefixes from tcp-initial
set firewall family inet filter protect-RE term tcp-initial-from-prefixes then policer tcp-policer
set firewall family inet filter protect-RE term tcp-initial-from-prefixes then syslog
set firewall family inet filter protect-RE term tcp-initial-from-prefixes then accept
set firewall family inet filter protect-RE term tcp-fin-or-rst-from-prefixes from protocol tcp
set firewall family inet filter protect-RE term tcp-fin-or-rst-from-prefixes from tcp-flags "fin|rst"
set firewall family inet filter protect-RE term tcp-fin-or-rst-from-prefixes then policer tcp-policer
set firewall family inet filter protect-RE term tcp-fin-or-rst-from-prefixes then syslog
set firewall family inet filter protect-RE term tcp-fin-or-rst-from-prefixes then accept
set firewall family inet filter protect-RE term ssh-addresses from source-prefix-list ssh-addresses
set firewall family inet filter protect-RE term ssh-addresses from protocol tcp
set firewall family inet filter protect-RE term ssh-addresses from destination-port ssh
set firewall family inet filter protect-RE term ssh-addresses then policer ssh-policer
set firewall family inet filter protect-RE term ssh-addresses then log
set firewall family inet filter protect-RE term ssh-addresses then syslog
set firewall family inet filter protect-RE term ssh-addresses then loss-priority low
set firewall family inet filter protect-RE term ssh-addresses then accept
set firewall family inet filter protect-RE term snmp-addresses from source-prefix-list snmp-addresses
set firewall family inet filter protect-RE term snmp-addresses from protocol udp
set firewall family inet filter protect-RE term snmp-addresses from destination-port snmp
set firewall family inet filter protect-RE term snmp-addresses then policer snmp-policer
set firewall family inet filter protect-RE term snmp-addresses then syslog
set firewall family inet filter protect-RE term snmp-addresses then accept
set firewall family inet filter protect-RE term ntp-addresses from source-prefix-list ntp-addresses
set firewall family inet filter protect-RE term ntp-addresses from protocol udp
set firewall family inet filter protect-RE term ntp-addresses from destination-port ntp
set firewall family inet filter protect-RE term ntp-addresses then policer ntp-policer
set firewall family inet filter protect-RE term ntp-addresses then syslog
set firewall family inet filter protect-RE term ntp-addresses then accept
set firewall family inet filter protect-RE term dns-addresses from protocol udp
set firewall family inet filter protect-RE term dns-addresses from protocol tcp
set firewall family inet filter protect-RE term dns-addresses from destination-port domain
set firewall family inet filter protect-RE term dns-addresses then policer dns-policer
set firewall family inet filter protect-RE term dns-addresses then syslog
set firewall family inet filter protect-RE term dns-addresses then accept
set firewall family inet filter protect-RE term tacplus-addresses from source-prefix-list tacplus-addresses
set firewall family inet filter protect-RE term tacplus-addresses from protocol tcp
set firewall family inet filter protect-RE term tacplus-addresses from source-port tacacs
set firewall family inet filter protect-RE term tacplus-addresses then policer tacplus-policer
set firewall family inet filter protect-RE term tacplus-addresses then syslog
set firewall family inet filter protect-RE term tacplus-addresses then accept
set firewall family inet filter protect-RE term traceroute from source-prefix-list TraceRoute-addresses
set firewall family inet filter protect-RE term traceroute from protocol udp
set firewall family inet filter protect-RE term traceroute from destination-port 33434-33523
set firewall family inet filter protect-RE term traceroute then policer small-bw-policer
set firewall family inet filter protect-RE term traceroute then syslog
set firewall family inet filter protect-RE term traceroute then accept
set firewall family inet filter protect-RE term return-tcp from source-port ssh
set firewall family inet filter protect-RE term return-tcp from tcp-established
set firewall family inet filter protect-RE term return-tcp then syslog
set firewall family inet filter protect-RE term return-tcp then accept
set firewall family inet filter protect-RE term Return_DNS from protocol udp
set firewall family inet filter protect-RE term Return_DNS from protocol tcp
set firewall family inet filter protect-RE term Return_DNS from source-port domain
set firewall family inet filter protect-RE term Return_DNS then syslog
set firewall family inet filter protect-RE term Return_DNS then accept
set firewall family inet filter protect-RE term tcp-syn-fin-limit from source-port snmptrap
set firewall family inet filter protect-RE term tcp-syn-fin-limit from source-port telnet
set firewall family inet filter protect-RE term tcp-syn-fin-limit from source-port ftp
set firewall family inet filter protect-RE term tcp-syn-fin-limit from source-port ftp-data
set firewall family inet filter protect-RE term tcp-syn-fin-limit from source-port ssh
set firewall family inet filter protect-RE term tcp-syn-fin-limit from tcp-flags "syn|fin"
set firewall family inet filter protect-RE term tcp-syn-fin-limit then policer TCP-SYN-Policer
set firewall family inet filter protect-RE term DHCP_Reply from source-prefix-list DHCP-servers
set firewall family inet filter protect-RE term DHCP_Reply from protocol udp
set firewall family inet filter protect-RE term DHCP_Reply from source-port dhcp
set firewall family inet filter protect-RE term DHCP_Reply then syslog
set firewall family inet filter protect-RE term DHCP_Reply then accept
set firewall family inet filter protect-RE term BFD from protocol udp
set firewall family inet filter protect-RE term BFD from destination-port 3784
set firewall family inet filter protect-RE term BFD then syslog
set firewall family inet filter protect-RE term BFD then accept
set firewall family inet filter protect-RE term radius-addresses from source-prefix-list radius-addresses
set firewall family inet filter protect-RE term radius-addresses from protocol udp
set firewall family inet filter protect-RE term radius-addresses from source-port radius
set firewall family inet filter protect-RE term radius-addresses from source-port radacct
set firewall family inet filter protect-RE term radius-addresses then policer radius-policer
set firewall family inet filter protect-RE term radius-addresses then syslog
set firewall family inet filter protect-RE term radius-addresses then accept
set firewall family inet filter protect-RE term Deny then log
set firewall family inet filter protect-RE term Deny then syslog
set firewall family inet filter protect-RE term Deny then discard

set firewall policer snmp-policer if-exceeding bandwidth-limit 1m
set firewall policer snmp-policer if-exceeding burst-size-limit 15k
set firewall policer snmp-policer then discard
set firewall policer ntp-policer if-exceeding bandwidth-limit 1m
set firewall policer ntp-policer if-exceeding burst-size-limit 15k
set firewall policer ntp-policer then discard
set firewall policer dns-policer if-exceeding bandwidth-limit 1m
set firewall policer dns-policer if-exceeding burst-size-limit 15k
set firewall policer dns-policer then discard
set firewall policer radius-policer if-exceeding bandwidth-limit 1m
set firewall policer radius-policer if-exceeding burst-size-limit 15k
set firewall policer radius-policer then discard
set firewall policer tacplus-policer if-exceeding bandwidth-limit 1m
set firewall policer tacplus-policer if-exceeding burst-size-limit 15k
set firewall policer tacplus-policer then discard
set firewall policer tcp-policer if-exceeding bandwidth-limit 500k
set firewall policer tcp-policer if-exceeding burst-size-limit 15k
set firewall policer tcp-policer then discard
set firewall policer small-bw-policer if-exceeding bandwidth-limit 1m
set firewall policer small-bw-policer if-exceeding burst-size-limit 15k
set firewall policer small-bw-policer then discard
set firewall policer ssh-policer if-exceeding bandwidth-limit 1m
set firewall policer ssh-policer if-exceeding burst-size-limit 15k
set firewall policer ssh-policer then discard
set firewall policer OSPF-policer if-exceeding bandwidth-limit 1m
set firewall policer OSPF-policer if-exceeding burst-size-limit 15k
set firewall policer OSPF-policer then discard
set firewall policer vrrp-policer if-exceeding bandwidth-limit 1m
set firewall policer vrrp-policer if-exceeding burst-size-limit 15k
set firewall policer vrrp-policer then discard
set firewall policer TCP-SYN-Policer if-exceeding bandwidth-limit 500k
set firewall policer TCP-SYN-Policer if-exceeding burst-size-limit 15k
set firewall policer TCP-SYN-Policer then discard

 

This is some information from the log file:

Jun 5 21:30:00 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from Init to ExStart due to 2WayRcvd (event reason: neighbor detected this router)
Jun 5 21:31:48 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (22 packets)
Jun 5 21:32:04 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRDOWN: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from ExStart to Init due to 1WayRcvd (event reason: neighbor is in one-way mode)
Jun 5 21:33:10 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from Init to ExStart due to 2WayRcvd (event reason: neighbor detected this router)
Jun 5 21:33:26 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (6 packets)
Jun 5 21:34:11 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (1 packets)
Jun 5 21:34:22 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (12 packets)
Jun 5 21:35:03 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (9 packets)
Jun 5 21:35:14 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRDOWN: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from ExStart to Init due to 1WayRcvd (event reason: neighbor is in one-way mode)
Jun 5 21:35:22 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRDOWN: OSPF neighbor XXX.XXX.80.102 (realm ospf-v2 irb.617 area 0.0.0.0) state changed from Full to Init due to 1WayRcvd (event reason: neighbor is in one-way mode)
Jun 5 21:35:22 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.80.102 (realm ospf-v2 irb.617 area 0.0.0.0) state changed from Init to ExStart due to 2WayRcvd (event reason: neighbor detected this router)
Jun 5 21:35:22 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.80.102 (realm ospf-v2 irb.617 area 0.0.0.0) state changed from Loading to Full due to LoadDone (event reason: OSPF loading completed)
Jun 5 21:36:15 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from Init to ExStart due to 2WayRcvd (event reason: neighbor detected this router)
Jun 5 21:36:15 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from Exchange to Full due to ExchangeDone (event reason: DBD exchange of slave completed)

 

Look forward to any help. 

Good Day,

 

Could you please try to add the entries to accept OSPF packets from a particular prefix, according to link below?

https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-trusted-source-accept-ospf-packets-destination.html

As a test can you try removing the below policer entry in your firewall and check if ospf is stable

 

set firewall policer OSPF-policer if-exceeding bandwidth-limit 1m
set firewall policer OSPF-policer if-exceeding burst-size-limit 15k
set firewall policer OSPF-policer then discard

 

If so, you can try increasing the rate to 100m just to test if accomodates the ospf packets. I am not sure if any changes were incurred in this area between the junos version involved. 

Good Day,

 

Seems policer OSPF-policer is only delcared and not applied.

Removing it from config would not change anything.

As per the syslog, ospf packets are discarded by the firewall filter (see 'D' Flag in log). I do not see ospf is allowed in firewall filter. Please allow ospf traffic in filter before the "Deny" term.

 

Jun 5 21:33:26 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (6 packets)
Jun 5 21:34:11 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (1 packets)
Jun 5 21:34:22 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (12 packets)
Jun 5 21:35:03 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (9 packets)

 

Yes, as I mentioned above, please allow OSPF packets in a firewall filter and it will work well.

Thanks for the advice. I thought maybe I needed to add something. I tried to add the information below to my existing rule but it still seems to block the traffic. The IP address in the rule is the far end device. set firewall family inet filter protect-re term allow-ospf from source-address XXX.XXX.110.50 set firewall family inet filter protect-re term allow-ospf from protocol ospf set firewall family inet filter protect-re term allow-ospf then policer OSPF-policer set firewall family inet filter protect-re term allow-ospf then log set firewall family inet filter protect-re term allow-ospf then syslog set firewall family inet filter protect-re term allow-ospf then accept Do I need to add a destination address or interface (ae0)?

When you add new term "allow-ospf" it will be added after the "Deny" term which denies all packets. So you have to move "allow-ospf" term before "Deny" term using 'insert' command like below:

insert firewall family inet filter protect-re term allow-ospf before term Deny
show | compare
commit

PS: There is no need to add destination address.

 

 

 

I got it to work.  Typo on my end protect-re needed to be protect-RE.  Thanks for the help.

Great to hear it's working now!

Please be sure the new term "allow-ospf" is above the term "Deny" in the configuration.

You could also delete "from source-address XXX.XXX.110.50" and "then policer OSPF-policer" for testing purposes to see if it works well when just accept traffic "from protocol ospf" and "then accept".

We can keep log and syslog. We do not need destination address or interface.