I recently upgraded Junos to version 18.2R2-S3.4 on a virtual chassis of (4) EX4300 switches. After the upgrade was complete and the switches rebooted, the OSPF neighbor that is connected to a router at another location will not connect. The state goes from init to exstart. I checked the MTU size and it is correct. When I remove the firewall protection from lo0, the link connects. I can reapply the firewall to lo0, and sometimes the link will stay connected and sometimes it won't. I didn't have this issue on the previous version (17.something, I can't remember). Below is the configuration for the firewall:
set interfaces lo0 unit 0 family inet filter input protect-RE
set firewall family inet filter protect-RE term icmp-addresses from source-prefix-list icmp-addresses
set firewall family inet filter protect-RE term icmp-addresses from protocol icmp
set firewall family inet filter protect-RE term icmp-addresses from icmp-type echo-request
set firewall family inet filter protect-RE term icmp-addresses from icmp-type echo-reply
set firewall family inet filter protect-RE term icmp-addresses from icmp-type unreachable
set firewall family inet filter protect-RE term icmp-addresses from icmp-type time-exceeded
set firewall family inet filter protect-RE term icmp-addresses then policer small-bw-policer
set firewall family inet filter protect-RE term icmp-addresses then syslog
set firewall family inet filter protect-RE term icmp-addresses then accept
set firewall family inet filter protect-RE term icmp from protocol icmp
set firewall family inet filter protect-RE term icmp from icmp-type echo-request
set firewall family inet filter protect-RE term icmp from icmp-type echo-reply
set firewall family inet filter protect-RE term icmp from icmp-type unreachable
set firewall family inet filter protect-RE term icmp from icmp-type time-exceeded
set firewall family inet filter protect-RE term icmp then policer small-bw-policer
set firewall family inet filter protect-RE term icmp then syslog
set firewall family inet filter protect-RE term icmp then accept
set firewall family inet filter protect-RE term tcp-initial-from-prefixes from protocol tcp
set firewall family inet filter protect-RE term tcp-initial-from-prefixes from tcp-initial
set firewall family inet filter protect-RE term tcp-initial-from-prefixes then policer tcp-policer
set firewall family inet filter protect-RE term tcp-initial-from-prefixes then syslog
set firewall family inet filter protect-RE term tcp-initial-from-prefixes then accept
set firewall family inet filter protect-RE term tcp-fin-or-rst-from-prefixes from protocol tcp
set firewall family inet filter protect-RE term tcp-fin-or-rst-from-prefixes from tcp-flags "fin|rst"
set firewall family inet filter protect-RE term tcp-fin-or-rst-from-prefixes then policer tcp-policer
set firewall family inet filter protect-RE term tcp-fin-or-rst-from-prefixes then syslog
set firewall family inet filter protect-RE term tcp-fin-or-rst-from-prefixes then accept
set firewall family inet filter protect-RE term ssh-addresses from source-prefix-list ssh-addresses
set firewall family inet filter protect-RE term ssh-addresses from protocol tcp
set firewall family inet filter protect-RE term ssh-addresses from destination-port ssh
set firewall family inet filter protect-RE term ssh-addresses then policer ssh-policer
set firewall family inet filter protect-RE term ssh-addresses then log
set firewall family inet filter protect-RE term ssh-addresses then syslog
set firewall family inet filter protect-RE term ssh-addresses then loss-priority low
set firewall family inet filter protect-RE term ssh-addresses then accept
set firewall family inet filter protect-RE term snmp-addresses from source-prefix-list snmp-addresses
set firewall family inet filter protect-RE term snmp-addresses from protocol udp
set firewall family inet filter protect-RE term snmp-addresses from destination-port snmp
set firewall family inet filter protect-RE term snmp-addresses then policer snmp-policer
set firewall family inet filter protect-RE term snmp-addresses then syslog
set firewall family inet filter protect-RE term snmp-addresses then accept
set firewall family inet filter protect-RE term ntp-addresses from source-prefix-list ntp-addresses
set firewall family inet filter protect-RE term ntp-addresses from protocol udp
set firewall family inet filter protect-RE term ntp-addresses from destination-port ntp
set firewall family inet filter protect-RE term ntp-addresses then policer ntp-policer
set firewall family inet filter protect-RE term ntp-addresses then syslog
set firewall family inet filter protect-RE term ntp-addresses then accept
set firewall family inet filter protect-RE term dns-addresses from protocol udp
set firewall family inet filter protect-RE term dns-addresses from protocol tcp
set firewall family inet filter protect-RE term dns-addresses from destination-port domain
set firewall family inet filter protect-RE term dns-addresses then policer dns-policer
set firewall family inet filter protect-RE term dns-addresses then syslog
set firewall family inet filter protect-RE term dns-addresses then accept
set firewall family inet filter protect-RE term tacplus-addresses from source-prefix-list tacplus-addresses
set firewall family inet filter protect-RE term tacplus-addresses from protocol tcp
set firewall family inet filter protect-RE term tacplus-addresses from source-port tacacs
set firewall family inet filter protect-RE term tacplus-addresses then policer tacplus-policer
set firewall family inet filter protect-RE term tacplus-addresses then syslog
set firewall family inet filter protect-RE term tacplus-addresses then accept
set firewall family inet filter protect-RE term traceroute from source-prefix-list TraceRoute-addresses
set firewall family inet filter protect-RE term traceroute from protocol udp
set firewall family inet filter protect-RE term traceroute from destination-port 33434-33523
set firewall family inet filter protect-RE term traceroute then policer small-bw-policer
set firewall family inet filter protect-RE term traceroute then syslog
set firewall family inet filter protect-RE term traceroute then accept
set firewall family inet filter protect-RE term return-tcp from source-port ssh
set firewall family inet filter protect-RE term return-tcp from tcp-established
set firewall family inet filter protect-RE term return-tcp then syslog
set firewall family inet filter protect-RE term return-tcp then accept
set firewall family inet filter protect-RE term Return_DNS from protocol udp
set firewall family inet filter protect-RE term Return_DNS from protocol tcp
set firewall family inet filter protect-RE term Return_DNS from source-port domain
set firewall family inet filter protect-RE term Return_DNS then syslog
set firewall family inet filter protect-RE term Return_DNS then accept
set firewall family inet filter protect-RE term tcp-syn-fin-limit from source-port snmptrap
set firewall family inet filter protect-RE term tcp-syn-fin-limit from source-port telnet
set firewall family inet filter protect-RE term tcp-syn-fin-limit from source-port ftp
set firewall family inet filter protect-RE term tcp-syn-fin-limit from source-port ftp-data
set firewall family inet filter protect-RE term tcp-syn-fin-limit from source-port ssh
set firewall family inet filter protect-RE term tcp-syn-fin-limit from tcp-flags "syn|fin"
set firewall family inet filter protect-RE term tcp-syn-fin-limit then policer TCP-SYN-Policer
set firewall family inet filter protect-RE term DHCP_Reply from source-prefix-list DHCP-servers
set firewall family inet filter protect-RE term DHCP_Reply from protocol udp
set firewall family inet filter protect-RE term DHCP_Reply from source-port dhcp
set firewall family inet filter protect-RE term DHCP_Reply then syslog
set firewall family inet filter protect-RE term DHCP_Reply then accept
set firewall family inet filter protect-RE term BFD from protocol udp
set firewall family inet filter protect-RE term BFD from destination-port 3784
set firewall family inet filter protect-RE term BFD then syslog
set firewall family inet filter protect-RE term BFD then accept
set firewall family inet filter protect-RE term radius-addresses from source-prefix-list radius-addresses
set firewall family inet filter protect-RE term radius-addresses from protocol udp
set firewall family inet filter protect-RE term radius-addresses from source-port radius
set firewall family inet filter protect-RE term radius-addresses from source-port radacct
set firewall family inet filter protect-RE term radius-addresses then policer radius-policer
set firewall family inet filter protect-RE term radius-addresses then syslog
set firewall family inet filter protect-RE term radius-addresses then accept
set firewall family inet filter protect-RE term Deny then log
set firewall family inet filter protect-RE term Deny then syslog
set firewall family inet filter protect-RE term Deny then discard
set firewall policer snmp-policer if-exceeding bandwidth-limit 1m
set firewall policer snmp-policer if-exceeding burst-size-limit 15k
set firewall policer snmp-policer then discard
set firewall policer ntp-policer if-exceeding bandwidth-limit 1m
set firewall policer ntp-policer if-exceeding burst-size-limit 15k
set firewall policer ntp-policer then discard
set firewall policer dns-policer if-exceeding bandwidth-limit 1m
set firewall policer dns-policer if-exceeding burst-size-limit 15k
set firewall policer dns-policer then discard
set firewall policer radius-policer if-exceeding bandwidth-limit 1m
set firewall policer radius-policer if-exceeding burst-size-limit 15k
set firewall policer radius-policer then discard
set firewall policer tacplus-policer if-exceeding bandwidth-limit 1m
set firewall policer tacplus-policer if-exceeding burst-size-limit 15k
set firewall policer tacplus-policer then discard
set firewall policer tcp-policer if-exceeding bandwidth-limit 500k
set firewall policer tcp-policer if-exceeding burst-size-limit 15k
set firewall policer tcp-policer then discard
set firewall policer small-bw-policer if-exceeding bandwidth-limit 1m
set firewall policer small-bw-policer if-exceeding burst-size-limit 15k
set firewall policer small-bw-policer then discard
set firewall policer ssh-policer if-exceeding bandwidth-limit 1m
set firewall policer ssh-policer if-exceeding burst-size-limit 15k
set firewall policer ssh-policer then discard
set firewall policer OSPF-policer if-exceeding bandwidth-limit 1m
set firewall policer OSPF-policer if-exceeding burst-size-limit 15k
set firewall policer OSPF-policer then discard
set firewall policer vrrp-policer if-exceeding bandwidth-limit 1m
set firewall policer vrrp-policer if-exceeding burst-size-limit 15k
set firewall policer vrrp-policer then discard
set firewall policer TCP-SYN-Policer if-exceeding bandwidth-limit 500k
set firewall policer TCP-SYN-Policer if-exceeding burst-size-limit 15k
set firewall policer TCP-SYN-Policer then discard
This is some information from the log file:
Jun 5 21:30:00 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from Init to ExStart due to 2WayRcvd (event reason: neighbor detected this router)
Jun 5 21:31:48 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (22 packets)
Jun 5 21:32:04 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRDOWN: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from ExStart to Init due to 1WayRcvd (event reason: neighbor is in one-way mode)
Jun 5 21:33:10 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from Init to ExStart due to 2WayRcvd (event reason: neighbor detected this router)
Jun 5 21:33:26 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (6 packets)
Jun 5 21:34:11 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (1 packets)
Jun 5 21:34:22 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (12 packets)
Jun 5 21:35:03 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (9 packets)
Jun 5 21:35:14 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRDOWN: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from ExStart to Init due to 1WayRcvd (event reason: neighbor is in one-way mode)
Jun 5 21:35:22 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRDOWN: OSPF neighbor XXX.XXX.80.102 (realm ospf-v2 irb.617 area 0.0.0.0) state changed from Full to Init due to 1WayRcvd (event reason: neighbor is in one-way mode)
Jun 5 21:35:22 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.80.102 (realm ospf-v2 irb.617 area 0.0.0.0) state changed from Init to ExStart due to 2WayRcvd (event reason: neighbor detected this router)
Jun 5 21:35:22 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.80.102 (realm ospf-v2 irb.617 area 0.0.0.0) state changed from Loading to Full due to LoadDone (event reason: OSPF loading completed)
Jun 5 21:36:15 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from Init to ExStart due to 2WayRcvd (event reason: neighbor detected this router)
Jun 5 21:36:15 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRUP: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from Exchange to Full due to ExchangeDone (event reason: DBD exchange of slave completed)
I look forward to any help.
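
Added example, not part of the original post: a Python cross-check of the post's own data that parses `PFE_FW_SYSLOG_ETH_IP` lines for discarded (`D`) flows and lists those whose protocol no accepting term of `protect-RE` names. The function names are hypothetical, the embedded config and log lines are excerpts copied from the post, and matching on protocol alone is a simplifying assumption (ports, prefix lists and term order are ignored).

```python
import re
from collections import Counter, defaultdict

# Excerpts copied from the post above (addresses are masked in the original).
CONFIG = """\
set firewall family inet filter protect-RE term icmp from protocol icmp
set firewall family inet filter protect-RE term icmp then accept
set firewall family inet filter protect-RE term BFD from protocol udp
set firewall family inet filter protect-RE term BFD then accept
set firewall family inet filter protect-RE term Deny then discard
"""
LOGS = """\
Jun 5 21:31:48 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (22 packets)
Jun 5 21:32:04 XTQF-CN-500-37-A01 rpd[1733]: RPD_OSPF_NBRDOWN: OSPF neighbor XXX.XXX.110.50 (realm ospf-v2 irb.728 area 0.0.0.0) state changed from ExStart to Init due to 1WayRcvd (event reason: neighbor is in one-way mode)
Jun 5 21:33:26 XTQF-CN-500-37-A01 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: ae0.0 D 02d8:0800 54:75:d0:a6:63:80 -> c0:42:d0:44:f0:e1 ospf XXX.XXX.110.50 XXX.XXX.110.49 0 0 (6 packets)
"""

TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from protocol|then) (\S+)")
FW_RE = re.compile(r"PFE_FW_SYSLOG_ETH_IP: FW: (\S+) ([ADR]) \S+ \S+ -> \S+ (\S+) (\S+) (\S+) \d+ \d+ \((\d+) packets\)")

def accepted_protocols(config, filter_name):
    """Protocols named by terms of filter_name that end in 'then accept'."""
    protos, accepts = defaultdict(set), set()
    for line in config.splitlines():
        m = TERM_RE.match(line.strip())
        if not m or m.group(1) != filter_name:
            continue
        _, term, kind, value = m.groups()
        if kind == "from protocol":
            protos[term].add(value)
        elif value == "accept":
            accepts.add(term)
    return set().union(*(protos[t] for t in accepts))

def discarded_flows(logs):
    """Packet counts per (protocol, src, dst) for lines with action D (discard)."""
    drops = Counter()
    for line in logs.splitlines():
        m = FW_RE.search(line)
        if m and m.group(2) == "D":
            _, _, proto, src, dst, pkts = m.groups()
            drops[(proto, src, dst)] += int(pkts)
    return drops

def unpermitted_drops(config, logs, filter_name="protect-RE"):
    """Discarded flows whose protocol no accepting term of the filter names."""
    allowed = accepted_protocols(config, filter_name)
    return {k: n for k, n in discarded_flows(logs).items() if k[0] not in allowed}
```

On these excerpts `unpermitted_drops(CONFIG, LOGS)` returns the OSPF flow from XXX.XXX.110.50 to XXX.XXX.110.49 with 28 discarded packets; the full filter in the post names only icmp, tcp and udp in its `from protocol` conditions.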