Hi,
I'm running OSPF over an IPsec VPN between a few sites. This is a multipoint VPN with 1 SRX1400 (HA cluster) and 7 SRX210s. Everything is running 12.1X44-D35.5. I configured everything a few weeks ago and it had been running great until a few days ago. One of the branch SRXs was rebooted; the VPN came up, but OSPF didn't work.
So I started to look at the log on the SRX1400 and found the following after enabling traceoptions for OSPF:
Sep 15 11:48:49.758419 OSPF rcvd Hello 10.22.22.165 -> 224.0.0.5 (st0.0 IFL 83 area 0.0.0.0)
Sep 15 11:48:49.758454 Version 2, length 44, ID 192.168.22.107, area 0.0.0.0
Sep 15 11:48:49.758484 checksum 0x0, authtype 2
Sep 15 11:48:49.758516 mask 0.0.0.0, hello_ivl 10, opts 0x12, prio 128
Sep 15 11:48:49.758546 dead_ivl 40, DR 0.0.0.0, BDR 0.0.0.0
Sep 15 11:48:49.758583 OSPF restart signaling: Received hello with LLS data from nbr ip=10.22.22.165 id=192.168.22.107.
Sep 15 11:48:49.758617 OSPF packet ignored: netmask 0.0.0.0 mismatch from 10.22.22.165 on intf st0.0 area 0.0.0.0
Um, netmask mismatch. Odd. I checked the configuration on the SRX210 and compared it to the configuration on the SRX1400, but the netmasks do match.
The SRX210 (10.22.22.165) is apparently sending Hellos, but the SRX1400 (10.22.22.161) ignores them, so the OSPF adjacency is never formed.
So we tried to reboot a different SRX210, and boom, same issue. 😞
I found the following Juniper KB article, but it won't help me much: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23533&actp=RSS
I've included the relevant configuration from the SRX1400 and the SRX210 below for reference. Can anyone see what we've done wrong?
SRX1400
/* SRX1400 hub (chassis cluster). Global system settings; nothing in this stanza
   influences OSPF or the VPN. */
version 12.1X44-D35.5;
system {
    host-name SRX1400;
    syslog {
        user * {
            any emergency;
        }
        /* Local log file: notice and above, plus authorization events at info. */
        file messages {
            any notice;
            authorization info;
        }
        /* Every CLI command entered is logged, which gives an audit trail of config changes. */
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/* Chassis-cluster (HA) settings for the two-node SRX1400. */
chassis {
    cluster {
        control-link-recovery;
        reth-count 3;
        /* RG0 (routing engine): node 0 is strongly preferred. */
        redundancy-group 0 {
            node 0 priority 254;
            node 1 priority 1;
        }
        /* RG1 owns reth0/reth1/reth2 (see the interfaces stanza). Each monitored link
           carries weight 255, so the loss of any single one of them is enough to fail
           RG1 over. NOTE(review): xe-0/0/7 and xe-4/0/7 belong to reth2, which has no
           logical unit in this paste; monitoring an unused link means it can trigger a
           failover on its own — confirm that is intended. */
        redundancy-group 1 {
            node 0 priority 254;
            node 1 priority 1;
            interface-monitor {
                ge-0/0/6 weight 255;
                ge-4/0/6 weight 255;
                xe-0/0/7 weight 255;
                xe-4/0/7 weight 255;
                ge-2/0/0 weight 255;
                ge-6/0/0 weight 255;
            }
        }
    }
}
/* Hub interfaces. The ge-*/xe-* ports are only reth members; all Layer 3 addressing is
   on reth0 (internet), reth1 (trusted LAN), lo0 (router-id) and st0.0 (VPN hub). */
interfaces {
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    xe-0/0/7 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-2/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-4/0/6 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    xe-4/0/7 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-6/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    /* Fabric (data-plane) links between the two cluster nodes. */
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/0;
                ge-0/0/1;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-4/0/0;
                ge-4/0/1;
            }
        }
    }
    /* Loopback; 192.168.22.240 is also the OSPF router-id under routing-options. */
    lo0 {
        unit 0 {
            family inet {
                address 192.168.22.240/32;
            }
        }
    }
    /* Internet-facing reth. IKE terminates here (security ike gateway external-interface). */
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                /* The terminating ';' is missing on the redacted line below; Junos needs
                   'address EXTERNAL-IP/26;'. */
                address EXTERNAL-IP/26
            }
        }
    }
    /* Trusted LAN reth; OSPF also runs here (protocols ospf interface reth1.0). */
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.22.22.2/30;
            }
        }
    }
    /* reth2 has members (xe-0/0/7, xe-4/0/7) but no logical unit, so as pasted it
       carries no traffic, yet its members are still in the RG1 interface-monitor list. */
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
    }
    /* VPN hub tunnel interface. 'multipoint' lets this single unit terminate every spoke
       tunnel; 10.22.22.161 is the hub's address in the shared /27 tunnel subnet.
       NOTE(review): the OSPF trace on this page shows the spoke's Hello carrying mask
       0.0.0.0 — the value an OSPF point-to-point interface advertises — not the /27
       configured on either end, and the hub applying the netmask check, which OSPF skips
       on point-to-point interfaces (RFC 2328 §10.5). The spoke's st0 unit is not
       'multipoint', so the two ends most likely disagree on OSPF interface type rather
       than on the netmask itself. Compare 'show ospf interface st0.0 detail' on both
       devices and set a matching 'interface-type' under protocols ospf. */
    st0 {
        unit 0 {
            multipoint;
            family inet {
                address 10.22.22.161/27;
            }
        }
    }
}
/* Default route out the internet reth. The router-id is pinned to the lo0 address
   (192.168.22.240) so it stays stable whatever physical interfaces are up. */
routing-options {
    static {
        route 0.0.0.0/0 next-hop EXTERNAL-ROUTER;
    }
    router-id 192.168.22.240;
}
/* OSPF area 0 on the hub: the LAN (reth1.0) and the VPN (st0.0) both run
   MD5-authenticated OSPF; lo0.0 is passive so the router-id address is advertised
   without forming adjacencies on it. */
protocols {
    ospf {
        /* Debug tracing added for this problem. 'flag all' is verbose; the 5 MB file cap
           bounds disk use, but remove the stanza once the adjacency issue is resolved. */
        traceoptions {
            file ospf-log size 5m;
            flag all;
        }
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface reth1.0 {
                authentication {
                    /* Key redacted by the poster; the live device has an 'md5 1 key ...;'
                       statement here, so this block is not really empty. */
                    # md5 1 key <removed> SECRET-DATA */;
                }
            }
            /* No 'interface-type' is set here. The trace on this page shows the hub
               rejecting the spoke's Hello for a netmask mismatch; OSPF skips that check on
               point-to-point interfaces (RFC 2328 §10.5), so the hub is not running st0.0
               as point-to-point, while the spoke advertises mask 0.0.0.0, the value a
               point-to-point interface sends. Set the interface type explicitly on both
               ends (e.g. 'interface-type p2mp' for a multipoint st0) and verify with
               'show ospf interface st0.0 detail'. The 'authtype 2' in the trace matches
               the MD5 authentication configured below, so authentication is not the
               cause of the drop. */
            interface st0.0 {
                authentication {
                    # md5 1 key <removed> SECRET-DATA */;
                }
            }
        }
    }
}
/* IKE/IPsec and security zones for the hub side of the route-based hub-and-spoke VPN. */
security {
    ike {
        /* Phase 1: pre-shared keys, DH group 2, SHA-1 and 3DES. All three algorithms are
           legacy choices; AES, SHA-2 and a larger DH group are preferable once every
           spoke supports them. The proposal must match what the SRX210s use. */
        proposal Remote-Office-PSK {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy Remote-Office-Static {
            mode main;
            proposals Remote-Office-PSK;
            /* PSK redacted by the poster. */
            # pre-shared-key ascii-text <removed> SECRET-DATA */;
        }
        /* Only one gateway is shown for seven spokes; presumably the others were omitted
           from the paste. DPD probes every 10 s and declares the peer dead after three
           misses, i.e. roughly 30 s of silence. */
        gateway XXXXX {
            ike-policy Remote-Office-Static;
            address REMOVED;
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            /* IKE terminates on reth0.0, so only the zone holding reth0.0 needs 'ike'
               in host-inbound-traffic. */
            external-interface reth0.0;
        }
    }
    ipsec {
        /* Phase 2: ESP with HMAC-SHA1-96 and 3DES; same legacy-algorithm note as Phase 1. */
        proposal Remote-Offices {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy Remote-Offices {
            proposals Remote-Offices;
        }
        /* Route-based VPN: traffic is selected by routing into st0.0, so the 0.0.0.0/0
           proxy identities are the usual wildcard for this design. 'establish-tunnels
           immediately' brings the SA up at commit rather than on first interesting packet. */
        vpn XXXXX {
            bind-interface st0.0;
            ike {
                gateway XXXXX;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy Remote-Offices;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        /* LAN zone: management (ssh), diagnostics and OSPF may reach the SRX itself on reth1.0. */
        security-zone trusted {
            interfaces {
                reth1.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ping;
                            traceroute;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        /* Internet zone: only IKE plus ping/traceroute may reach the SRX on reth0.0. */
        security-zone internet {
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ike;
                        }
                    }
                }
            }
        }
        /* VPN zone: 'ospf' must be allowed here or Hellos over st0.0 are dropped before
           the routing process sees them. 'ssh' and 'snmp' are reachable from every spoke's
           tunnel; 'ike' is not needed on st0.0 because IKE terminates on reth0.0 —
           trim both if not intentional. */
        security-zone vpn {
            interfaces {
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ssh;
                            ike;
                            snmp;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
    }
}
SRX210
/* SRX210 spoke (one of seven). Local system settings; logging is quieter than on the
   hub (messages at critical rather than notice) and is rotated at 100 KB x 3 files. */
version 12.1X44-D35.5;
system {
    host-name SRX210;
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        /* Only failed/erroring CLI commands are recorded, unlike the hub, which logs all of them. */
        file interactive-commands {
            interactive-commands error;
        }
    }
    /* Keeps five configuration rollbacks on flash (limited storage on this platform). */
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/* Spoke interfaces: ge-0/0/0 internet, ge-0/0/1 LAN, lo0 router-id, st0.0 tunnel to the hub. */
interfaces {
    /* Internet uplink; IKE terminates here (security ike gateway external-interface). */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address EXTERNAL-IP/30;
            }
        }
    }
    /* Branch LAN (zone int). */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.22.107.1/30;
            }
        }
    }
    /* Loopback; 192.168.22.107 is the router-id and is the 'ID' the hub's trace shows
       in the rejected Hello. */
    lo0 {
        unit 0 {
            family inet {
                address 192.168.22.107/32;
            }
        }
    }
    /* Spoke tunnel interface, 10.22.22.165 in the same /27 as the hub's st0.0. This unit
       is not 'multipoint' (the hub's is). NOTE(review): the hub's trace shows this spoke's
       Hello carrying mask 0.0.0.0, the value an OSPF point-to-point interface advertises,
       which suggests this end runs OSPF as point-to-point while the hub — which applies the
       netmask check OSPF skips on point-to-point links (RFC 2328 §10.5) — does not. The
       configured /27 genuinely matches the hub, so look at 'show ospf interface st0.0
       detail' on both ends rather than at the addresses. */
    st0 {
        unit 0 {
            family inet {
                address 10.22.22.165/27;
            }
        }
    }
}
/* Router-id pinned to the lo0 address. No static default route is shown; the IKE peer
   must still be reachable via ge-0/0/0, presumably through a route omitted from the
   paste, since OSPF over the tunnel cannot supply the route the tunnel itself needs. */
routing-options {
    router-id 192.168.22.107;
}
/* OSPF area 0 on the spoke: passive lo0.0 plus MD5-authenticated OSPF over st0.0 to the hub. */
protocols {
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            /* No 'interface-type' is set. The hub's trace shows this spoke's Hello carrying
               mask 0.0.0.0 — what a point-to-point OSPF interface sends — while the hub,
               whose st0.0 is multipoint, applies the netmask check and discards it. Setting
               the same 'interface-type' on both ends (e.g. 'interface-type p2mp') and
               checking 'show ospf interface st0.0 detail' here and on the hub is the first
               thing to verify; the 'authtype 2' in the trace already matches the MD5
               authentication below. */
            interface st0.0 {
                authentication {
                    /* Key redacted by the poster; the live device has an 'md5 1 key ...;'
                       statement here, so this block is not really empty. */
                    # md5 1 key <removed> SECRET-DATA */;
                }
            }
        }
    }
}
/* IKE/IPsec and security zones for the spoke side of the route-based VPN. */
security {
    ike {
        /* Phase 1 proposal mirrors the hub's (PSK, DH group 2, SHA-1, 3DES). These are
           legacy algorithms; AES, SHA-2 and a larger DH group are preferable once the hub
           and all spokes can be changed together. */
        proposal Remote-Office-PSK {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy Remote-Office-Static {
            mode main;
            proposals Remote-Office-PSK;
            /* PSK redacted by the poster. */
            # pre-shared-key ascii-text <removed> SECRET-DATA */;
        }
        /* Single gateway: the hub. DPD probes every 10 s and gives up after three misses. */
        gateway DCFW {
            ike-policy Remote-Office-Static;
            address REMOVED;
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            /* IKE terminates on ge-0/0/0.0, so only zone ext needs 'ike' in host-inbound-traffic. */
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        /* Phase 2 proposal mirrors the hub's (ESP, HMAC-SHA1-96, 3DES). */
        proposal Remote-Offices {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy Remote-Offices {
            proposals Remote-Offices;
        }
        /* Route-based VPN bound to st0.0 with wildcard proxy identities, matching the hub.
           Unlike the hub there is no 'establish-tunnels immediately' here, so this end
           brings the SA up on demand (the hub's config shows it initiating at commit). */
        vpn DC {
            bind-interface st0.0;
            ike {
                gateway DCFW;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy Remote-Offices;
            }
        }
    }
    zones {
        /* Internet zone: only IKE plus ping/traceroute may reach the SRX on ge-0/0/0.0. */
        security-zone ext {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ike;
                        }
                    }
                }
            }
        }
        /* VPN zone: 'ospf' must be allowed here for Hellos over st0.0 to reach the routing
           process. 'ssh' and 'snmp' are exposed to the hub side of the tunnel; 'ike' is not
           needed on st0.0 because IKE terminates on ge-0/0/0.0 — trim if not intentional. */
        security-zone vpn {
            interfaces {
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            traceroute;
                            ssh;
                            ike;
                            snmp;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        /* LAN zone. 'system-services all' opens every host-inbound service on the SRX to the
           branch LAN (ge-0/0/1.0); listing only the services actually needed (as the hub's
           trusted zone does) keeps the management surface smaller. No 'protocols' entry,
           so OSPF is not accepted from the LAN, which matches the single st0.0 OSPF interface. */
        security-zone int {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}