SRX Services Gateway

Ospf between srx and mikrotik

‎09-17-2018 05:36 AM

Hello

 

Could use a little help with debugging a problem.

 

Long story short, I made a working config using lab equipment at hand (srx 210 + mikrotik), and everything worked as expected. But when I transferred the same config to srx 5400, ospf started to give trouble. Ospf hello packets don't reach mikrotik.

 

Basic idea is:

ipsec + gre tunnel, pings are OK, but I think mtu is the problem.

 

Tests:

srx210  to mikrotik "ping x.x.x.x size 9148 do-not fragment" OK

mikrotik to srx210 "ping x.x.x.x size 1414 do-not fragment" OK 

 

Moving to srx 5400

srx210  to mikrotik "ping x.x.x.x size 1386 do-not fragment" OK (only 1386) - is that causing ospf hellos not to reach mikrotik?

mikrotik to srx210 "ping x.x.x.x size 1414 do-not fragment" OK 

 

Egert


Re: Ospf between srx and mikrotik

‎09-17-2018 11:49 PM

Hi,

 

Post moving the config to SRX5400, & when you say OSPF hello pkts don't reach the other end, which state is the OSPF neighbor in? Is it stuck in exstart/exchange? <show ospf neighbor>

 

And since you have moved from SRX210 to SRX5400, could you ensure that the interface settings, such as MTU, are the same & ensure OSPF is allowed as an inbound protocol (sec zone) for each interface that is associated with OSPF.

/Karan Dhanak

Re: Ospf between srx and mikrotik

‎09-18-2018 12:19 AM

Hello,

 

Ospf is stuck at init status. Mikrotik is not receiving ospf packets from juniper.

Ospf trace log (flag:all):

Sep 18 10:08:15.744432 OSPF periodic xmit from 192.168.3.1 to 224.0.0.5 (IFL 77 area 1.1.1.1)
Sep 18 10:08:16.634671 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
Sep 18 10:08:16.634718 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
Sep 18 10:08:16.634737 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:16.634718
Sep 18 10:08:16.634746 OSPF periodic xmit from (null) to 224.0.0.5 (IFL 73 area 1.1.1.1)
Sep 18 10:08:16.885615 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
Sep 18 10:08:16.885639 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
Sep 18 10:08:16.885659 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:16.885639
Sep 18 10:08:16.885667 OSPF hello from 1.1.1.3 (IFL 73, area 1.1.1.1) absorbed
Sep 18 10:08:24.527424 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
Sep 18 10:08:24.527474 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
Sep 18 10:08:24.527493 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:24.527474
Sep 18 10:08:24.527528 OSPF periodic xmit from 192.168.3.1 to 224.0.0.5 (IFL 77 area 1.1.1.1)
Sep 18 10:08:25.335293 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
Sep 18 10:08:25.335328 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
Sep 18 10:08:25.335347 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:25.335328
Sep 18 10:08:25.335400 OSPF periodic xmit from (null) to 224.0.0.5 (IFL 73 area 1.1.1.1)
Sep 18 10:08:26.884333 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
Sep 18 10:08:26.884365 task_process_events_internal: recv ready for OSPF I/O./var/run/ppmd_control
Sep 18 10:08:26.884383 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:26.884365
Sep 18 10:08:26.884391 OSPF hello from 1.1.1.3 (IFL 73, area 1.1.1.1) absorbed

 

Well, one other thing that did change was that the srx210 had 1g links; on the 5400 I replaced them with 10g (changed config accordingly). And for testing I changed the 5400 to use 1g as well; results were the same, tunnel up but ospf is only one-way.

 

For testing i have set all security zones with
 host-inbound-traffic system-service any-service
 host-inbound-traffic protocols all

Also Default-policy permit-all

 

Mtu seems to act differently on each srx box, pinging from 1 lan to another (over ipsec + gre):


srx 5400 max packet size is: ping 192.168.5.1 size 1386 do-not-fragment
but for 210 it is much larger: ping 192.168.5.1 size 9140 do-not-fragment

 

Is that the root problem here ?

I haven't made any mtu changes, it's all default.
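A per-interface summary of a trace like the one in the post above, as an added example that is not part of the original post and not Juniper tooling. The sample lines are copied from the posted trace (most task/timer lines trimmed); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the trace in the post above (timer/task noise trimmed).
SAMPLE_TRACE = """\
Sep 18 10:08:15.744432 OSPF periodic xmit from 192.168.3.1 to 224.0.0.5 (IFL 77 area 1.1.1.1)
Sep 18 10:08:16.634737 task_timer_uset: timer OSPF I/O./var/run/ppmd_control_PPM Hold <Touched> set to offset 2:00 at 10:10:16.634718
Sep 18 10:08:16.634746 OSPF periodic xmit from (null) to 224.0.0.5 (IFL 73 area 1.1.1.1)
Sep 18 10:08:16.885667 OSPF hello from 1.1.1.3 (IFL 73, area 1.1.1.1) absorbed
Sep 18 10:08:24.527528 OSPF periodic xmit from 192.168.3.1 to 224.0.0.5 (IFL 77 area 1.1.1.1)
Sep 18 10:08:25.335400 OSPF periodic xmit from (null) to 224.0.0.5 (IFL 73 area 1.1.1.1)
Sep 18 10:08:26.884391 OSPF hello from 1.1.1.3 (IFL 73, area 1.1.1.1) absorbed
"""

XMIT = re.compile(r"OSPF periodic xmit from (\S+) to \S+ \(IFL (\d+) area \S+\)")
RECV = re.compile(r"OSPF hello from (\S+) \(IFL (\d+), area \S+\) absorbed")


def summarize(trace):
    """Return {ifl: {"sent": n, "null_src": n, "heard": {router: n}}}."""
    stats = defaultdict(lambda: {"sent": 0, "null_src": 0, "heard": defaultdict(int)})
    for line in trace.splitlines():
        if (m := XMIT.search(line)):
            entry = stats[int(m.group(2))]
            entry["sent"] += 1
            if m.group(1) == "(null)":  # hello logged without a source address
                entry["null_src"] += 1
        elif (m := RECV.search(line)):
            stats[int(m.group(2))]["heard"][m.group(1)] += 1
    return stats


def classify(entry):
    """Label one interface by which directions of hello traffic rpd logged."""
    if entry["sent"] and entry["heard"]:
        return "both directions logged locally"
    if entry["sent"]:
        return "sending only, nothing heard"
    return "hearing only, nothing sent"


def report(trace):
    return {ifl: classify(e) for ifl, e in sorted(summarize(trace).items())}


if __name__ == "__main__":
    for ifl, verdict in report(SAMPLE_TRACE).items():
        print(f"IFL {ifl}: {verdict}")
```

The trace only records what the routing process handed off and absorbed, not what actually left the tunnel, so "both directions logged locally" on IFL 73 together with a peer that reports no hellos points the search at the forwarding path rather than at the OSPF configuration.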


Re: Ospf between srx and mikrotik

‎09-18-2018 09:31 PM

Hi,

 

Does it always remain in "init" state? Or does it go up to "2-way" state or "exstart/exchange state" and fall back?

 

If your OSPF is stuck & remains in "Init" state, that means you have a problem/mismatch with OSPF Hello packet parameters such as the ospf area id, interface subnet mismatch, hello/dead interval, interface-type or authentication, etc. Ensure that you have matching parameters at both ends.

 

If you see the OSPF neighbor struggling in exstart/exchange state, then it's an MTU issue. In your case of having an IPsec/GRE tunnel, ensure that you have a common MTU across the path.

 

 

Could you share the related following:

 

> show ospf neighbor

> show interfaces x/y/z

> related config from SRX and Mikrotik

/Karan Dhanak
Solution
Accepted by topic author Egert
‎09-19-2018 03:08 AM

Re: Ospf between srx and mikrotik

[ Edited ]
‎09-18-2018 09:39 PM

Hi,

 

There is a known condition tracked as PR #1274667, where OSPF over GRE over IPSec is not supported on SRX with standalone CP. This is a day-one issue in standalone CP and is fixed in JUNOS 17.3R1 onwards.

 

https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1274667

 

May I know what JUNOS release you're running on SRX5k?

 

 

 

/Karan Dhanak

Re: Ospf between srx and mikrotik

‎09-18-2018 10:42 PM

Hi,

 

Current installed Srx 5400 version is 15.1X49-D120.3.

 

Should I install the latest version: 17.3R2?


Re: Ospf between srx and mikrotik

‎09-18-2018 10:53 PM

Hi,

 

Yes, fixed in 17.3R1 onwards, so 17.3R2 should be fine.

 

 

/Karan Dhanak

Re: Ospf between srx and mikrotik

‎09-19-2018 03:07 AM

Updated to 17.3R2 and ospf started working.

 

Thanks for the help!