
Thread: OSPF Issue

  1. #11
    Untanglit
    Join Date: May 2011
    Posts: 15

    Here is a detailed email about the situation. I sent it to a friend that set up our original Untangle box about 7 years ago....


    Hey dude,

    I’ve got an issue with Untangle. It’s time to bring in their support, and maybe you can get them to do this.

    Ok, our network has gotten way complicated, so let me tell you what’s going on.

    Site 1 – Co Location – Main servers, Internet access, and Untangle are here.
    Site 2 – Houston Location – users, printers, secondary servers, etc.
    Site 3 – Beaumont Location – Users, Printers, etc.

    Site 1 has:
    • A Firebox firewall
    • A Cisco router
    • A Cisco switch
    • An Untangle box
    • A 90 MB connection to Site 2
    • A 1.54 MB connection to Site 3
    • A 30 MB connection to the Internet

    Site 2 has:
    • A Cisco router
    • Many switches, Cisco and Dell
    • A 90 MB connection to Site 1
    • A 50 MB down/10 MB up connection to the Internet
    • A Firebox firewall

    Site 3 has:
    • A Cisco router
    • A Cisco switch
    • A Firebox firewall
    • A 1.54 Megabit connection to Site 1
    • A 10 MB connection to the Internet

    Ok, each Firebox is set up with a secured VPN tunnel to the other two sites. The idea being if the link between Site 1 and Site 2 goes down, Site 2 can connect to Site 1 through Site 3. This was done using OSPF on all Cisco routers.

    Physically, this is how Site 1 is wired up.

    Cisco router plugged into the Catalyst switch. Two ports on the Catalyst are on a separate VLAN.
    The second VLAN port is plugged into the Untangle box. This is on the bridge side of the Untangle box.
    The Untangle external port is plugged into the Firebox.
    The Firebox is set up to use OSPF to the internal router so it can find the path for Site 2 and Site 3.

    On our old Untangle box, running 8.x, everything was working just fine. I had this box set up to NOT install any software updates. It is set up to receive data definition updates. The server had a problem: it would reboot randomly due to some kind of Unix kernel panic. It would shut down and restart every hour to 10 days. No rhyme or reason why.

    So everything is good until sometime between 3:53 PM on Sunday 10/21/13 and 11:59 PM that night. For some reason all access from Site 2 to the Internet is no longer working. Site 1 equipment can get on the Internet, but Site 2 cannot. All connections are working, and there are no outages, other than Site 2 not being able to access the Internet.

    Running a bypass cable from the Catalyst to the Firebox firewall, Site 2 can connect to the Internet. It appears the Untangle box has died. A similar issue happened before; the box is 4 years old, so I decided to replace it.

    I ordered a new Dell PC and loaded Untangle 10.x onto the box. Since 10.x cannot read the older backup files properly, I set up Untangle manually, so no settings were directly transferred. I did reuse the old NICs from the old Untangle box.

    I installed the brand new Untangle box at Site 1, and Site 2 cannot access the Internet. WTF? Ok, after a lot of troubleshooting, we figured out that OSPF is no longer working between the Firebox and the internal router. Bypass the Untangle and OSPF works. Put the Untangle back in, and OSPF fails.

    So now I have two Untangle boxes, and neither one is passing OSPF properly. This does not make any sense. It ran for years set up like this. What could have changed? A fresh install of Untangle on a new box, and the problem is the same.

    …. Ok, just to eliminate this as an issue, I ordered new NICs for the Untangle box. I got on Untangle’s web site and got two cards that are certified to work with Untangle. (FYI, one of the old cards you got us for Untangle…. It’s on the do-not-use list! It was one of the cards in our Untangle box.)

    So I replaced both NICs, and I replaced the patch cables from the switch to the Untangle and from the Untangle to the Firebox firewall… OSPF still not working….

    So more troubleshooting… OSPF uses a multicast protocol, on IP 224.0.0.5 for OSPF. We discovered that OSPF is going through the Untangle, but the packets are coming across as corrupt, or altered in such a way that the Firebox can’t figure out how to get to Site 2. My guess is somehow the packets are getting NAT translated, and that’s screwing things up. I’ve turned off NAT on Untangle. No change.

    I’ve turned off all Untangle services, so it should just be bridging. Still nothing…

    So I got on the Untangle forum, and they suggested bypass filters… I’ve tried it all… No difference.

    I’ve tried everything I could think of, and I’m at a loss…

  2. #12
    Untanglit
    Join Date: Jan 2014
    Posts: 17

    Here's my $0.02 hack:
    Tell OSPF that multicast hellos are no good and switch to unicast. You can do that by reconfiguring the links to be NBMA.
    Here are the steps.
    1. On the connecting interfaces/subinterfaces, set the network type to NBMA (non-broadcast multiple access). On Cisco IOS this should be something like:
    router(config)# interface g0/1
    router(config-if)# ip ospf network non-broadcast
    2. Set the OSPF neighbor IP, so traffic is sent directly to the neighbor:
    router(config)# router ospf 100
    router(config-router)# neighbor W.X.Y.Z

    where "100" is the number of the OSPF process you're using
    W.X.Y.Z is the IP address of the neighbor

    3. Tell the routers to restart their OSPF process:
    # clear ip ospf process

    4. Debug your OSPF to see if they get the hellos and the rest:
    # debug ip ospf events
    # debug ip ospf packet
    # terminal monitor

    5. Check if they see each other:
    # show ip ospf neighbor
    # show ip ospf neighbor detail

    6. ... profit?
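A worked example added here, not code from either post: it constructs an OSPFv2 Hello and runs the checks a receiving router applies before accepting it, so you can see which kind of alteration in transit (a rewritten source address, a modified payload byte) makes the neighbour ignore the packet, and that a unicast Hello addressed to the neighbour itself, as in the NBMA setup above, passes the same checks. All addresses, router IDs and timers are constructed sample values.

```python
# Added example, not from the thread: constructed OSPFv2 Hello and the acceptance checks of RFC 2328 (A.3, 10.5).
import struct
from ipaddress import IPv4Address, IPv4Network
ALL_SPF_ROUTERS = "224.0.0.5"

def inet_checksum(data):
    """RFC 1071 one's-complement checksum, as used by OSPFv2."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_hello(router_id, area_id, mask, hello_int, dead_int):
    """OSPFv2 header + Hello body, null authentication, no DR/BDR/neighbours."""
    body = IPv4Address(mask).packed + struct.pack("!HBBI", hello_int, 0x02, 1, dead_int)
    body += b"\x00" * 8                                   # DR and BDR = 0.0.0.0
    hdr = struct.pack("!BBH4s4sHHQ", 2, 1, 24 + len(body),
                      IPv4Address(router_id).packed, IPv4Address(area_id).packed, 0, 0, 0)
    pkt = hdr + body                                      # checksum field still 0
    csum = inet_checksum(pkt[:16] + pkt[24:])             # 8-byte auth field excluded
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]

def check_hello(src, dst, ospf, expect):
    """Reasons a router configured as `expect` would ignore this Hello."""
    bad = []
    ver, ptype, length, csum = struct.unpack("!BBH8xH", ospf[:14])
    if (ver, ptype) != (2, 1) or length != len(ospf):
        return ["not a well-formed OSPFv2 Hello"]
    if inet_checksum(ospf[:12] + b"\x00\x00" + ospf[14:16] + ospf[24:]) != csum:
        bad.append("OSPF checksum mismatch: payload altered in transit")
    if dst not in (ALL_SPF_ROUTERS, expect["my_ip"]):
        bad.append("dst %s is neither 224.0.0.5 nor our unicast address" % dst)
    mask, hello_int, dead_int = struct.unpack("!4sH2xI", ospf[24:36])
    net = IPv4Network((expect["my_ip"], expect["mask"]), strict=False)
    if mask != net.netmask.packed or IPv4Address(src) not in net:
        bad.append("mask or source subnet mismatch (src %s)" % src)
    if (hello_int, dead_int) != (expect["hello"], expect["dead"]):
        bad.append("hello/dead %d/%d differ from ours" % (hello_int, dead_int))
    return bad

def simulate():
    # Constructed scenario: the Hello a neighbour at 10.0.0.2 sees from 10.0.0.1.
    expect = {"my_ip": "10.0.0.2", "mask": "255.255.255.0", "hello": 10, "dead": 40}
    hello = build_hello("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40)
    return (check_hello("10.0.0.1", ALL_SPF_ROUTERS, hello, expect),                 # clean
            check_hello("203.0.113.7", ALL_SPF_ROUTERS, hello, expect),              # NATed source
            check_hello("10.0.0.1", ALL_SPF_ROUTERS, hello[:-1] + b"\xff", expect),  # altered payload
            check_hello("10.0.0.1", "10.0.0.2", hello, expect))                      # unicast (NBMA)
```

Running `simulate()` returns one list of reasons per scenario; an empty list means the Hello would be accepted.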
