No OSPF Interface showed

gilbertog · ‎06-01-2018

Hello,

Actually we are moving on a dynamic VPN tunnels topology. We configured site A with B tunnel successfully, with OSPF over IPSec configuration. Then, we started to configure site A with C, but when we finished, no route was added. We did exactly the same we did between sites A - B, but no same result.

Trying to resolve this, we did a get router info ospf interface and there is not the tunnels interfaces listed on both sites, just A - B interfaces and internal routing, but then we made an get router info protocols and there are listed network prefixes for sites A - B.

Checking everything, is the same configuration on both cases, but one works but the other doesn't.

I appreciate your answers. Thanks.

ericli_FTNT · ‎06-04-2018

Hi, here is my test based on your config. I simplified some parts:

FGT_A：

VPN setting:

FGT_A # sh vpn ipsec phase1-interface 
config vpn ipsec phase1-interface
    edit "to_B"
        set interface "vlan40"
        set peertype any
        set proposal 3des-sha1 3des-md5
        set localid "MAPLANTAVLN"
        set dhgrp 2
        set remote-gw 192.168.4.130
        set psksecret ENC sKgwI+Rr4ARv5YyTc6q3VU9HrY+L1RT/L1PJmtLaeMd78quVm9zuUfvkTj5ycj0UCwWauxml70VQ+vXIZWZ29HEEydWqpUFEcL1iZvU1DOlO9bJDrVzDKtOgs8Ohk6YTa7p55FBlHvGqL73oszcWuQklFHHtQXFjFRzsRl8Kt6NwpXtZuMe/KX44igmS+O7HqZb3Bw==
    next
end

FGT_A # sh vpn ipsec phase2-interface 
config vpn ipsec phase2-interface
    edit "to_B_2"
        set phase1name "to_B"
        set proposal 3des-sha1 3des-md5
        set dhgrp 2
        set auto-negotiate enable
    next
end

Firewall Policy allow IKE from phase1 interface to real interface:

FGT_A # sh firewall policy 1 
config firewall policy
    edit 1
        set uuid f8a4d0c0-6847-51e8-47fb-bb7c6bd25ab2
        set srcintf "to_B"
        set dstintf "vlan40"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Tunnel interface:

FGT_A # sh sys int to_B 
config system interface
    edit "to_B"
        set vdom "root"
        set ip 10.10.10.132 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.130 255.255.255.255
        set snmp-index 57
        set interface "vlan40"
    next
end

OSPF:

FGT_A # sh router ospf 
config router ospf
    set router-id 10.10.10.132
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "1"
            set interface "to_B"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.10.10.132 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end 
    config redistribute "isis"
    end
end

OSPF interface is up, which means that it's sending hello to 224.0.0.5 and listen to hello:

FGT_A # get router info ospf interface 
to_B is up, line protocol is up
  Internet Address 10.10.10.132/32, Area 0.0.0.0, MTU 1446
  Process ID 0, Router ID 10.10.10.132, Network Type POINTOPOINT, Cost: 100
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Neighbor Count is 1, Adjacent neighbor count is 0
  Crypt Sequence Number is 9910
  Hello received 1 sent 1, DD received 0 sent 1
  LS-Req received 0 sent 0, LS-Upd received 0 sent 0
  LS-Ack received 0 sent 0, Discarded 0

Now OSPF neighbor is up:

FGT_A # get router info ospf neighbor 

OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.10.10.130 1 Full/ - 00:00:33 10.10.10.130 to_B

Same output on FGT_B is ready for you.

PS:

Double check:

sh sys int gw_KP_WAN1xWAN2, I guess something wrong at this part.

View solution in original post

ericli_FTNT · ‎06-11-2018

Glad to hear that! NP.

View solution in original post

Toshi_Esumi · ‎06-01-2018

Is the tunnel actually up? You probably wouldn't see ospf interface if the tunnel is down.

gilbertog · ‎06-01-2018

Yes, it is up. Actually, if we set up a static route it works fine. But no with OSPF.

Toshi_Esumi · ‎06-01-2018

Then, what did you configure under config ospf-interface? You must have configured two entries on A-side (for B and C), and only one on C-side (for A).

gilbertog · ‎06-01-2018

On A-Side we have some interfaces for inside routing, tunnel interface to B and tunnel interface to C. Also, in networks, we have both interface addresses.

On C-Side we only have the interface to A, and in networks just interface address.

ericli_FTNT · ‎06-01-2018

gilbertog wrote:

Checking everything, is the same configuration on both cases, but one works but the other doesn't.

Can you provide output of these commands:

show router ospf
diag vpn tunnel list
get router info ospf interface

So I could try to figure out where is the issue.

PS: Please double check your ipsec, I'm afraid there is something wrong on it.

gilbertog · ‎06-01-2018

Thanks for your time. Attached I send both configurations.

ericli_FTNT · ‎06-01-2018

Not a problem.

To avoid routing problem, I suggest you not to enable redistribute connected/static until OSPF adjacency is up.

It seems that on your site C, the tunnel "gw_MA_WAN2xVLN1" is not up yet. Because dec/enc are both 0.

Please check your IPSEC setting by:

show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
diag debug app ike -1

gilbertog · ‎06-04-2018

Sorry for delay answering. Attached I send those configurations

ericli_FTNT · ‎06-04-2018

Not a problem, I will try to reproduce your case in my lab. will get back to you soon.