This article describes the issue of being unable to establish Open Shortest Path First (OSPF) neighborship due to an OSPF Maximum Transmission Unit (MTU) mismatch; the neighbors are stuck in the Exstart/Exchange state.
What is the MTU value being used by OSPF, when jumbo frames are enabled in high-end ScreenOS firewalls?
One more scenario where this issue can be encountered is when an NSRP cluster member is replaced (RMAed). After the replacement device's physical connectivity is completed, the required licenses and the old working configuration are loaded; however, when this device is made Master in NSRP, OSPF does not come up and gets stuck in the Exstart/Exchange state. This is due to an MTU mismatch; at the same time, OSPF works on the other cluster member when it is Master. When the old configuration is copied, envar variables do not get copied, as they are not part of the configuration. For example, say that the faulty device had jumbo frames set, and when you replaced it with a new one, you loaded the configuration. However, jumbo frame was not set because it is an envar variable and is not a part of the configuration. You must explicitly set the envar variable for jumbo frame on the replaced device to make it work. Additionally, envar variables do not get synced over NSRP.
When jumbo frames are enabled, ScreenOS will modify the maximum frame size per system and IP MTU on all interfaces. The IP MTU is used by OSPF and it cannot be set per interface.
The formula for calculating the IP MTU is as follows:
IP MTU (used by OSPF) = max-frame-size - Ethernet Header Length (14 bytes)
To check the current maximum frame size on the device, use the following command:
ns5400-> get envar
last_reset=2004-12-10 09:38:52 by netscreen
run_image=default (ns5000.5.0.0b2.c)
loader_version=1.0.0
max-frame-size=9830
ns5400->
To change the current maximum frame size on the device, use the following command:
set envar max-frame-size=<size>
where <size> can be any value from 1514 to 9830. For example, set envar max-frame-size=7500. Note that there are no spaces before or after =. You need to restart the security device for the settings to take effect.
For more information about Jumbo Frames support and prerequisites, refer to KB12843 - Jumbo frame support on the Juniper firewall.
To disable jumbo frames support and return the device to the normal maximum frame size (1514 bytes), use the following command:
unset envar max-frame-size
For example, if max-frame-size = 9830, then the IP MTU = 9816.
Solution 1
Ensure that the IP MTU is the same on both ends.
Solution 2
Ignore any mismatches in Maximum Transmission Unit (MTU) values between the local and remote interfaces that are found during OSPF database negotiations. The following option should be used only when the MTU on the local interface is lower than the MTU on the remote interface:
set interface <interface> protocol ospf ignore-mtu
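The check below is an added example, not part of the original article or Juniper tooling: it parses saved "get envar" output from the local device and from the remote side, applies the IP MTU formula above, and reports whether the ignore-mtu condition (local lower than remote) holds. The function names and sample outputs are constructed, and it assumes a device with no max-frame-size envar uses the normal 1514-byte maximum frame size.

```python
import re

ETH_HEADER_LEN = 14                # Ethernet header length from the formula
DEFAULT_MAX_FRAME = 1514           # assumed when the envar is not set
MIN_FRAME, MAX_FRAME = 1514, 9830  # valid range for max-frame-size


def parse_envar(text):
    """Return {name: value} from saved 'get envar' output; skips prompt lines."""
    envars = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_][\w-]*)=(.*)$", line)
        if m:
            envars[m.group(1)] = m.group(2).strip()
    return envars


def ip_mtu(envar_text):
    """IP MTU used by OSPF = max-frame-size - Ethernet header length."""
    raw = parse_envar(envar_text).get("max-frame-size")
    size = DEFAULT_MAX_FRAME if raw is None else int(raw)
    if not MIN_FRAME <= size <= MAX_FRAME:
        raise ValueError(f"max-frame-size {size} outside {MIN_FRAME}-{MAX_FRAME}")
    return size - ETH_HEADER_LEN


def compare(local_text, remote_text):
    """Return (local IP MTU, remote IP MTU, verdict) for the two devices."""
    local, remote = ip_mtu(local_text), ip_mtu(remote_text)
    if local == remote:
        verdict = "match"
    elif local < remote:
        verdict = "mismatch: local lower (set envar to match, or ignore-mtu)"
    else:
        verdict = "mismatch: local higher (set envar to match)"
    return local, remote, verdict


# Constructed samples: REMOTE has jumbo frames set; LOCAL is a replaced
# unit whose configuration was restored but whose envar was never set.
REMOTE = """ns5400-> get envar
last_reset=2004-12-10 09:38:52 by netscreen
loader_version=1.0.0
max-frame-size=9830
"""
LOCAL = """ns5400-> get envar
last_reset=2004-12-10 09:38:52 by netscreen
loader_version=1.0.0
"""

if __name__ == "__main__":
    print(compare(LOCAL, REMOTE))
```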