Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Unable to establish the peer with OSPF due to a MTU mismatch with jumbo frames

0

0
Article ID: KB12745 KB Last Updated: 17 Dec 2013Version: 6.0 Summary:

This article describes the issue of being unable to establish Open Shortest Path First (OSPF) neighborship due to a OSPF Maximum Transmission Unit (MTU) mismatch; they are stuck in the Exstart/Exchange state.

Symptoms:

What is the MTU value being used by OSPF, when jumbo frames are enabled in high-end ScreenOS firewalls?

One more scenario where this issue can be encountered is where an NSRP Cluster member is replaced (RMAed). After the replacement device physical connectivity is completed, the required licenses/ working old configuration is loaded; however, when this device is made Master in NSRP, OSPF does not come up and gets stuck in Exstart/Exchange state. This is due to a MTU mismatch; at the same time OSPF works on the other member of the cluster Master. When the old configuration is copied, envar variables do not get copied as they are not part of the configuration. For example, say that faulty device had jumbo frames set and when you replaced this with a new one, you loaded the configuration. However, jumbo frame was not set because it is a envar variable and is not a part of configuration. You must explicitly set the envar variable for jumbo frame on the replaced device to make it to work. Additionally, envar variables do not get synced over NSRP.

Cause:

When jumbo frames are enabled, ScreenOS will modify the maximum frame size per system and IP MTU on all interfaces. The IP MTU is used by OSPF and it cannot be set per interface.

Solution:

 The formula for calculating the IP MTU is as follows:

IP MTU (used by OSPF) = max-frame-size - Ethernet Header Length (14 bytes)

To check the current maximum frame size on the device, use the following command:

ns5400-> get envar
last_reset=2004-12-10 09:38:52 by netscreen
run_image=default (ns5000.5.0.0b2.c) loader_version=1.0.0 max-frame-size=9830ns5400

To change the current maximum frame size on the device, use the following command:

set envar max-frame-size=<size>

and the size can be any value between 1514 to 9830. For example, set envar max-frame-size=7500. Note that there are no spaces before and after =. You need to restart the security device for the settings to take effect.

For more information about Jumbo Frames support and prerequisites, refer to KB12843 - Jumbo frame support on the Juniper firewall.

To disable jumbo frames support and return the device to the normal maximum frame size (1514 bytes), use the following command:

unset envar max-frame-size

For example, If max-frame-size = 9830, then the IP MTU = 9816.


Solution 1

Ensure that the IP MTU is the same on both ends.


Solution 2

Ignore any mismatches in Maximum Transmission Unit (MTU) values between the local and remote interfaces that are found during OSPF database negotiations. The following option should be used, only when the MTU on the local interface is lower than the MTU on the remote interface:

set interface <interface> protocol ospf ignore-mtu

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search