Knowledge Search


[ScreenOS] OSPF route flapping

  [KB19321] Show Article Properties

OSPF route is constantly flapping on SSG520 firewall.

SSG520-------------VPN tunnel------------SSG20--bg0(

SSG520 has tunnel.1 bound to multiple VPN tunnels, including the tunnel going to a SSG20 device.
SSG20 advertises the connected network as part of the bg0 interface via OSPF through the VPN  tunnel.
The route for this particular network was seen to be flapping in the SSG520 firewall.
The output of  "get route ip" showed the route installed and uninstalled constantly in the routing table, and the id value of the route kept increasing.

SSG520-> get route ip
Dest for
trust-vr : => (id=280) via (vr: trust-vr)
Interface tunnel.1 , metric 11

SSG520-> get route ip
Dest for
trust-vr : => (id=350) via (vr: trust-vr)
Interface tunnel.1 , metric 11

From the above output, you can see that the id value of the of the route is increasing rapidly.

More details about the route can be displayed with the command "get route id <number>".  It indicated that is was active for 7 seconds.

SSG520-> get route id 306
route in trust-vr:
id: 306
IP address/mask:
next hop (gateway):
preference: 60
metric: 11
outgoing interface: tunnel.1
vsys name/id: Root/0
tag: 0
flag: 24010100/00100000
type: OSPF-intra-area
OSPF parameters: area = ospf level 10000
Redistributed to:
status: active (for 7 seconds)
        --------------------> This indicates that the route is short lived for a few seconds in the routing table.

The status of OSPF SPF in the VR can be checked with the command, "get vr trust-vr protocol ospf", and it showed that the Intra-SPF was executed continuously:

SSG520-> get vr trust-vr protocol ospf
VR: trust-vr RouterId:
Status: enabled
State: internal router
Auto-Vlink creation: disabled
Number of areas: 1
Number of external LSA(s): 0
External LSAs with DNA: 0
Advertising default-route lsa: disabled
Default-route learnt by ospf: will not be added to the routing table
RFC 1583 compatibility: disabled
Hello packet flooding protection: disabled
LSA flooding protection: disabled
Maximum Retransmit limit: For nbrs on demand-circuits 12
For nbrs on non-demand-circuits 24
Total number of interfaces is 3, Active number of interfaces is 3
Intra-SPF algorithm executed 329 times
Last Intra-SPF executed before 00:00:06       ----------------> this indicates that the Intra-SPF is run continuously
Number of LSA(s) is 3

Inter-SPF algorithm executed: 329 times
Last Inter-SPF executed before 00:00:06
Extern-SPF algorithm executed: 329 times
Last Extern-SPF executed before 00:00:06
SPF Aborted: 0 times

Check how OSPF neighbors are formed in the SSG520, by command "get vr trust-vr protocol ospf neighbor":

SSG520-> get vr trust-vr protocol ospf neighbor
VR: trust-vr RouterId:

Neighbor(s) on interface tunnel.1 (Area
IpAddr/IfIndex RouterId Pri State Opt Up StateChg
------------------------------------------------------------------------------            1 Full E 02:08:34 (+6 -0)            1 Full E 07:32:56 (+6 -0)            1 Full E 21:12:48 (+6 -0)            1 Full E 4d;09:06:17 (+10 -1)

For example, looking at the above output, two neighbors (SSG20) and have the same Router id. This will cause the Intra-SPF to be run continuously on the firewall and hence flap the routes learned from those two neighbors.

Also, the output of "debug ospf all" will show that the route is deleted and added:

## 2010-10-22 15:25:22 : ospf: delete route ->, level 1, area

After a few seconds, the output looked like this:

## 2010-10-22 15:25:30 : ospf: add route, next-hops 1, cost 11

This issue is caused by using the same router-id on multiple devices, which are forming neighbor/adjacencies with this SSG520 firewall.

In OSPF, no two neighbors should have same neighbor router-id.  The solution is to configure a unique router-id per neighbor.

For this scenario you'll need to modify the router-id on the SSG20 firewall; you cannot modify the router id when the OSPF is enabled. Hence you need to disable OSPF in the VR first before changing router-id

SSG20-> set vr trust-vr
SSG20(trust-vr)-> set protocol ospf
SSG20(trust-vr/ospf)-> unset enable
SSG20(trust-vr/ospf)-> exit
SSG20(trust-vr)-> set router id ----->unique router-id
SSG20(trust-vr)->set protocol ospf
SSG20(trust-vr/ospf)->set enable

Related Links: