[SRX] Device running OSPF over IPSec VPN in full-mesh network is stuck in 'init' state

[KB19472]


Summary:
When OSPF is running over an IPSec VPN in a full mesh topology involving ScreenOS and Junos devices, OSPF does not come to full state.  It is stuck in the init state.
Symptoms:

When an IPSec VPN in full mesh mode is running OSPF, and all the participating devices are running in multipoint mode (which might be required because this is a full mesh topology), OSPF comes to full state for only one neighbor and is stuck in the init state for the rest of the neighbors.

NOTE:  This is specific only to ScreenOS and Junos interoperability.


Consider the following diagram:



The SRX is configured with a single st0 interface as a multipoint interface shared by multiple VPNs (as shown in the following configuration).

Tunnel Interface Configuration:
st0 {
    unit 0 {
        multipoint;
        family inet {
            address 10.1.1.10/24;
        }
    }
}

OSPF configuration:
protocols {
    ospf {
        enable;
        area 0.0.0.0 {
            interface st0.0 {
                interface-type p2mp;
                metric 10;
                priority 1;
                retransmit-interval 5;
                transit-delay 1;
                hello-interval 10;
                flood-reduction;
                poll-interval 5;
            }
        }
    }
}

With this configuration, one of the OSPF neighbors comes to full state while all the others remain stuck in init state.
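To spot this symptom from the CLI rather than by eye, the following script (an added example, not part of the KB article) parses the output of `show ospf neighbor` on the SRX and flags any st0 unit that has exactly one Full neighbor with the remaining neighbors stuck in Init. The neighbor table below is a constructed sample matching the scenario above; the column layout assumed is the standard Junos `show ospf neighbor` format.

```python
import re
from collections import defaultdict

# Constructed sample of Junos "show ospf neighbor" output for the SRX in the
# KB scenario: a single multipoint st0.0 facing three VPN partners, plus an
# unrelated LAN neighbor that must not be flagged.
SAMPLE_OUTPUT = """\
Address          Interface              State     ID               Pri  Dead
10.1.1.20        st0.0                  Full      10.1.1.20        128    35
10.1.1.30        st0.0                  Init      10.1.1.30        128    38
10.1.1.40        st0.0                  Init      10.1.1.40        128    31
192.168.5.2      ge-0/0/1.0             Full      192.168.5.2      128    39
"""

# One neighbor row: address, interface, state, router ID, priority, dead timer.
NEIGHBOR_RE = re.compile(
    r"^(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ifname>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<dead>\d+)\s*$"
)

def parse_neighbors(output):
    """Return (address, interface, state) tuples; the header line is skipped."""
    rows = []
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            rows.append((m["addr"], m["ifname"], m["state"]))
    return rows

def neighbor_states_by_interface(output):
    """Map each interface to {state: [neighbor addresses in that state]}."""
    table = defaultdict(lambda: defaultdict(list))
    for addr, ifname, state in parse_neighbors(output):
        table[ifname][state].append(addr)
    return {ifn: dict(states) for ifn, states in table.items()}

def interfaces_with_kb_symptom(output):
    """st0 units showing the KB19472 pattern: one Full neighbor, others stuck in Init."""
    hits = []
    for ifname, states in neighbor_states_by_interface(output).items():
        if ifname.startswith("st0.") and len(states.get("Full", [])) == 1 and states.get("Init"):
            hits.append(ifname)
    return sorted(hits)

if __name__ == "__main__":
    for ifname in interfaces_with_kb_symptom(SAMPLE_OUTPUT):
        init = neighbor_states_by_interface(SAMPLE_OUTPUT)[ifname]["Init"]
        print(f"{ifname}: neighbors stuck in Init: {', '.join(init)}")
```

Feed it the real `show ospf neighbor` output from the SRX; an st0 unit reported here is a candidate for splitting into per-partner p2p units as described in the Solution.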
Solution:
The way to solve this issue is to run this topology as hub and spoke with respect to the SRX. That is, configure a separate st0 unit for each VPN partner and run each one as point-to-point (p2p) in OSPF, instead of p2mp on a single st0.0 interface.

Example:

protocols {
    ospf {
        enable;
        area 0.0.0.0 {
            interface st0.0 {
                interface-type p2p;
                <rest of the config>
            }
        }
    }
}

protocols {
    ospf {
        enable;
        area 0.0.0.0 {
            interface st0.1 {
                interface-type p2p;
                <rest of the config>
            }
        }
    }
}

protocols {
    ospf {
        enable;
        area 0.0.0.0 {
            interface st0.2 {
                interface-type p2p;
                <rest of the config>
            }
        }
    }
}

And so on for each additional VPN partner.

Once this is done, all neighbors will come to the full state.