[SRX] Device running OSPF over IPSec VPN in full-mesh network is stuck in 'init' state

Article ID: KB19472 | Last Updated: 15 Mar 2011 | Version: 1.0
Summary:
When OSPF is running over an IPsec VPN in a full-mesh topology involving ScreenOS and Junos devices, the OSPF adjacencies do not all reach the Full state. All but one neighbor remain stuck in the Init state.
Symptoms:

When OSPF is run over a full-mesh IPsec VPN and the participating devices use a multipoint tunnel interface (which may be required, as this is a full-mesh topology), OSPF reaches the Full state with only one neighbor and is stuck in the Init state for all the others. Init means the SRX is receiving the neighbor's hello packets but has not yet seen its own router ID listed in them, so two-way communication is never confirmed and the adjacency cannot progress.

NOTE:  This is specific only to ScreenOS and Junos interoperability.


Consider the following topology (diagram not reproduced in this text): a full-mesh IPsec VPN between the SRX and its ScreenOS peers, with the SRX terminating every tunnel on a single st0.0 interface.
The SRX is configured with a single st0 unit as a multipoint interface shared by multiple VPNs (as shown in the following configuration).

Tunnel Interface Configuration:
st0 {
    unit 0 {
        multipoint;
        family inet {
            address 10.1.1.10/24;
        }
    }
}

OSPF configuration:
protocols {
    ospf {
        area 0.0.0.0 {
            interface st0.0 {
                interface-type p2mp;
                metric 10;
                priority 1;
                retransmit-interval 5;
                transit-delay 1;
                hello-interval 10;
                flood-reduction;
                poll-interval 5;
            }
        }
    }
}

With this configuration, one OSPF neighbor reaches the Full state while all the others remain stuck in Init.
Solution:
The way to solve this issue is to run the topology as hub and spoke with respect to the SRX. That is, create a separate st0 unit for each VPN partner (st0.0, st0.1, st0.2, and so on), bind each VPN to its own unit, and run OSPF as point-to-point (p2p) on each unit instead of p2mp on a single st0.0 interface.

Example:

protocols {
    ospf {
        area 0.0.0.0 {
            interface st0.0 {
                interface-type p2p;
                <rest of the config>
            }
            interface st0.1 {
                interface-type p2p;
                <rest of the config>
            }
            interface st0.2 {
                interface-type p2p;
                <rest of the config>
            }
        }
    }
}

and so on, one interface stanza per VPN partner.

Once this is done, all neighbors reach the Full state.
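The following is a complete hub-and-spoke configuration for the SRX side, added here as an illustration; it is not taken from the original article. The /30 tunnel addresses, the VPN, gateway and policy names (vpn-spoke1, gw-spoke1, ipsec-pol), and the zone name (vpn) are assumed. The parts that matter are one st0 unit per peer without the multipoint statement, a one-to-one bind-interface per VPN, p2p OSPF on each unit, and the zone permitting OSPF as host-inbound traffic.

```junos
interfaces {
    st0 {
        /* one unit per VPN partner; no 'multipoint', so each unit is point-to-point */
        /* addresses are assumed for this example */
        unit 0 {
            family inet {
                address 10.1.1.1/30;
            }
        }
        unit 1 {
            family inet {
                address 10.1.2.1/30;
            }
        }
        unit 2 {
            family inet {
                address 10.1.3.1/30;
            }
        }
    }
}
security {
    ipsec {
        /* VPN, gateway and policy names are assumed; each VPN binds to its own unit */
        vpn vpn-spoke1 {
            bind-interface st0.0;
            ike {
                gateway gw-spoke1;
                ipsec-policy ipsec-pol;
            }
            establish-tunnels immediately;
        }
        vpn vpn-spoke2 {
            bind-interface st0.1;
            ike {
                gateway gw-spoke2;
                ipsec-policy ipsec-pol;
            }
            establish-tunnels immediately;
        }
        vpn vpn-spoke3 {
            bind-interface st0.2;
            ike {
                gateway gw-spoke3;
                ipsec-policy ipsec-pol;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        /* zone name is assumed; OSPF hellos arriving on the tunnel units are
           host-inbound traffic and are dropped unless the zone permits the protocol */
        security-zone vpn {
            host-inbound-traffic {
                protocols {
                    ospf;
                }
            }
            interfaces {
                st0.0;
                st0.1;
                st0.2;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface st0.0 {
                interface-type p2p;
                metric 10;
            }
            interface st0.1 {
                interface-type p2p;
                metric 10;
            }
            interface st0.2 {
                interface-type p2p;
                metric 10;
            }
        }
    }
}
```

To verify after committing, use `show ospf neighbor` (every peer should report Full), `show ospf interface st0.0 detail` (the interface type should read P2P, likewise for the other units), and `show security ipsec security-associations` (one active SA pair per VPN). A neighbor that is still in Init means the SRX is receiving that peer's hellos but the peer is not yet listing the SRX router ID, so check the tunnel binding and inbound OSPF permission on the peer side as well.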