
[Archive] [ScreenOS] Behavior of LSID assignment when conflict between network address and broadcast address occurs


Article ID: KB27304 KB Last Updated: 28 Sep 2020 Version: 2.0
Summary:
This article describes the behavior of a Link State Identifier (LSID) assignment when OSPF routes have the same network address and broadcast address. This conflict creates a duplicate LSID.
Symptoms:
ScreenOS uses the algorithm recommended by RFC 2328 to assign the LSID. The OSPF algorithm is based on the assumption that no network's broadcast address matches another network's broadcast address. However, routing updates can create conflicts by assigning an address equal to either multiple network addresses or broadcast addresses. The problem occurs when the LSID uses conflicting network addresses or broadcast addresses to attempt to access the OSPF database.

If ScreenOS, acting as an Autonomous System Boundary Router (ASBR), attempts to assign routes to the same address but with different subnet masks, the route with the more specific mask will use the network address as its LSID. The route with the less specific mask will use its broadcast address as its LSID. If there are duplicate routes on a broadcast address with different subnet masks, an LSID conflict will occur. The routes then use the same address as their LSID, and the receiving OSPF peer will try to inject routes from one of the conflicting Link State Update (LSU) packets.
 

Examples:

1. Static route to 172.16.3.8/29 is configured with gateway 172.16.2.101

set route 172.16.3.8/29 interface ethernet1/1 gateway 172.16.2.101

When originating Link-State Advertisement (LSA) to redistribute this static route [172.16.3.8, 255.255.255.248],

  • the LSID for [172.16.3.8, 255.255.255.248] is 172.16.3.8
  • the forwarding address is 172.16.2.101.
 

<OSPF Database AS External LSAs>

nsisg1000-> get vr trust-vr protocol ospf database detail
VR: trust-vr RouterId: 0.0.0.2
--------------------------------

AS External LSA(s)
--------------------------------
Age:  948
Seq Number: 0x80000123
Checksum: 0x6dba
Advertising Router: 0.0.0.2
Link State ID: 172.16.3.8
Length: 36
Options:   Extern     DC
Network Mask: 255.255.255.248
                Metric Type: 1
                TOS: 0
                Metric: 1
                Forward Address: 172.16.2.101
                External Route Tag: 0
 

2. Add static route to 172.16.3.8/32 with gateway 172.16.2.102

 
set route 172.16.3.8/29 interface ethernet1/1 gateway 172.16.2.101
set route 172.16.3.8/32 interface ethernet1/1 gateway 172.16.2.102

When originating LSA to redistribute this static route [172.16.3.8, 255.255.255.255],

  • the LSID for [172.16.3.8, 255.255.255.248] is 172.16.3.15, forwarding address 172.16.2.101,
  • the LSID for [172.16.3.8, 255.255.255.255] is 172.16.3.8, forwarding address 172.16.2.102.


<OSPF Database AS External LSAs>
nsisg1000-> get vr trust-vr protocol ospf database detail
VR: trust-vr RouterId: 0.0.0.2
--------------------------------

AS External LSA(s)
--------------------------------
Age:  948
Seq Number: 0x80000123
Checksum: 0x6dba
Advertising Router: 0.0.0.2
Link State ID: 172.16.3.15
Length: 36
Options:   Extern     DC
Network Mask: 255.255.255.248
                Metric Type: 1
                TOS: 0
                Metric: 1
                Forward Address: 172.16.2.101
                External Route Tag: 0

Age:  948
Seq Number: 0x80000123
Checksum: 0x6dba
Advertising Router: 0.0.0.2
Link State ID: 172.16.3.8
Length: 36
Options:   Extern     DC
Network Mask: 255.255.255.255
                Metric Type: 1
                TOS: 0
                Metric: 1
                Forward Address: 172.16.2.102
                External Route Tag: 0
 

3. Add static route to 172.16.3.15/32 with gateway 172.16.2.102

 
set route 172.16.3.8/29 interface ethernet1/1 gateway 172.16.2.101
set route 172.16.3.8/32 interface ethernet1/1 gateway 172.16.2.102
set route 172.16.3.15/32 interface ethernet1/1 gateway 172.16.2.102

 

When originating LSA to redistribute this static route [172.16.3.8, 255.255.255.255],

  • the LSID for [172.16.3.15, 255.255.255.255] is 172.16.3.15 (*1), forwarding address 172.16.2.102,
  • the LSID for [172.16.3.8, 255.255.255.255] is 172.16.3.8, forwarding address 172.16.2.102.


(*1) LSID 172.16.3.15 conflicts between the routes 172.16.3.8/29 and 172.16.3.15/32, and the latest LSU (172.16.3.15/32) will overwrite the old LSA (172.16.3.8/29) in the OSPF database.

<OSPF Database AS External LSAs>

nsisg1000-> get vr trust-vr protocol ospf database detail
VR: trust-vr RouterId: 0.0.0.2
--------------------------------

AS External LSA(s)
--------------------------------
Age:  948
Seq Number: 0x80000123
Checksum: 0x6dba
Advertising Router: 0.0.0.2
Link State ID: 172.16.3.15
Length: 36
Options:   Extern     DC
Network Mask: 255.255.255.255
                Metric Type: 1
                TOS: 0
                Metric: 1
                Forward Address: 172.16.2.102
                External Route Tag: 0

Age:  948
Seq Number: 0x80000123
Checksum: 0x6dba
Advertising Router: 0.0.0.2
Link State ID: 172.16.3.8
Length: 36
Options:   Extern     DC
Network Mask: 255.255.255.255
                Metric Type: 1
                TOS: 0
                Metric: 1
                Forward Address: 172.16.2.102
                External Route Tag: 0
Solution:
With the current ScreenOS design, ScreenOS will generate an LS Update with a broadcast address as the LSID when there is a conflict between network addresses. The route with the more specific mask will use the network address as its LSID. The route with the less specific mask will use its broadcast address as its LSID. If there is a conflict between broadcast addresses, the LSIDs will also conflict, and the latest LS Update will overwrite the old entry in the OSPF database.

This is the current design of ScreenOS. This behavior will not be changed.  If a special request is required for this issue, please contact JTAC for support.
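The assignment behavior described above can be modeled offline to check a planned set of redistributed routes for an LSID collision before it silently drops a prefix from the OSPF database. This is an added example, not ScreenOS code; the class and function names (`ExternalLsaModel`, `simulate`) are hypothetical, and the input is the three static routes from the examples.

```python
import ipaddress

class ExternalLsaModel:
    """Model of the AS-external LSID assignment this article describes."""

    def __init__(self):
        self.db = {}           # LSID -> route currently advertised under it
        self.overwritten = []  # (LSID, route that lost its LSA, replacing route)

    def _store(self, lsid, net):
        lost = self.db.get(lsid)
        if lost is not None and lost != net:
            self.overwritten.append((str(lsid), str(lost), str(net)))
        self.db[lsid] = net

    def originate(self, prefix):
        new = ipaddress.ip_network(prefix)
        lsid = new.network_address  # default LSID is the network address
        old = self.db.get(lsid)
        if old is not None and old != new and old.network_address == lsid:
            if old.prefixlen < new.prefixlen:
                # Existing route is less specific: move it to its broadcast address.
                del self.db[lsid]
                self._store(old.broadcast_address, old)
            else:
                # New route is less specific: it takes its own broadcast address.
                lsid = new.broadcast_address
        # If `old` already sits on its broadcast address there is nothing left
        # to move, so the newest LSA replaces it (the conflict marked (*1)).
        self._store(lsid, new)
        return str(lsid)


def simulate(prefixes):
    """Originate routes in order; return (LSID table, overwritten LSAs)."""
    model = ExternalLsaModel()
    for p in prefixes:
        model.originate(p)
    table = {str(k): str(v) for k, v in model.db.items()}
    return table, model.overwritten


if __name__ == "__main__":
    # Constructed input: the three static routes from the examples above.
    table, lost = simulate(["172.16.3.8/29", "172.16.3.8/32", "172.16.3.15/32"])
    for lsid, route in sorted(table.items()):
        print(f"LSID {lsid:<12} -> {route}")
    for lsid, old, new in lost:
        print(f"CONFLICT on LSID {lsid}: {old} replaced by {new}")
```

Any entry in the overwritten list is a configured route that no longer has its own LSA in the database.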