
OSPF can not step into full state caused by security policy deny

Publication Date: 2017-12-28 | Views: 55 | Downloads: 0
Issue Description

OSPF cannot reach the Full state between the USG6370 and the core switch.

Handling Process

Step 1 Check the state of OSPF

After checking the OSPF state, we found that the neighbor relationship could not be established between the USG6370 and the switch.


Step 2 Analyze the configuration.

The current configuration showed that the basic-protocol packet filter was enabled. With this function on, security policies also control BGP packets, LDP packets, BFD packets and OSPF unicast packets, so these protocol packets must be permitted by a security-policy rule.

Checking the security-policy configuration showed that there was no rule permitting OSPF unicast traffic from the switch to the USG6370, so the OSPF neighbor relationship could not be established. Why OSPF had worked normally before required further analysis.


Step 3 Analyze the logs.

The history operation logs showed that when the OSPF process was created, the default security-policy action was “permit”. It was changed to “deny” at 2016.08.01 20:27:46. Because the OSPF neighbor relationship had already reached the Full state, the deny policy did not affect the established adjacency, so OSPF kept working. But once the OSPF neighbor relationship between the USG6370 and the switch broke down, it could not return to Full.

The logs also showed that interface 1/0/2 of the USG6370 and interface 3/0/42 of the switch went down for several minutes, which broke the OSPF neighbor relationship at that time. Even after the interfaces came back up, OSPF could not recover because of the security policy.


Step 4 Disable the basic protocol packet-filter function.

After we disabled the basic-protocol packet-filter function, OSPF worked again.

Root Cause

The security policy of the USG6370 denied OSPF traffic from the switch to the USG6370, so OSPF could not work.

Solution

Disable the basic-protocol packet-filter function (undo firewall packet-filter basic-protocol enable), or add a security-policy rule that permits the OSPF traffic between the USG6370 and the switch. Note that disabling the packet filter also removes security-policy control over BGP, LDP and BFD packets, so an explicit permit rule for OSPF is the narrower change.
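As an added example (not part of the original case and not Huawei tooling), the check below parses a constructed USG-style security-policy snippet and answers the question from Step 2 before a change is pushed: with the basic-protocol packet filter on, would OSPF unicast from the switch's zone to the firewall itself be permitted? The zone names, the `local` zone for the firewall and the exact command syntax are assumptions.

```python
import re

# Constructed sample config (not from the page). Command syntax is an
# assumption modelled on USG-style CLI: "local" is the firewall's own zone.
SAMPLE_CONFIG = """\
firewall packet-filter basic-protocol enable
security-policy
 rule name mgmt_to_fw
  source-zone trust
  destination-zone local
  service ssh
  action permit
 default action deny
"""

def parse_policy(text):
    """Return (packet_filter_enabled, default_action, rules) from config text."""
    pf_on = re.search(r"^firewall packet-filter basic-protocol enable$", text, re.M)
    default, rules, cur = "permit", [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("rule name "):
            cur = {"src": "any", "dst": "any", "svc": set(), "action": "deny"}
            rules.append(cur)
        elif s.startswith("default action "):
            default = s.split()[-1]
        elif cur is None:
            continue
        elif s.startswith("source-zone "):
            cur["src"] = s.split()[1]
        elif s.startswith("destination-zone "):
            cur["dst"] = s.split()[1]
        elif s.startswith("service "):
            cur["svc"].update(s.split()[1:])
        elif s.startswith("action "):
            cur["action"] = s.split()[1]
    return bool(pf_on), default, rules

def ospf_from_zone_permitted(text, peer_zone):
    """Would OSPF unicast from peer_zone to the firewall itself pass the policy?"""
    pf_on, default, rules = parse_policy(text)
    if not pf_on:
        return True  # packet filter off: protocol packets are not policy-checked
    for r in rules:  # rules are evaluated top-down, first match decides
        if (r["src"] in (peer_zone, "any") and r["dst"] in ("local", "any")
                and (not r["svc"] or r["svc"] & {"ospf", "any"})):
            return r["action"] == "permit"
    return default == "permit"  # no rule matched: the default action applies
```

Running `ospf_from_zone_permitted(SAMPLE_CONFIG, "trust")` on the sample reproduces the failure in this case (deny); adding a rule with `service ospf` from the switch's zone to `local`, or disabling the packet filter, makes it pass.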

