Huawei Eudemon1000E security firewall cannot establish an OSPF neighbor with a third-party device over a GRE VPN

Published: 2017-03-28
Problem description

Topology:

Eudemon1000E (OSPF)----- GRE Tunnel -----(OSPF) third-party device

Symptom:

The Eudemon1000E and the peer third-party router are set up to establish an OSPF adjacency through a GRE tunnel, but the OSPF neighbor state stays stuck in Exchange and never reaches Full. The local tunnel address is 10.1.1.1 and the peer's is 10.1.1.4 (all addresses are customer test addresses, not real production addresses).

<Eudemon1000E >display ospf peer 10.1.1.4
19:46:10 2014/11/17
OSPF Process 1 with Router ID 10.8.1.250
Neighbors
Area 0.0.0.0 interface 10.1.1.1(Tunnel1)'s neighbors
Router ID: 10.1.1.4 Address: 10.1.1.4 GR State: Normal
State: Exchange Mode:Nbr is Slave Priority: 0
DR: 10.1.1.1 BDR: None MTU: 1500
Dead timer due in 28 sec
Neighbor is up for 00:00:00
Authentication Sequence: [ 0 ]

Alarm information

OSPF cannot establish the adjacency; the neighbor state stays in Exchange.


Troubleshooting process

1. Checked the GRE, packet-filter and related configuration on the Eudemon1000E and found nothing wrong; a ping confirmed that the peer was reachable.

[Eudemon1000E]ping 10.1.1.4
11:28:39 2014/11/18
PING 10.1.1.4: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.4: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 10.1.1.4: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 10.1.1.4: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 10.1.1.4: bytes=56 Sequence=4 ttl=255 time=10 ms
--- 10.1.1.4 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms

2. Checked the OSPF neighbor state: it stays in Exchange, and the local MTU is 1500.

[Eudemon1000E]display ospf peer 10.1.1.4
11:34:52 2014/11/18
OSPF Process 1 with Router ID 10.8.1.250
Neighbors
Area 0.0.0.0 interface 10.1.1.1(Tunnel1)'s neighbors
Router ID: 10.1.1.4 Address: 10.1.1.4 GR State: Normal
State: Exchange Mode:Nbr is Slave Priority: 0
DR: 10.1.1.1 BDR: None MTU: 1500
Dead timer due in 34 sec
Neighbor is up for 00:00:00
Authentication Sequence: [ 0 ]



3. Ran debugging ospf to observe the OSPF neighbor establishment process on both ends.

With debugging ospf event enabled locally, only a few intermediate state transitions were shown; after the transition to Exchange there was no further output at all, so the actual problem could not be identified from it.

<Eudemon1000E>debugging ospf event
<Eudemon1000E>t d
<Eudemon1000E>t m
<Eudemon1000E>reset ospf process
*3.832197092 USG2210 RM/7/RMDEBUG:
OSPF 1: Nbr 10.1.1.4 Rcv HelloReceived State Down -> Init.
*3.832197092 USG2210 RM/7/RMDEBUG:
OSPF 1: Nbr 10.1.1.4 Rcv 2WayReceived State Init -> 2Way.
*3.832233422 USG2210 RM/7/RMDEBUG:
OSPF 1: Nbr 10.1.1.4 Rcv AdjOk? State 2Way -> ExStart.
*3.832233522 USG2210 RM/7/RMDEBUG:
OSPF 1: Nbr 10.1.1.4 Rcv NegotiationDone State ExStart -> Exchange.

4. With no other leads, I looked at this tunnel interface and saw that its two other neighbors were in Full state with MTU 1468; the customer confirmed that those two peer devices are also from the same third-party vendor. Could this still be an MTU problem?

[Eudemon1000E]display ospf peer Tunnel 1
15:14:25 2014/11/18
OSPF Process 1 with Router ID 10.8.1.250
Neighbors
Area 0.0.0.0 interface 10.1.1.1(Tunnel1)'s neighbors
Router ID: 172.16.33.1 Address: 10.1.1.2 GR State: Normal
State: Full Mode:Nbr is Master Priority: 0
DR: 10.1.1.1 BDR: None MTU: 1468
Dead timer due in 30 sec
Neighbor is up for 00:01:50
Authentication Sequence: [ 0 ]
Router ID: 10.1.1.3 Address: 10.1.1.3 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 0
DR: 10.1.1.1 BDR: None MTU: 1468
Dead timer due in 38 sec
Neighbor is up for 00:01:46
Authentication Sequence: [ 0 ]

5. After removing the ip mtu configuration from the third-party device's tunnel interface, its MTU became 1468. With that in place, changing the local tunnel interface MTU to 1468 (mtu 1468) brought the OSPF neighbor state to Full. So the root cause was indeed the MTU.

C2621-2(config-if)#no ip mtu
C2621-2# show ip interface tunnel 1
Tunnel1 is up, line protocol is up
Internet address is 10.1.1.4/29
Broadcast address is 10.1.1.7
Address determined by non-volatile memory
MTU is 1468 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5

[Eudemon1000E-Tunnel1]mtu 1468
[Eudemon1000E]display interface Tunnel 1
17:31:42 2014/11/18
Tunnel1 current state : UP
Line protocol current state : UP
Tunnel1 current firewall zone : untrust3
Description : Huawei, USG2200 Series, Tunnel1 Interface, Route Port
The Maximum Transmit Unit is 1468 bytes
Internet Address is 10.1.1.1/29
Encapsulation is TUNNEL, loopback not set

[Eudemon1000E]display ospf peer Tunnel 1
17:34:01 2014/11/18
......
Router ID: 10.1.1.4 Address: 10.1.1.4 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 0
DR: 10.1.1.1 BDR: None MTU: 1468
Dead timer due in 35 sec
Neighbor is up for 00:02:23
Authentication Sequence: [ 0 ]

After adjusting the MTU under the tunnel interface, the OSPF adjacency comes up and service runs normally.
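As an added example (my own code, not from this case or from Huawei tooling), the following parses `display ospf peer` output and flags every neighbor that is not Full or whose advertised MTU differs from the local tunnel MTU, which is the mismatch this case turned on; the sample output is constructed from the values seen above.

```python
import re

# Constructed sample (not the page's literal output) modelled on the case's
# "display ospf peer Tunnel 1" before the fix: two peers advertise MTU 1468
# and are Full, the third advertises 1500 and is stuck in Exchange.
SAMPLE_BEFORE = """\
OSPF Process 1 with Router ID 10.8.1.250
Neighbors
Area 0.0.0.0 interface 10.1.1.1(Tunnel1)'s neighbors
Router ID: 172.16.33.1 Address: 10.1.1.2 GR State: Normal
State: Full Mode:Nbr is Master Priority: 0
DR: 10.1.1.1 BDR: None MTU: 1468
Router ID: 10.1.1.3 Address: 10.1.1.3 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 0
DR: 10.1.1.1 BDR: None MTU: 1468
Router ID: 10.1.1.4 Address: 10.1.1.4 GR State: Normal
State: Exchange Mode:Nbr is Slave Priority: 0
DR: 10.1.1.1 BDR: None MTU: 1500
"""

PEER_RE = re.compile(r"^Router ID: (\S+) Address: (\S+)")
STATE_RE = re.compile(r"^State: (\S+) ")
MTU_RE = re.compile(r"MTU: (\d+)")


def parse_ospf_peers(output):
    """One dict per neighbor block: router_id, address, state, mtu."""
    peers = []
    for line in (ln.strip() for ln in output.splitlines()):
        if m := PEER_RE.match(line):            # a new neighbor block starts here
            peers.append({"router_id": m.group(1), "address": m.group(2)})
        elif peers and (m := STATE_RE.match(line)):
            peers[-1]["state"] = m.group(1)
        elif peers and (m := MTU_RE.search(line)):
            peers[-1]["mtu"] = int(m.group(1))  # MTU the neighbor advertised in its DBD
    return peers


def check_adjacencies(output, local_mtu):
    """(address, problems) for each neighbor that is not Full or whose
    advertised MTU differs from the local tunnel MTU, as in this case."""
    findings = []
    for p in parse_ospf_peers(output):
        problems = []
        if p.get("state") != "Full":
            problems.append(f"state {p.get('state')}")
        if p.get("mtu") != local_mtu:
            problems.append(f"MTU {p.get('mtu')} != local {local_mtu}")
        if problems:
            findings.append((p["address"], problems))
    return findings
```

Run against the pre-fix output with a local MTU of 1500 it reports the two Full peers as MTU mismatches and 10.1.1.4 as stuck in Exchange; with 1468 only 10.1.1.4 remains, which mirrors the observation in step 4.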

Root cause

The MTUs on the two ends do not match, so the OSPF adjacency cannot be established.

Solution

Changing the local tunnel interface MTU to 1468 (mtu 1468) resolved the problem.

Suggestions and summary

END