Networking: E300 (untrust domain) --------- C company SW
Phenomenon: the OSPF neighbor relationship between the E300 and the C company SW device cannot be established.
Checking the firewall configuration shows that the firewall only opens the default inter-domain packet filtering from the local domain to the untrust domain, and does not open the inter-domain packet filtering from the untrust domain to the local domain. After the firewall packet filtering from the untrust domain to the local domain was opened, the OSPF neighbor relationship returned to normal.
The log shows:
2010-04-19 09:29:57 aaa-Eudemon300-1-HT %%01SHELL/5/CMD(l): task:vt0 ip:X.X.X.X user:YYY vrf:public command:firewall packet-filter default permit interzone local untrust direction inbound
2010-04-19 09:30:36 aaa-Eudemon300-1-HT %%01RM/5/RTLOG(l): OSPF TRANSITION Broadcast Interface X.X.X.162(Ethernet2/0/7)'s Neighbor X.X.X.161 Loading -> Full
1. Configuration problem.
2. The device mechanisms are not compatible.
This problem is caused by the first one.
The firewall applies packet filtering to unicast packets, and OSPF negotiation includes unicast packets, such as DB packets and LSR packets. If inter-domain packet filtering is not opened, these packets are discarded when the packet-filtering rules are checked, so OSPF cannot complete negotiation.
In OSPF networking, packet filtering must be opened for OSPF.
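The two log lines above tie the configuration change to the neighbor recovery. The Python script below is an added example, not part of the original case: it parses logs in that layout and pairs each `firewall packet-filter default` command with the OSPF neighbors that reach Full shortly afterwards, which also records who changed the default filter. The function names, the five-minute window and the third sample line are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two log lines from this page plus one unrelated command.
SAMPLE_LOG = """\
2010-04-19 09:29:57 aaa-Eudemon300-1-HT %%01SHELL/5/CMD(l): task:vt0 ip:X.X.X.X user:YYY vrf:public command:firewall packet-filter default permit interzone local untrust direction inbound
2010-04-19 09:30:36 aaa-Eudemon300-1-HT %%01RM/5/RTLOG(l): OSPF TRANSITION Broadcast Interface X.X.X.162(Ethernet2/0/7)'s Neighbor X.X.X.161 Loading -> Full
2010-04-19 11:02:10 aaa-Eudemon300-1-HT %%01SHELL/5/CMD(l): task:vt0 ip:X.X.X.X user:YYY vrf:public command:display ospf peer
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ %%01(\w+/\d/\w+)\(l\): (.*)$")
CMD = re.compile(r"task:\S+ ip:(\S+) user:(\S+) vrf:\S+ command:(.*)$")
FILTER = re.compile(r"^firewall packet-filter default (permit|deny) interzone (\S+) (\S+) direction (inbound|outbound)")
OSPF = re.compile(r"^OSPF TRANSITION .*Neighbor (\S+) (\S+) -> (\S+)")

def parse(text):
    """Yield (timestamp, kind, fields) for default-filter changes and OSPF transitions."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log line in the expected layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        kind, body = m.group(2), m.group(3)
        if kind == "SHELL/5/CMD":
            c = CMD.match(body)
            f = c and FILTER.match(c.group(3))
            if f:  # only commands that change the default inter-domain filter
                yield ts, "filter", {"user": c.group(2), "action": f.group(1),
                                     "zones": (f.group(2), f.group(3)), "direction": f.group(4)}
        elif kind == "RM/5/RTLOG":
            o = OSPF.match(body)
            if o:
                yield ts, "ospf", {"neighbor": o.group(1), "old": o.group(2), "new": o.group(3)}

def correlate(text, window=timedelta(minutes=5)):
    """Pair each default-filter change with neighbors reaching Full inside the window."""
    events = list(parse(text))
    report = []
    for ts, kind, f in events:
        if kind != "filter":
            continue
        full = [(o["neighbor"], int((t - ts).total_seconds())) for t, k, o in events
                if k == "ospf" and o["new"] == "Full" and timedelta(0) <= t - ts <= window]
        report.append({"time": ts, **f, "neighbors_full": full})
    return report
```

Because `default permit ... direction inbound` opens the whole untrust-to-local direction rather than OSPF alone, entries reported by `correlate` are worth reviewing whenever they appear in the command log.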