OSPF cannot reach the Full state between the USG6370 and the core switch.
Step 1 Check the state of OSPF
After checking the OSPF state, we found that the neighbor relationship could not be established between the USG6370 and the switch.
Step 2 Analyze the configuration.
From the current configuration, we found that the basic-protocol packet-filter was enabled, so security policies were also controlling BGP packets, LDP packets, BFD packets and OSPF unicast packets.
After checking the security-policy configuration, there was no rule permitting OSPF unicast traffic from the switch to the USG6370, so the OSPF neighbor relationship could not be established. Why OSPF had worked normally before needed further analysis.
Step 3 Analyze the logs.
From the history operation logs, when the OSPF process was created the default security-policy action was "permit". It was changed to "deny" at 2016.08.01 20:27:46. Because the OSPF neighbor had already reached FULL, the default action (deny) did not affect the established neighbor relationship. So OSPF kept working, but once the neighbor relationship between the USG6370 and the switch broke down, it could not return to FULL.
Checking the logs, we found that interface 1/0/2 of the USG6370 and interface 3/0/42 of the switch went down for several minutes, so the OSPF neighbor relationship broke down at that time. Even after the interfaces came back up, OSPF could not work because of the security-policy.
Step 4 Disable the basic protocol packet-filter function.
After we disabled the basic protocol packet-filter function, OSPF worked.
The security-policy of the USG6370 denied the OSPF traffic from the switch to the USG6370, so OSPF could not work.
Disable the basic protocol packet-filter function (undo firewall packet-filter basic-protocol enable), or permit the OSPF traffic between the USG6370 and the switch.
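The second option, keeping the basic-protocol packet-filter enabled and adding an explicit permit, is shown below as an added example and is not configuration taken from this case. It assumes the switch-facing interface 1/0/2 is in the trust zone and that OSPF packets to the USG6370 itself terminate in the local zone; the rule names are chosen here.

```text
# Added example: explicit permit for OSPF unicast packets between the switch (trust zone, assumed)
# and the firewall itself (local zone), so the default "deny" no longer blocks neighbor establishment.
security-policy
 rule name permit-ospf-from-switch
  source-zone trust
  destination-zone local
  service ospf
  action permit
 rule name permit-ospf-to-switch
  source-zone local
  destination-zone trust
  service ospf
  action permit
#
# Keep the basic-protocol packet-filter enabled; only the missing permit rules are added.
firewall packet-filter basic-protocol enable
```

Add the rules before changing the default action to deny, so an interface flap does not leave the neighbor stuck below FULL as it did here.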