OSPF Issue dead timer expiring

xciter327 · Dec 10, 2015, 4:12 PM

pfsense version 2.2.5 64-bit

Setup:
One Cisco L3 Switch connected via a /30 to a virtualized pfsense box. So far everything but OSPF works fine.

Cisco L3 Switch <====area x.x.x.x/30(not area 0)====> pfsense WAN < ==== other networks which are announced in ospf ====>

After configuration, the relationship establishes and Cisco Switch becomes DR and the pfsense BDR. Routing information is exchanged and hosts behind pfsense are ping-able from remote location. All is well.

The issue is as follows:

1. The first and the second LSA after the above seem to reach the pfsense and the dead time is reset back to 40 seconds.
2. After its been about a minute, pfsense behaves as if there are no more LSA received.
3. Dead timer expires, and the neighbour ¨times-out¨ and the relationship goes down.
4. Immediately after that it is re-established.

This occurs on a average interval of 1minute 40 seconds. I have double-checked the ofps timers and both are standard Cisco. The only thing not identical is the SPF Hold Time and SPF Delay.

Please advise.

![Interfaces Settings WAN.png](/public/imported_attachments/1/Interfaces Settings WAN.png)
![Interfaces Settings WAN.png_thumb](/public/imported_attachments/1/Interfaces Settings WAN.png_thumb)
![global settings.png](/public/imported_attachments/1/global settings.png)
![global settings.png_thumb](/public/imported_attachments/1/global settings.png_thumb)

heper · Dec 10, 2015, 1:40 PM

i've noticed before that all "timers" need to be identical on both ends for it to work nicely (for whatever reason)

i've only used ospf between pfsense boxes, so most of the time, the default just work

xciter327 · Dec 10, 2015, 3:40 PM

The timers that are supposed to be equal by ospf are ¨Hello, retransmit and dead¨.

Anyway on the Cisco devices ¨SPF hold timer¨ max and min is configure to 10000ms. pfsense does not allow me to increase that beyon 5000ms.

Cisco default configuration:
show ip ospf:
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs

sh ip ospf interface xxx(in seconds):
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

xciter327 · Dec 10, 2015, 3:57 PM

I any case. I made the timer the same via the raw configuration panel. No change. Still dropping the 3-rd LSA(or not acting on it).

Also in the /Services/Quagga ospfd/Global settings:

It says the value is in miliseconds, but only allows a value up to 5 which is way too short. Acceptable values are between 1 and 10 seconds.

P.S. - Installed pfsense on a physical device(not a VM) and got absolutely the same problem.

xciter327 · Dec 11, 2015, 12:23 PM

I have tried increasing the dead window. With 60 seconds, 120 seconds and 300 seconds the relationship still expires.

The allow rules for firewalls configuration were ospf, ospf with allowed options and allow anything with options. In my opinion there should be nothing blocking ospf LSA in the firewall configuration.

xciter327 · Dec 11, 2015, 1:17 PM

So this has been resolved.

!! The rule that you would enter to allow OSPF traffic, HAS to be a floating rule. !!

Otherwise for some reason everything after the 3rd LSA(hello packet) is blocked. I would consider this a bug