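Two Huawei devices are connected downstream of an L1000, forming a triangle topology.
OSPF neighbor relationships are set up pairwise among the three devices. Our device gets stuck in the ExStart state with the Huawei devices and cannot form an adjacency, while the two Huawei devices form an adjacency with each other normally.
Judging from the OSPF neighbor state: in P2P mode there is no DR election, and ExStart is the state in which DD packets are exchanged. After the 2-Way neighbor relationship is established, DD packets are sent, and once that exchange succeeds the neighbor moves on to the next state.
Being stuck in ExStart therefore suggests a problem with the DD packet exchange.
A failed DD exchange usually points to an MTU mismatch between the two sides. Our device defaults to 0 and does not negotiate the MTU, and the Huawei DD packets also carry 0, so MTU is ruled out.
Further debugging on the device shows the following.
In P2P mode, the debug output on our device shows only sends and no receives: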
*Oct 13 00:12:58:110 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; OSPF 1: Sending packets.
*Oct 13 00:12:58:110 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Source address: 172.28.1.1
*Oct 13 00:12:58:110 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Destination address: 172.28.1.2
*Oct 13 00:12:58:110 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Version 2, Type: 2, Length: 32.
*Oct 13 00:12:58:110 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Router: 172.28.1.132, Area: 0.0.0.0, Checksum: 19532.
*Oct 13 00:12:58:110 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Authentication type: 00, Key(ASCII): 0 0 0 0 0 0 0 0.
*Oct 13 00:12:58:110 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; MTU: 0, Option: _E_, R_I_M_MS Bit: _I_M_MS_.
*Oct 13 00:12:58:110 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; DD Sequence number: 1ea.
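Looking at the packets both sides send to 224.0.0.5, the MTU sent by the peer is also 0, but our side receives no unicast packets from the peer, and the debug output and packet capture on the Huawei side report that it did not receive the packets we sent: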
*Oct 13 00:12:59:851 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; OSPF 1: Sending packets.
*Oct 13 00:12:59:851 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Source address: 172.28.1.1
*Oct 13 00:12:59:851 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Destination address: 224.0.0.5
*Oct 13 00:12:59:851 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Version 2, Type: 1, Length: 48.
*Oct 13 00:12:59:851 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Router: 172.28.1.132, Area: 0.0.0.0, Checksum: 41059.
*Oct 13 00:12:59:851 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Authentication type: 00, Key(ASCII): 0 0 0 0 0 0 0 0.
*Oct 13 00:12:59:851 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Network mask: 255.255.255.248, Hello interval: 10, Option: _E_.
*Oct 13 00:12:59:851 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Router priority: 1, Dead Interval: 40, DR: 0.0.0.0, BDR: 0.0.0.0.
*Oct 13 00:12:59:851 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Neighbor ID: 172.28.1.130.
*Oct 13 00:13:02:543 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; OSPF 1: Receiving packets.
*Oct 13 00:13:02:544 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Source address: 172.28.1.2
*Oct 13 00:13:02:544 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Destination address: 224.0.0.5
*Oct 13 00:13:02:544 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Version 2, Type: 2, Length: 32.
*Oct 13 00:13:02:545 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Router: 172.28.1.130, Area: 0.0.0.0, Checksum: 19017.
*Oct 13 00:13:02:545 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; Authentication type: 00, Key(ASCII): 0 0 0 0 0 0 0 0.
*Oct 13 00:13:02:545 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; MTU: 0, Option: _E_, R_I_M_MS Bit: _I_M_MS_.
*Oct 13 00:13:02:545 2019 CSGD-H3C-LB OSPF/7/DEBUG: -COntext=1; DD Sequence number: 3ef.
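The suspicion is that our DD packets are not getting a reply.
From the packet capture and debug output on the LB, our device's interface in P2P mode sends DD packets as unicast, whereas the implementation on the Huawei firewall sends its DD packets as multicast.
The capture on our device shows that after sending the Hello packet it also sent a DD packet (unicast), and that it received the peer's multicast DD packet.
However, the debug output on the Huawei side shows that it did not receive the DBD packets we sent: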
*0.67154200 USG6600 RM/7/RMDEBUG:
*0.67155040 USG6600 RM/7/RMDEBUG:OSPF 10: RECV Packet.
*0.67155040 USG6600 RM/7/RMDEBUG: Source Address: 172.28.1.1
*0.67155040 USG6600 RM/7/RMDEBUG: Destination Address: 224.0.0.5
*0.67155040 USG6600 RM/7/RMDEBUG: Ver# 2, Type: 1 (Hello)
*0.67155040 USG6600 RM/7/RMDEBUG: Length: 48, Router: 172.28.1.132
*0.67155040 USG6600 RM/7/RMDEBUG: Area: 0.0.0.0, Chksum: a063
*0.67155040 USG6600 RM/7/RMDEBUG: AuType: 00
*0.67155040 USG6600 RM/7/RMDEBUG: Key(ascii): * * * * * * * *
*0.67155040 USG6600 RM/7/RMDEBUG: Net Mask: 255.255.255.248
*0.67155040 USG6600 RM/7/RMDEBUG: Hello Int: 10, Option: _E_
*0.67155040 USG6600 RM/7/RMDEBUG: Rtr Priority: 1, Dead Int: 40
*0.67155040 USG6600 RM/7/RMDEBUG: DR: 0.0.0.0
*0.67155040 USG6600 RM/7/RMDEBUG: BDR: 0.0.0.0
*0.67155040 USG6600 RM/7/RMDEBUG: # Attached Neighbors: 1
*0.67155040 USG6600 RM/7/RMDEBUG: Neighbor: 172.28.1.130
*0.67155040 USG6600 RM/7/RMDEBUG: Hello Extended Options: _
*0.67155040 USG6600 RM/7/RMDEBUG:
*0.67157880 USG6600 RM/7/RMDEBUG:OSPF 10: SEND Packet.
*0.67157880 USG6600 RM/7/RMDEBUG: Source Address: 172.28.1.2
*0.67157880 USG6600 RM/7/RMDEBUG: Destination Address: 224.0.0.5
*0.67157880 USG6600 RM/7/RMDEBUG: Ver# 2, Type: 2 (DB Description)
*0.67157880 USG6600 RM/7/RMDEBUG: Length: 32, Router: 172.28.1.130
*0.67157880 USG6600 RM/7/RMDEBUG: Area: 0.0.0.0, Chksum: 4a49
*0.67157880 USG6600 RM/7/RMDEBUG: AuType: 00
*0.67157880 USG6600 RM/7/RMDEBUG: Key(ascii): * * * * * * * *
*0.67157880 USG6600 RM/7/RMDEBUG: MTU: 0, Option: _E_
*0.67157880 USG6600 RM/7/RMDEBUG: I_M_MSBit: _I_M_MS_
*0.67157880 USG6600 RM/7/RMDEBUG: DD SeqNumber: 3ef
*0.67157880 USG6600 RM/7/RMDEBUG: # LSA Headers: 0
*0.67157880 USG6600 RM/7/RMDEBUG: DD Extended Options: _
*0.67157880 USG6600 RM/7/RMDEBUG:
The configuration on the Huawei side is as follows:
#
interface GigabitEthernet1/0/2
ip address 172.28.1.2 255.255.255.248
ospf network-type p2p
hrp track active
lldp enable
lldp tlv-enable basic-tlv all
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
anti-ddos flow-statistic enable
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
#
security-policy // the policy does not permit untrust to local
default policy logging
rule name policy_sec
policy logging
session logging
source-zone trust
destination-zone untrust
profile av default
profile data-filter default
profile file-block default
profile ips ids
profile url-filter default
action permit
rule name policy2
source-zone untrust
destination-zone trust
profile av default
profile data-filter default
profile file-block default
profile ips ids
profile url-filter default
action permit
rule name policy1
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name policy_local
policy logging
session logging
source-zone local
action permit
#
The problem was resolved after the Huawei side permitted this traffic.
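The zone matching behind this diagnosis, as an added example that is not part of the original case or of either vendor's code: it evaluates the four rules from the configuration above against the OSPF packets seen in the debug output. It assumes first-match evaluation, a default action of deny, and that multicast to 224.0.0.5 is not policy-checked (inferred from the Hello being received); the rule name `ospf_in` is hypothetical.

```python
import ipaddress

# Rules transcribed from the Huawei security-policy on this page (all "action
# permit"). An empty zone list means "any zone".
RULES = [
    {"name": "policy_sec",   "src": ["trust"],   "dst": ["untrust"]},
    {"name": "policy2",      "src": ["untrust"], "dst": ["trust"]},
    {"name": "policy1",      "src": ["trust"],   "dst": ["local", "trust"]},
    {"name": "policy_local", "src": ["local"],   "dst": []},
]
# Hypothetical rule name, standing in for whatever was added to fix the case.
FIXED_RULES = RULES + [{"name": "ospf_in", "src": ["untrust"], "dst": ["local"]}]
FIREWALL_IP = "172.28.1.2"  # GigabitEthernet1/0/2, member of zone untrust


def match_rule(src_zone, dst_zone, rules):
    """Return the name of the first rule matching the zone pair, else None."""
    for rule in rules:
        if rule["src"] and src_zone not in rule["src"]:
            continue
        if rule["dst"] and dst_zone not in rule["dst"]:
            continue
        return rule["name"]
    return None


def ospf_verdict(src_ip, dst_ip, rules=RULES):
    """Verdict for an OSPF packet on the firewall's untrust interface."""
    if ipaddress.ip_address(dst_ip).is_multicast:
        # Assumption taken from the debug output: Hellos to 224.0.0.5 are
        # received although no rule covers them, so multicast is not checked.
        return "permit (multicast, not policy-checked)"
    if src_ip == FIREWALL_IP:
        zones = ("local", "untrust")   # packet originated by the firewall
    else:
        zones = ("untrust", "local")   # packet addressed to the firewall
    rule = match_rule(*zones, rules)
    # Assumption: a packet matching no rule is denied (default action).
    return f"permit ({rule})" if rule else "deny (no matching rule)"


if __name__ == "__main__":
    for src, dst in [("172.28.1.1", "224.0.0.5"),    # Hello from the LB
                     ("172.28.1.1", "172.28.1.2"),   # unicast DD from the LB
                     ("172.28.1.2", "172.28.1.1")]:  # unicast from the firewall
        print(f"{src} -> {dst}: before={ospf_verdict(src, dst)} "
              f"after={ospf_verdict(src, dst, FIXED_RULES)}")
```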