VMware Networking Community
intermax
Contributor

(OSPF) Edge won't neighbor with DLR unless firewall is off.

Hello everybody,

After a reboot of my test environment the OSPF relationship between my Edge and LR has stopped working.

When I turn off the firewall on the Edge appliance the neighboring works. This is strange as the default rule for the firewall is accept all.

When the firewall is enabled the Edge sees the LR in Init/DRother mode, leading me to believe the OSPF traffic from the Edge is never leaving the appliance VM (perhaps because of some hidden egress firewall?)

Last time I solved it by redeploying the VM but that isn't really sustainable.

Has anyone seen this before and maybe found a solution?

Greetings,

Wessel Blokzijl

0 Kudos
6 Replies
Sreec
VMware Employee

Haven't observed this behavior. However, there is nothing like a hidden firewall in Edge/DLR. What components got rebooted? VC/ESXi/NSX Manager, Edges? By any chance did you change the default Hello/Dead interval for OSPF? Is auto rule generation enabled? A debug packet capture is required on both Edge & DLR to confirm the real problem. Can't easily say what the problem is just by observing the behavior, including the redeployment you performed.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
0 Kudos
rajeevsrikant
Expert

What version of NSX are you running in your environment ?

0 Kudos
intermax
Contributor

I'm running 6.3.0

0 Kudos
intermax
Contributor

Neither of these posts solved the issue. The peering works when the edge firewall is disabled.

0 Kudos
intermax
Contributor

Everything got rebooted, all the nodes, the vCenter, NSX Manager, all the VMs.

I didn't change the hello or dead timers.

Here is the firewall config:

show firewall

Edge-test-0> sh firewall

Chain PREROUTING (policy ACCEPT 564 packets, 58370 bytes)
rid    pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
rid    pkts bytes target     prot opt in     out     source               destination
0       144 26697 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0         0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
0       185 15188 block_in   all  --  *      *       0.0.0.0/0            0.0.0.0/0
0       109 10260 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
0        76  4928 usr_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0
0         0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
rid    pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 316 packets, 43354 bytes)
rid    pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
rid    pkts bytes target     prot opt in     out     source               destination
0       144 26697 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
0         0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
0       172 16657 block_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0
0         0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap0 --physdev-out vNic_+
0         0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vNic_+ --physdev-out tap0
0         0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in na+ --physdev-out vNic_+
0         0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vNic_+ --physdev-out na+
0        97 11525 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
0        75  5132 usr_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0
0         0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain block_in (1 references)
rid    pkts bytes target     prot opt in     out     source               destination

Chain block_out (1 references)
rid    pkts bytes target     prot opt in     out     source               destination

Chain usr_rules (2 references)
rid    pkts bytes target     prot opt in     out     source               destination
131075   147  9756 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set 0_131075-ov-v4-0 dst
133124     2   168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set 1_133124-os-v4-0 src
131073     2   136 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

0 Kudos
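
Added example, not part of the original thread: a small Python parser for `show firewall` output in the layout pasted above, which lists DROP/REJECT rules that have counted packets and diffs two snapshots per rule. The function names are illustrative, `SNAPSHOT` is an excerpt of the pasted output, and plain integer counters are assumed.

```python
import re

# Excerpt of the `show firewall` output pasted in the post above.
SNAPSHOT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
rid    pkts bytes target     prot opt in     out     source               destination
0       144 26697 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0         0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
0        76  4928 usr_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0
0         0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain usr_rules (2 references)
rid    pkts bytes target     prot opt in     out     source               destination
131075   147  9756 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set 0_131075-ov-v4-0 dst
131073     2   136 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_chains(text):
    """Return {chain: [rule, ...]}; assumes plain integer counters as in the post."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line.strip())
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        f = line.split(None, 10)
        # Rule rows have >= 10 columns and start with numeric rid, pkts, bytes.
        if current is None or len(f) < 10 or not all(x.isdigit() for x in f[:3]):
            continue
        current.append({"rid": int(f[0]), "pkts": int(f[1]), "target": f[3],
                        "match": f[10].strip() if len(f) > 10 else ""})
    return chains

def dropping_rules(chains):
    """(chain, position, match) for each DROP/REJECT rule that has counted packets."""
    return [(c, i, r["match"]) for c, rules in chains.items()
            for i, r in enumerate(rules, 1)
            if r["target"] in ("DROP", "REJECT") and r["pkts"] > 0]

def counter_delta(before, after):
    """Per-rule packet increase between two snapshots of the same ruleset."""
    return {(c, i): a["pkts"] - b["pkts"]
            for c in after if c in before and len(before[c]) == len(after[c])
            for i, (b, a) in enumerate(zip(before[c], after[c]), 1)
            if a["pkts"] != b["pkts"]}
```

In the output pasted above every DROP rule shows a packet counter of 0. Taking one snapshot, waiting a few OSPF hello intervals and diffing it against a second one shows which rules the traffic is hitting in between.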