F5 appliances failing to establish OSPF with attached devices
Hi all, there is a little-known 'feature' in the underlying Linux OS that has a hard limit of 20 network statements. If you go beyond 20, the additional networks will not be advertised in OSPF. I hit this limit after migrating services to my Big-IP. It took F5 support a while to find the cause as the feature isn’t widely known within F5 despite being over 10 years old.

My workaround was to super-net a number of /24 subnets into /20, /21 statements, which brought me back under the limit of 20 networks (conf t network statements in imish). If this isn’t possible you need to change the net.ipv4.igmp_max_memberships configuration & restart the OSPF process:

    sysctl net.ipv4.igmp_max_memberships=25
    zebos -r 0 cmd clear ip ospf process
    show ip ospf neighbor

Above I am setting the hard limit to 25 networks & restarting the OSPF process. Note, adding with sysctl should allow the setting to survive a restart/upgrade – omit it & the increase will not survive a reboot. Showing the neighborships will now show expected results for the missing networks (statements 21-25).

335 Views, 0 likes, 4 Comments

OSPF on F5 "Can't setsockopt IP_MULTICAST_IF"
Hi all, I'm trying to set up an OSPF relation between a Juniper SRX and an F5 (VM). The SRX is configured as follows (some parts are cut out, like policies; all is permitted):

    routing-options {
        router-id 192.168.203.1;
    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-0/0/15.1203 {
                    neighbor 192.168.203.203;
                }
            }
        }
    }
    security-zone TEST {
        address-book {
            address NET_192.168.203.0 192.168.203.0/24;
        }
        host-inbound-traffic {
            system-services { ntp; dns; ping; all; }
            protocols { ospf; all;
        interfaces {
            ge-0/0/15.1203 {
                host-inbound-traffic {
                    system-services { bootp; ping; dns; ntp; }
                    protocols { ospf; }
                }
            }
        }
    }

On the F5 I've created the following:

- Create Partition PD_1
- Create Route-Domain RD_1. This is also the Default for PD_1 and also the Path for this route domain is PD_1
- Vlan1203 created and its partition is on PD_1 and Tag is 1203, interface is 1.1 Untagged.
- On the RD_1 I've added vlan1203 on it with ospfv2 on it
- Create Self IP. IP is in the /24 with VLAN1203 and partition is PD_1, port lockdown is allow all, non-floating

The config for the RD_1 is the following:

    baba.nl[1]sh run
    !
    no service password-encryption
    !
    log file /var/log/zebos.log
    !
    interface lo
    !
    interface /PD_1/VLAN1203
     ip ospf network point-to-multipoint    ! also tried this to be NBMA, broadcast, p2p
     ip ospf hello-interval 3
     ip ospf dead-interval 3
     ip ospf priority 0
    !
    router ospf 199
     ospf router-id 192.168.41.103
     redistribute kernel
     network 192.168.202.0 0.0.0.255 area 0.0.0.0
     network 192.168.203.0 0.0.0.255 area 0.0.0.0
    !
    line con 0
     login
    line vty 0 39
     login
    !
    end

Whatever I try, I always get the following errors:

    2016/07/12 02:00:20 informational: OSPF Instance Id [199]: LSA[Refresh]: timer expired
    2016/07/12 02:00:22 informational: OSPF Instance Id [199]: IFSM[/PD_1/VLAN1203:192.168.203.203]: Hello timer expire
    2016/07/12 02:00:22 warnings: OSPF Instance Id [199]: OS[/PD_1/VLAN1203:192.168.203.203]: Can't setsockopt IP_MULTICAST_IF: Cannot assign requested address

How can I get OSPF to work?
    root@(baba)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys version

    Sys::Version
    Main Package
      Product  BIG-IP
      Version  12.0.0
      Build    1.0.628
      Edition  Hotfix HF1
      Date     Mon Jan 11 09:43:58 PST 2016

Solved. 499 Views, 0 likes, 1 Comment

OSPF warnings on F5 BIG-IP 11.4.1
Hello, I have an issue with F5 BIG-IP LTM 11.4.1. I am getting numerous warning messages from OSPF process in logs. OSPF seems to work fine, but I don't know what these messages mean. Should I ignore them? Their OSPF neighbors are Cisco Catalyst 4900 switches. Please give me a clue. Thank you!

    Tue Feb 11 04:15:43 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: process_packet, unhandled PDU, Operational state
    Tue Feb 11 04:15:43 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: process_packet (Operational state), Response-PDU, 78966:78965
    Tue Feb 11 04:15:43 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: requested pdu : 1
    Tue Feb 11 04:15:43 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: process_packet, unhandled PDU, Operational state
    Tue Feb 11 04:21:57 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: process_packet (Operational state), Response-PDU, 78995:78994
    Tue Feb 11 04:21:57 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: requested pdu : 1
    Tue Feb 11 04:21:57 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: process_packet, unhandled PDU, operational state
    Tue Feb 11 04:28:07 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: process_packet (Operational state), Response-PDU, 79025:79021
    Tue Feb 11 04:28:07 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: requested pdu : 1
    Tue Feb 11 04:28:07 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: process_packet, unhandled PDU, Operational state
    Tue Feb 11 04:28:07 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: process_packet (Operational state), Response-PDU, 79025:79022
    Tue Feb 11 04:28:07 MSK 2014 warning m1-rt-f5-1 OSPF[12267] OSPF: AgentX: requested pdu : 1

571 Views, 0 likes, 5 Comments

Default Route into OSPF
I am unable to advertise a default route 0.0.0.0/0 from the F5 into OSPF. I have an F5 VE running 12.1.1 on KVM-QEMU. IMI is running and I have neighbor relationships with the appropriate routers. All other routes that I test are added without issues, but I do not see the 0.0.0.0/0 route being advertised into OSPF.

My ZebOS config:

    [root@F5-INTERNET-01:Active:In Sync] config cat zebos/rd0/ZebOS.conf
    !
    no service password-encryption
    !
    interface lo
    !
    interface tmm
    !
    interface Core
     ip ospf priority 0
     ip ospf mtu-ignore
    !
    interface Internet
    !
    router ospf
     ospf router-id 10.246.3.250
     redistribute kernel
     passive-interface Internet
     network 10.246.3.0 0.0.0.255 area 0.0.0.0
    !
    line con 0
     login
    line vty 0 39
     login
    !
    end

Here is the LTM Configuration:

    ltm virtual /Common/Test {
        destination /Common/0.0.0.0:0
        ip-protocol tcp
        mask any
        profiles {
            /Common/fastL4 { }
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port disabled
    }
    ltm virtual /Common/test2 {
        destination /Common/10.10.10.1:80
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            /Common/tcp { }
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
    }
    ltm virtual /Common/test3 {
        destination /Common/20.20.20.0:0
        ip-protocol tcp
        mask 255.255.255.0
        profiles {
            /Common/tcp { }
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port disabled
    }
    ltm virtual-address /Common/0.0.0.0 {
        address any
        arp disabled
        icmp-echo disabled
        mask any
        route-advertisement enabled
        server-scope none
        traffic-group /Common/traffic-group-1
    }
    ltm virtual-address /Common/10.10.10.1 {
        address 10.10.10.1
        arp enabled
        icmp-echo enabled
        mask 255.255.255.255
        route-advertisement enabled
        server-scope none
        traffic-group /Common/traffic-group-1
    }
    ltm virtual-address /Common/20.20.20.0 {
        address 20.20.20.0
        arp disabled
        icmp-echo disabled
        mask 255.255.255.0
        route-advertisement enabled
        server-scope none
        traffic-group /Common/traffic-group-1
    }

What is the issue?

501 Views, 0 likes, 1 Comment

Multiple Route Domains with OSPF
Hi everyone, we're trying to redistribute 3 different DNS Listeners via OSPF with multiple Route Domains in a lab environment. In this case "DNS Listener 0" is working with RD0, "DNS Listener 1" with RD1 and "DNS Listener 2" with RD2, but every RD is working with OSPF. We got ARM licensed and each one of the IMI Shells is redistributing its respective Kernel Address. RD0 has adjacency with the Router that is directly connected to the F5 BIG-IP, but neither RD1 nor RD2 has. We tried with different OSPF processes and areas with no luck whatsoever. Is it necessary to do an additional configuration on the F5 BIG-IP? Or is this a problem related to Networking?

Here's a "sh run" command of the IMI Shell of RD2:

    no service password-encryption
    !
    interface lo
    !
    interface /Resolver-IT/VLAN40
     ip ospf network non-broadcast
     ip ospf cost 1
    !
    router ospf 2
     redistribute kernel
     network 40.0.0.0 0.0.0.255 area 0
     neighbor 40.0.0.1
    !

446 Views, 0 likes, 2 Comments

OSPF stuck in Exstart
Hello, I am facing an issue with enabling OSPF between a Cisco Router and F5 LTM. The OSPF adjacency process is getting stuck at the exstart phase. This is what my topology looks like:

    Cisco Router<-------Cisco L2 Switch------->F5 LTM

    LTM-01[2]>show ip os neighbor
    OSPF process 26:
    Neighbor ID     Pri   State             Dead Time   Address         Interface
    10.10.26.9        1   ExStart/Backup    00:00:37    172.16.207.2    /Inbound
    10.10.26.10       1   ExStart/DROther   00:00:34    172.16.207.3    /Inbound
    LTM-01[2]>

From debug in the Cisco Router:

    863027: Aug 7 11:37:12.920 PDT: OSPF-26 ADJ Gi0/1: Send DBD to 172.16.207.254 seq 0x238E opt 0x52 flag 0x7 len 32
    863028: Aug 7 11:37:12.920 PDT: OSPF-26 ADJ Gi0/1: Retransmitting DBD to 172.16.207.254 [8]

Here I can see that the router is actively sending DBD packets to the F5, but there is no reply back. All the devices are running an interface MTU of 1500 bytes. I am not sure how to debug OSPF on the F5 device. Any help would be appreciated!

1.1K Views, 0 likes, 3 Comments

BIG-IP OSPF with Palo Alto
I have 2 BIG-IP 2200s units in an active/standby pair. Both of them OSPF peer with a Palo Alto 3060 failover pair. Whenever there is a topology change, such as a failover of the Palo Alto - I cannot get a full adjacency to establish between the Palo Alto and either of the F5s. It is stuck in the "exchange" state. Packet capture shows hellos being exchanged normally. The Palo Alto is repeatedly sending its Database Descriptor to the F5s, but not the other way around.

The issue is resolved when I clear the OSPF process on the F5s. The F5 finally sends its Database Descriptor to the Palo Alto and I get full adjacency at that point. However if there is a real failover event on the firewalls, this would effectively bring our network down until someone can manually intervene.

BIG-IP version: 11.5.4 HF2
Palo Alto version: 6.1.14

Anyone ever see this issue? It looks like a bug to me.

283 Views, 0 likes, 1 Comment

OSPF - F5 Equivalent to Non Stop Routing
I'm running OSPF between a Juniper and a PAN. When I reboot a box, either the PAN or the F5, the routes immediately time out, however the peer relationship stays. As a result, if the box is the DR the routes do not reappear until the peer relationship drops off. How can I avoid this? On the SRX this is non stop routing; is there an equivalent on the F5? OSPF configuration is straightforward with basic network statements and area 0.0.0.0. I have considered BFD, however that is a bigger architectural change throughout the network. Thank you.

189 Views, 0 likes, 0 Comments

redistribute Virtual Server IP in a HA Pair using OSPF
Hello Experts, I have a HA Pair of BIG IP LTMs. I want to be able to redistribute the Virtual Server IPs to the upstream router only from the Active F5 box in the HA Pair. Please note that the virtual server sits in a separate subnet than the F5 interfaces/self-ips etc. So I need the active and the standby F5 to peer with the upstream routers, and at any point in time, only the active F5 box will be sending Virtual Server IP addresses to the upstream routers. How do I achieve this?

Many thanks
Bhav

239 Views, 0 likes, 1 Comment

is it possible to have virtual servers in a different subnet than that of the interface on the F5 ?
Hi All, is it possible to have virtual servers in a different subnet than that of the interface on the F5? I want to be able to peer to the upstream router with the F5's interface IP using OSPF. I want to be able to advertise the virtual server IP addresses using OSPF to the upstream router. There is a requirement to use a different IP subnet than that of the F5 interface. Is this possible? So that for all virtual server IP addresses, the upstream router has a route to the F5 interface IP address.

thanks
Bhav

259 Views, 0 likes, 1 Comment