[nsp] OSPF between Nokia Checkpoint FW and GSR Version 12.0(25.4)S1
Enno Rey
erey at ernw.de
Wed Jul 30 17:49:07 EDT 2003
Hi,
announcing the LLS capability is not done via an option but by adding an extra 12 bytes at the end of the hello packet.
So I'm not sure if the Nokia's behaviour is not RFC 2328 compliant... or just checking the packet's length (=> integrity?) scrupulously...
btw: ethereal does not display or interpret those 12 bytes either
thanks,
Enno
On Wed, Jul 23, 2003 at 11:07:06AM -0700, Siva Valliappan wrote:
> Hi Enno,
>
> in this case the Nokia device is not RFC2328 compliant:
>
>
> RFC2328 A.2:
> Five bits of the OSPF Options field have been assigned, although
> only one (the E-bit) is described completely by this memo. Each bit
> is described briefly below. Routers should reset (i.e. clear)
> unrecognized bits in the Options field when sending Hello packets or
> Database Description packets and when originating LSAs. Conversely,
> routers encountering unrecognized Option bits in received Hello
> Packets, Database Description packets or LSAs should ignore the
> capability and process the packet/LSA normally.
> +------------------------------------+
> | * | * | DC | EA | N/P | MC | E | * |
> +------------------------------------+
>
> The Options field
>
>
> the disadvantage of turning this off on a per process basis disables LLS
> for all neighbors.
>
> CSCea87697 will provide you with the capability to turn this on / off
> on a neighbor basis which will allow you to interoperate with non-RFC
> compliant devices without breaking LLS for other devices.
>
> cheers
> siva
> On Wed, 23 Jul 2003, Enno Rey wrote:
>
> > Hi,
> >
> > you should config
> >
> > "no capability lls" on the ospf process.
> > The latest IOS versions enable this feature (see cco for details on it) by default... I spent half a night troubleshooting until I found (rather by coincidence) Nokia KB 16909...
> >
> > With lls enabled they never leave init state due to kind of packet size mismatch on the nokia (you can see this in monitor - ospf - errors).
> > I'll enclose the mentioned article below.
> >
> > Thanks,
> >
> > --
> > Enno Rey
> >
> > ERNW Enno Rey Netzwerke GmbH - Zaehringerstr. 46 - 69115 Heidelberg
> > Tel. +49 6221 480390 - Fax 6221 419008 - Mobil +49 173 6745902
> > www.ernw.de - PGP E5CB 9505 EA06 6380 6F12 DE3E 624E 1334 326B B70C
> >
> > ----
> > Resolution 16909: OSPF IO: x.x.x.x->224.0.0.5: packet length 64 disagrees with header field 52
> >
> > Subject: OSPF IO: x.x.x.x->224.0.0.5: packet length 64 disagrees with header field 52
> > Product Line: IPSO (Operating System)
> > Category: OSPF
> > Version: All
> > Date Modified: 06/19/2003
> >
> > Description: OSPF is a link-state intra-domain routing protocol used in IP networks. OSPF routers exchange information on a link using packets that follow a well-defined format. The format of OSPF packets is not flexible enough to enable applications to exchange arbitrary data, which may be necessary in certain situations. Link-Local Signaling is a vendor specific, backward-compatible technique to exchange arbitrary data on a link.
> >
> > To perform Link-Local signaling (LLS), OSPF routers add a special data block at the end of OSPF packets or right after the authentication data block when cryptographic authentication is used. The length of the LLS-block is not included into the length of OSPF packet, but is included in the IP packet length.
> >
> > This error may show up when implementing OSPF with a Cisco router that has LLS enabled.
> >
> > Solution: Currently IPSO does not support Link-Local Signaling. A Request for Enhancement (RFE) has been filed with engineering to include Link-Local Signaling support within IPSO's OSPF implementation.
> >
> > Some other vendors now support Link-Local Signaling such as Cisco in IOS 12.3. However in order for OSPF to work between a Nokia and another vendor's equipment that supports this feature, Link Local Signaling must be turned OFF on the other unit, primarily since IPSO does not support this LLS. The command to do this, on the Cisco router, is under "router ospf", enter the "no capabilities lls" command.
> >
> > Failure to turn off Link-Local Signaling will cause the OSPF not to establish itself.
> >
> >
> >
> >
> >
> > On Wed, Jul 23, 2003 at 10:36:05AM +0200, Jan Olsson wrote:
> > >
> > > Hi
> > >
> > > This morning I upgraded one of my GSR to IOS ver 12.0(25.4)S1
> > > Have been running OSPF to a Nokia Checkpoint Firewall NG FP3 (on a Nokia
> > > IPSO 3.7 build 23) for years on previous IOS versions on a FastEthernet
> > > port. Since the upgrade it doesn't work
> > >
> > > Only goes to init state ;-(
> > >
> > > Does anybody have a clue
> > >
> > > Neighbor ID     Pri   State           Dead Time   Address         Interface
> > > xxx.xxx.xx.xx     1   INIT/DROTHER    00:00:37    xxx.xxx.xx.xx   FastEthernet3/3
> > >
> > >
> > > --
> > >
> > > /Jan
> > >
> > > Tele2 A/S - UNI2
> > >
> > > AS5492: Tele2 A/S AS5491: Olsson(dot)net
> > > URL : http://www.uni2.dk/ Phone: (+45) 77301200
> > >
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
--
Enno Rey
ERNW Enno Rey Netzwerke GmbH - Zaehringerstr. 46 - 69115 Heidelberg
Tel. +49 6221 480390 - Fax 6221 419008 - Mobil +49 173 6745902
www.ernw.de - PGP E5CB 9505 EA06 6380 6F12 DE3E 624E 1334 326B B70C
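
Added example (not part of the original messages and not either vendor's code): the length check behind the IPSO error quoted in the thread, run against a constructed 52-byte Hello followed by a 12-byte LLS block. It assumes no cryptographic authentication and the LLS block layout later published in RFC 5613 (checksum, length in 32-bit words, TLVs); the function names, router IDs and field values are made up for illustration.

```python
import struct

# OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType, auth
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")

def build_hello(neighbors, lls=b""):
    """Constructed sample Hello (checksums left at 0); lls is appended after the OSPF packet."""
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                       bytes(4), bytes(4)) + b"".join(neighbors)
    hdr = OSPF_HDR.pack(2, 1, OSPF_HDR.size + len(body), bytes([10, 0, 0, 1]),
                        bytes(4), 0, 0, bytes(8))
    return hdr + body + lls

def build_lls():
    """12-byte LLS block: checksum (0 here), length = 3 words, one Extended Options TLV."""
    return struct.pack("!HHHHI", 0, 3, 1, 4, 0x00000001)

def check_length(ip_payload, lls_aware):
    """Compare IP payload length with the OSPF header length field; return (verdict, reason)."""
    if len(ip_payload) < OSPF_HDR.size:
        return ("drop", "shorter than an OSPF header")
    hdr_len = OSPF_HDR.unpack_from(ip_payload)[2]
    trailing = len(ip_payload) - hdr_len
    if hdr_len < OSPF_HDR.size or trailing < 0:
        return ("drop", "header length field outside the received data")
    if trailing == 0:
        return ("accept", "lengths agree")
    if not lls_aware:  # strict receiver: any trailing data is an error
        return ("drop", f"packet length {len(ip_payload)} disagrees with header field {hdr_len}")
    if trailing < 4:
        return ("drop", "trailing data too short for an LLS header")
    _cksum, words = struct.unpack_from("!HH", ip_payload, hdr_len)
    if words * 4 != trailing:  # bound the block by its own length field
        return ("drop", "LLS length field does not match trailing data")
    return ("accept", f"{trailing}-byte LLS block after the OSPF packet")

if __name__ == "__main__":
    nbrs = [bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3])]  # constructed neighbor IDs
    pkt = build_hello(nbrs, build_lls())
    print(check_length(pkt, lls_aware=False))
    print(check_length(pkt, lls_aware=True))
```

An LLS-aware receiver still validates the trailing block against its own length field before accepting it, so tolerating LLS does not mean skipping the length check.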