OSPF graceful helper mode exited due to topology change

OSPF graceful helper mode exited due to topology change

16106
Created On 09/25/18 17:15 PM - Last Modified 06/12/23 22:26 PM


Symptom


Symptoms

Even though Palo Alto Networks firewall is configured in OSPF graceful helper mode, when the OSPF neighbor is down for a short period of time or is unavailable for short intervals, the firewall will exit from helper mode and resume normal operations with an error in system log: "Graceful helper mode exited due to Topology change".

Diagnosis

When an OSPF neighbor is down for a short period of time or is unavailable for short intervals, it sends grace LSAs (LSA type 9). Upon receiving grace LSAs, the firewall continues to manintain the OSPF adjency in full-state. However, in some cases even though the firewall is configured in OSPF graceful helper mode it will discard the graceful LSA, exit from helper mode, and resume normal operations.

 

There are many common reasons why the firewall is exiting from OSPF helper mode, but the most common reason is if there is a topology change.

Resolution


 

In certain network designs, you can safely ignore the network topology change during the failover event depending on how network traffic flows. For example, flaps on out-of-the-way interfaces do not impact network traffic flowing through the failed device.  So, in this scenario, we can prevent the firewall from exiting from OSPF Graceful helper mode.

 

To prevent the firewall from exiting from OSPF Graceful helper mode due to any topology change, we need to disable the "Strict LSA Checking" feature from the OSPF advanced settings.

 

Follow the below steps to disable 'Strict LSA Checking.'

 

Best practice

Take a close look at the impact of topology change in your network design before making this change because inappropriate changes will lead to inconsistent OSPF routing. 

 

From the GUI

  1. Go to Network > Virtual Routers.
  2. Select the appropriate Virtual Router > OSPF > Advanced > uncheck 'Strict LSA Checking.'
  3. Commit the changes.

 

Strict_LSA.png

 

From the CLI:

Firewall> configure

Entering configuration mode

[edit]

Firewall# set network virtual-router default protocol ospf graceful-restart strict-LSA-checking no

Firewall# commit
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClECCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language