How to Determine a Type-5 OSPF Route Being Flushed from Link State Database
Symptom
- Under normal circumstances, every Link State Advertisement (LSA) in the link-state database is updated at least once every 30 minutes.
- If an LSA has not been updated after an hour, it is assumed to be no longer valid and is removed from the database.
- The LS Age field in the LSA header indicates the length of time since the LSA was last updated.
- If the age of an LSA reaches 30 minutes, the originating router refreshes the LSA by flooding a new instance of it, incrementing the LS sequence number and setting the LS Age back to 0.
- If the originating router has failed or the route itself is deleted, the age of the LSA continues to increase until the value of MaxAge (1 hour) is reached.
- At that time, the LSA is deleted from the database, as 3600 seconds is the maximum value that the LS Age field can attain.
- To ensure that all routers remove the LSA at around the same time and without depending on a synchronized clock, the LSA is re-flooded.
- All other routers will then remove their database copies on seeing the MaxAge LSA being flooded.
- This document explains how to determine when a re-distributed route into OSPF is getting deleted from a link state database.
Environment
- Palo Alto Firewall.
- Supported PAN-OS.
- OSPF configured.
Resolution
In an example scenario, the Palo Alto Networks firewall has formed an adjacency with a Cisco router (router id: 134.141.107.1) on the eth1/2 interface.
The Palo Alto Networks eth1/2 IP address is 134.141.102.65 and the Cisco router IP address is 134.141.102.66 on the same network.
The Cisco router redistributes the 134.141.76.0/24 static route into OSPF and the firewall updates this route in its LSDB as a type 5 external route.
> show routing protocol ospf lsdb
VIRTUAL ROUTER: default (id 1)
==============================
VR Area ID Orig RTR ID LS ID LSA Type Seq Number CheckSum Age Size
1 0.0.0.0 134.141.102.65 134.141.102.65 type-1 (Router) 0x80000001 0x0000366C 907 36
1 0.0.0.0 134.141.102.66 134.141.102.66 type-1 (Router) 0x80000002 0x0000696F 797 36
1 134.141.107.1 134.141.76.0/24 type-5 (External) 0x80000061 0x0000F2EA 1721
> show routing protocol ospf dumplsdb
VIRTUAL ROUTER: default (id 1)
==============================
VR Area ID Orig RTR ID LS ID LSA Type Seq Number CheckSum Age Size
1 0.0.0.0 134.141.102.65 134.141.102.65 type-1 (Router) 0x80000001 0x0000366C 1361 36
Options: [External]
Router LSA Options: [ASBR]
Stub Network: 10.66.24.0 Netmask 255.255.254.0, tos 0, metric: 10
1 0.0.0.0 134.141.102.66 134.141.102.66 type-1 (Router) 0x80000002 0x0000696F 1251 36
Options: [External]
Router LSA Options: [ASBR]
Transit Network: DR (IP: 10.66.24.22) on Interface 10.66.24.70, tos 0, metric: 10
1 134.141.107.1 134.141.76.0/24 type-5 (External) 0x80000001 0x0000FD29 209
Options: [External]
Mask 255.255.255.255, type 2, tos 0 metric: 1, forward 0.0.0.0, tag 0.0.0.0
When this route is deleted from the Cisco router, the Cisco router re-floods this LSA with an LS Age of 3600 (MaxAge) to tell its peers to flush the route from their databases.
> show routing protocol ospf lsdb | match 134.141.76.0
VIRTUAL ROUTER: default (id 1)
==============================
VR Area ID Orig RTR ID LS ID LSA Type Seq Number CheckSum Age Size
1 134.141.107.1 134.141.76.0/24 type-5 (External) 0x80000061 0x0000F2EA 3600
> show routing protocol ospf dumplsdb | match 134.141.76.0
VIRTUAL ROUTER: default (id 1)
==============================
VR Area ID Orig RTR ID LS ID LSA Type Seq Number CheckSum Age Size
1 134.141.107.1 134.141.76.0/24 type-5 (External) 0x80000001 0x0000FD29 3600
Options: [External]
Mask 255.255.255.255, type 2, tos 0 metric: 1, forward 0.0.0.0, tag 0.0.0.0
Note: The output of any command piped to "match" displays only the lines that contain the given value. The expanded output above is shown to include the associated information; in reality the command displays only the line below:
1 134.141.107.1 134.141.76.0/24 type-5 (External) 0x80000061 0x0000F2EA 3600
When this LSA is flooded to its peers, they update their databases by removing the route, since MaxAge has been reached.
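As an added illustration (not part of the original article or of PAN-OS), the following Python parses the table printed by "show routing protocol ospf lsdb" and flags type-5 LSAs whose LS Age has reached MaxAge; the sample output it embeds is constructed from the rows shown above, and the thresholds are the 30-minute refresh and 1-hour MaxAge values described under Symptom.

```python
import re

LS_REFRESH_TIME = 1800  # seconds: originator re-floods the LSA at 30 minutes
MAX_AGE = 3600          # seconds: LSA reaches MaxAge and is flushed at 1 hour

# One table row of "show routing protocol ospf lsdb".  Type-5 rows carry no
# Area ID column, so the leading fields (3 or 4 tokens) are captured loosely.
ROW_RE = re.compile(
    r"^(?P<lead>\S+(?: \S+){2,3}) type-(?P<type>\d+) \(\w+\) "
    r"(?P<seq>0x[0-9A-Fa-f]+) (?P<csum>0x[0-9A-Fa-f]+) (?P<age>\d+)(?: \d+)?$")

def age_state(age):
    """Classify an LS Age value against the refresh and MaxAge thresholds."""
    if age >= MAX_AGE:
        return "maxage"       # originator is flushing it; peers remove their copy
    if age >= LS_REFRESH_TIME:
        return "refresh-due"  # originator should have re-flooded by now
    return "fresh"

def parse_lsdb(output):
    """Return one dict per LSA row; banner, header and dumplsdb detail lines are skipped."""
    lsas = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        lead = m.group("lead").split()
        # Router/network LSAs: VR Area OrigRtr LSID; external LSAs: VR OrigRtr LSID
        area = lead[1] if len(lead) == 4 else None
        lsas.append({"vr": lead[0], "area": area, "orig_rtr": lead[-2],
                     "ls_id": lead[-1], "type": int(m.group("type")),
                     "seq": int(m.group("seq"), 16), "age": int(m.group("age")),
                     "state": age_state(int(m.group("age")))})
    return lsas

def flushed_externals(output):
    """LS IDs of type-5 LSAs that have reached MaxAge in the given output."""
    return [l["ls_id"] for l in parse_lsdb(output)
            if l["type"] == 5 and l["state"] == "maxage"]

# Constructed sample, modelled on the lsdb output shown in this article.
SAMPLE = """\
VIRTUAL ROUTER: default (id 1)
==============================
VR Area ID Orig RTR ID LS ID LSA Type Seq Number CheckSum Age Size
1 0.0.0.0 134.141.102.65 134.141.102.65 type-1 (Router) 0x80000001 0x0000366C 907 36
1 0.0.0.0 134.141.102.66 134.141.102.66 type-1 (Router) 0x80000002 0x0000696F 797 36
1 134.141.107.1 134.141.76.0/24 type-5 (External) 0x80000061 0x0000F2EA 3600
"""
```

Running flushed_externals(SAMPLE) on the constructed sample returns the one external prefix at MaxAge, while the two router LSAs are still classified as fresh.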
Additional Information
The same information can be viewed in a packet capture while debugging: