Why Can't OSPF Sessions Be Seen in the CLI?
33083
Created On 04/22/19 04:23 AM - Last Modified 04/24/19 16:21 PM
Question
Why can't I see OSPF firewall sessions in CLI even though OSPF adjacency and neighborship is established and the OSPF neighbors are exchanging routes?
Answer
Palo Alto Networks firewalls do not set up a session for OSPF multicast packets. OSPF sessions are created only for OSPF unicast packets (that is, OSPF packets carrying a unicast address in the destination IP field), and only when a security rule allows them.
In general, there are five types of OSPF packets:
1) OSPF Hello Packet
2) OSPF Database Description Packet
3) OSPF Link State Request Packet
4) OSPF Link State Update Packet
5) OSPF Link State Acknowledgement Packet
During the initial OSPF link state database exchange, the Type 2 "Database Description" packet is used, which is a unicast packet. The Type 3 "Link State Request" and Type 4 "Link State Update" packets used to exchange link state information may also be sent as unicast. Palo Alto Networks firewalls therefore create an OSPF session for these OSPF unicast packets.
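To make the rule concrete, the following added Python example (not from the article or from Palo Alto Networks) constructs minimal IPv4/OSPFv2 packets for the five packet types and reports which ones a firewall would create a session for, using only the unicast-versus-multicast destination test described above. The neighbor addresses and router ID 12.12.12.12 are taken from the article; the packet bytes themselves are constructed and carry no valid checksums.

```python
import ipaddress
import struct

IPPROTO_OSPF = 89
# OSPFv2 packet types (RFC 2328); the five the article lists.
OSPF_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Acknowledgement"}

def build_ipv4_ospf(src, dst, ospf_type, payload=b""):
    """Constructed sample: minimal IPv4 header + 24-byte OSPFv2 header (no checksums)."""
    ospf = struct.pack("!BBHIIHHQ", 2, ospf_type, 24 + len(payload),
                       int(ipaddress.IPv4Address("12.12.12.12")),  # router ID from the article
                       0, 0, 0, 0) + payload  # area 0.0.0.0, checksum, auth type, auth data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(ospf), 0, 0, 1,
                     IPPROTO_OSPF, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + ospf

def classify(pkt):
    """Return (OSPF type name, destination, session_expected) for one raw IPv4 packet.

    session_expected mirrors the article's rule: a PAN-OS session is created only
    when the OSPF packet's destination address is unicast (and a security rule
    permits it); packets to 224.0.0.5 / 224.0.0.6 never create one.
    """
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_OSPF:
        raise ValueError("not OSPF: IP protocol %d" % pkt[9])
    dst = ipaddress.IPv4Address(pkt[16:20])
    name = OSPF_TYPES.get(pkt[ihl + 1], "unknown")
    return name, str(dst), not dst.is_multicast

def sessions_expected(pkts):
    """Names of the packets in a capture that would show up under 'show session'."""
    return [name for name, _dst, ok in map(classify, pkts) if ok]

# Constructed capture mirroring the article's exchange between 10.20.10.11 and 10.20.10.12.
SAMPLE_CAPTURE = [
    build_ipv4_ospf("10.20.10.11", "224.0.0.5", 1),    # Hello, AllSPFRouters multicast
    build_ipv4_ospf("10.20.10.11", "10.20.10.12", 2),  # DB Description, unicast
    build_ipv4_ospf("10.20.10.12", "10.20.10.11", 3),  # LS Request, unicast
    build_ipv4_ospf("10.20.10.11", "10.20.10.12", 4),  # LS Update, unicast
    build_ipv4_ospf("10.20.10.12", "224.0.0.6", 5),    # LS Ack, AllDRouters multicast
]

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        name, dst, ok = classify(pkt)
        print("%-26s -> %-12s session: %s" % (name, dst, "yes" if ok else "no"))
```

Running the block lists only the three unicast packets as session-creating, matching the single `ospf` session the article shows between 10.20.10.11 and 10.20.10.12.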
For example, an OSPF adjacency and neighborship is established between two devices using IPs 10.20.10.11 and 10.20.10.12.
As shown in the packet capture snippet below, the DB Description, LS Request, and LS Update packets use unicast IP addresses.
A corresponding OSPF session (created for OSPF unicast packets) is seen in CLI as shown below:
admin@Lab> show session all filter application ospf
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
160069 ospf ACTIVE FLOW 10.20.10.11[20033]/L3-Lab-OSPF-Zone/89 (10.20.10.11[20033])
vsys1 10.20.10.12[20033]/L3-Lab-OSPF-Zone (10.20.10.12[20033])
admin@Lab> show session id 160069
Session 160069
c2s flow:
source: 10.20.10.11 [L3-Lab-OSPF-Zone]
dst: 10.20.10.12
proto: 89
sport: 20033 dport: 20033
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.20.10.12 [L3-Lab-OSPF-Zone]
dst: 10.20.10.11
proto: 89
sport: 20033 dport: 20033
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Tue Apr 9 15:15:40 2019
timeout : 30 sec
time to live : 22 sec
total byte count(c2s) : 386
total byte count(s2c) : 320
layer7 packet count(c2s) : 5
layer7 packet count(s2c) : 4
vsys : vsys1
application : ospf
rule : Lab-Any
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : True
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/7
egress interface : ethernet1/7
session QoS rule : N/A (class 4)
tracker stage l7proc : ctd app has no decoder
end-reason : unknown
This OSPF session expires after the initial link state database exchange state.
admin@Lab> show session id 160069
Session 160069
c2s flow:
source: 10.20.10.11 [L3-Lab-OSPF-Zone]
dst: 10.20.10.12
proto: 89
sport: 20033 dport: 20033
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.20.10.12 [L3-Lab-OSPF-Zone]
dst: 10.20.10.11
proto: 89
sport: 20033 dport: 20033
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Tue Apr 9 15:15:40 2019
timeout : 30 sec
time to live : 0 sec (expired) <<=====
total byte count(c2s) : 386
total byte count(s2c) : 320
layer7 packet count(c2s) : 5
layer7 packet count(s2c) : 4
vsys : vsys1
application : ospf
rule : Lab-Any
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : True
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/7
egress interface : ethernet1/7
session QoS rule : N/A (class 4)
tracker stage l7proc : ctd app has no decoder
end-reason : unknown
Further OSPF packets such as LS Update, LS Acknowledgement, and Hello packets may continue to be exchanged between the OSPF neighbors, but no sessions are set up for them because they are OSPF multicast packets.
To check the OSPF neighbor state, use the following CLI command:
admin@Lab> show routing protocol ospf neighbor
Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability,
N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability
==========
virtual router: default
neighbor address: 10.20.10.12
local address binding: 0.0.0.0
type: dynamic
status: full <<=====
neighbor router ID: 12.12.12.12
area id: 0.0.0.0
neighbor priority: 1
lifetime remain: 30
messages pending: 0
LSA request pending: 0
options: 0x42: O E
hello suppressed: no
restart helper status: not helping
restart helper time remaining: 0
restart helper exit reason: none