Why can't I see the OSPF session in the CLI?
33089
Created On 04/22/19 04:23 AM - Last Modified 03/26/21 17:38 PM
Question
Why can't I see the OSPF session in the firewall CLI, even though OSPF has established adjacency and neighborship and the OSPF neighbors are exchanging routes?
Answer
The Palo Alto Networks firewall does not create a session for OSPF multicast packets. It creates a session only for OSPF unicast packets (OSPF packets that carry a unicast address in the destination IP address field), and only if a security rule allows OSPF.
In general, there are five types of OSPF packets:
1) OSPF Hello packet
2) OSPF Database Description packet
3) OSPF Link State Request packet
4) OSPF Link State Update packet
5) OSPF Link State Acknowledgment packet
During the initial link state database exchange, OSPF uses packet type 2, Database Description, which is sent as a unicast packet, to exchange link state information. Packet type 3, Link State Request, and packet type 4, Link State Update, may also be sent as unicast packets during this exchange. Hence the Palo Alto Networks firewall creates a session for these unicast OSPF packets. Hello packets, and the Link State Update and Link State Acknowledgment packets used for flooding on broadcast networks, are addressed to the OSPF multicast groups 224.0.0.5 (AllSPFRouters) or 224.0.0.6 (AllDRouters), so they never produce a session entry.
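To make the unicast-versus-multicast distinction concrete, the following Python script is an added example (not Palo Alto Networks code and not part of the original article). It constructs minimal IPv4/OSPFv2 packets for all five packet types, decodes the destination address and the OSPF type field, and reports which packets would get a session entry under the rule above (unicast destination, policy permitting) and which would not. The lab addresses 10.20.10.11 and 10.20.10.12 and the neighbor router ID 12.12.12.12 come from the article; the router ID 11.11.11.11, the packet ordering and the zero checksums are assumptions of this example.

```python
"""
Decode IPv4/OSPFv2 headers and predict whether a stateful firewall that
participates in OSPF would create a session for the packet.

Added example for this article, not Palo Alto Networks code. The packets
are constructed in the script (no capture is used), using the article's
lab addresses and the OSPF multicast groups defined in RFC 2328. The
checksums are left zero because only the addressing and the OSPF type
field matter for the session decision shown here.
"""
import ipaddress
import struct

OSPF_PROTO = 89
ALL_SPF_ROUTERS = "224.0.0.5"   # Hello and flooded LSU/LSAck on broadcast links
ALL_D_ROUTERS = "224.0.0.6"     # packets addressed to the DR/BDR

# OSPFv2 packet types (RFC 2328, section 4.3)
OSPF_TYPES = {
    1: "Hello",
    2: "Database Description",
    3: "Link State Request",
    4: "Link State Update",
    5: "Link State Acknowledgment",
}


def build_ospf_packet(src, dst, ptype, router_id="11.11.11.11", area="0.0.0.0"):
    """Minimal IPv4 header + 24-byte OSPFv2 header (no body, zero checksums)."""
    ospf = struct.pack(
        "!BBH4s4sHH8s",
        2, ptype, 24,                              # version, type, packet length
        ipaddress.ip_address(router_id).packed,
        ipaddress.ip_address(area).packed,
        0,                                         # OSPF checksum (not computed)
        0,                                         # AuType 0: null authentication
        b"\x00" * 8,                               # authentication field
    )
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(ospf), 0, 0, 1, OSPF_PROTO, 0,   # IHL=5, TTL=1, proto 89
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return ip + ospf


def parse_ospf_packet(pkt):
    """Return (src, dst, type_name); raise ValueError for anything that is not OSPFv2."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != OSPF_PROTO:
        raise ValueError(f"IP protocol {pkt[9]} is not OSPF (89)")
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    ospf = pkt[ihl:]
    if len(ospf) < 24:
        raise ValueError("truncated OSPF header")
    if ospf[0] != 2:
        raise ValueError(f"OSPF version {ospf[0]} not handled")
    name = OSPF_TYPES.get(ospf[1])
    if name is None:
        raise ValueError(f"unknown OSPF packet type {ospf[1]}")
    return src, dst, name


def creates_session(pkt):
    """True when the destination is unicast: the firewall creates a session for
    such OSPF packets (if a security rule allows them) and none for multicast."""
    _, dst, _ = parse_ospf_packet(pkt)
    return not ipaddress.ip_address(dst).is_multicast


def classify(packets):
    """Map each packet to (type_name, dst, creates_session) for a quick overview."""
    result = []
    for pkt in packets:
        _, dst, name = parse_ospf_packet(pkt)
        result.append((name, dst, creates_session(pkt)))
    return result


# Constructed exchange between the two lab routers: Hello via multicast,
# database synchronisation (DD, LSR, LSU) via unicast, flooding via multicast.
LAB_EXCHANGE = [
    build_ospf_packet("10.20.10.11", ALL_SPF_ROUTERS, 1),
    build_ospf_packet("10.20.10.11", "10.20.10.12", 2),
    build_ospf_packet("10.20.10.12", "10.20.10.11", 3, router_id="12.12.12.12"),
    build_ospf_packet("10.20.10.11", "10.20.10.12", 4),
    build_ospf_packet("10.20.10.12", ALL_D_ROUTERS, 5, router_id="12.12.12.12"),
]

if __name__ == "__main__":
    for name, dst, session in classify(LAB_EXCHANGE):
        print(f"{name:<26} -> {dst:<12} session: {'yes' if session else 'no'}")
```

Only the destination address decides the outcome; the OSPF type is decoded so the listing can be read against the five packet types above. A Hello or a flooded Link State Update to 224.0.0.5 is consumed by the firewall's routing engine without a session, while a Database Description or Link State Request addressed to the neighbor's interface address is what shows up in `show session all filter application ospf`.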
For example, adjacency and neighborship have been established between two devices with OSPF IP addresses 10.20.10.11 and 10.20.10.12.
In a packet capture of this exchange, the DB Description, LS Request and LS Update packets carry unicast destination IP addresses.
The corresponding session (created for the OSPF unicast packets) in the firewall CLI is shown below:
admin@Lab> show session all filter application ospf

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
160069       ospf           ACTIVE  FLOW       10.20.10.11[20033]/L3-Lab-OSPF-Zone/89  (10.20.10.11[20033])
vsys1                                          10.20.10.12[20033]/L3-Lab-OSPF-Zone  (10.20.10.12[20033])
admin@Lab> show session id 160069

Session          160069

        c2s flow:
                source:      10.20.10.11 [L3-Lab-OSPF-Zone]
                dst:         10.20.10.12
                proto:       89
                sport:       20033           dport:      20033
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      10.20.10.12 [L3-Lab-OSPF-Zone]
                dst:         10.20.10.11
                proto:       89
                sport:       20033           dport:      20033
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Tue Apr  9 15:15:40 2019
        timeout                              : 30 sec
        time to live                         : 22 sec
        total byte count(c2s)                : 386
        total byte count(s2c)                : 320
        layer7 packet count(c2s)             : 5
        layer7 packet count(s2c)             : 4
        vsys                                 : vsys1
        application                          : ospf
        rule                                 : Lab-Any
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        layer7 processing                    : completed
        URL filtering enabled                : False
        session via syn-cookies              : False
        session terminated on host           : True
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/7
        egress interface                     : ethernet1/7
        session QoS rule                     : N/A (class 4)
        tracker stage l7proc                 : ctd app has no decoder
        end-reason                           : unknown

Note that the session shows "session terminated on host : True": the firewall is itself the OSPF neighbor here, so this is host-bound traffic to the firewall's own interface (ethernet1/7 on both ingress and egress), not transit traffic. The session was matched by the security rule Lab-Any; without a rule permitting OSPF, no session would be created even for the unicast packets.

This OSPF session expires after the initial link state database exchange completes. With a 30 second timeout and no further unicast OSPF packets, the time to live counts down to zero:
admin@Lab> show session id 160069

Session          160069

        c2s flow:
                source:      10.20.10.11 [L3-Lab-OSPF-Zone]
                dst:         10.20.10.12
                proto:       89
                sport:       20033           dport:      20033
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      10.20.10.12 [L3-Lab-OSPF-Zone]
                dst:         10.20.10.11
                proto:       89
                sport:       20033           dport:      20033
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Tue Apr  9 15:15:40 2019
        timeout                              : 30 sec
        time to live                         : 0 sec (expired) <<=====
        total byte count(c2s)                : 386
        total byte count(s2c)                : 320
        layer7 packet count(c2s)             : 5
        layer7 packet count(s2c)             : 4
        vsys                                 : vsys1
        application                          : ospf
        rule                                 : Lab-Any
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        layer7 processing                    : completed
        URL filtering enabled                : False
        session via syn-cookies              : False
        session terminated on host           : True
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/7
        egress interface                     : ethernet1/7
        session QoS rule                     : N/A (class 4)
        tracker stage l7proc                 : ctd app has no decoder
        end-reason                           : unknown

The OSPF neighbors may continue to exchange further packets such as LS Update, LS Acknowledgment and Hello packets, but no session is created for these because they are OSPF multicast packets. An absent or expired OSPF session in the session table is therefore not by itself a sign of a problem; the neighbor state is the authoritative check.
The OSPF neighborship can be checked with the following CLI command:
admin@Lab> show routing protocol ospf neighbor
Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability,
N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability
==========
virtual router: default
neighbor address: 10.20.10.12
local address binding: 0.0.0.0
type: dynamic
status: full <<=====
neighbor router ID: 12.12.12.12
area id: 0.0.0.0
neighbor priority: 1
lifetime remain: 30
messages pending: 0
LSA request pending: 0
options: 0x42: O E
hello suppressed: no
restart helper status: not helping
restart helper time remaining: 0
restart helper exit reason: none
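To turn the reasoning above into a repeatable check, the following Python script is an added example, not part of the article or of Palo Alto Networks tooling. It parses the two listings shown above (the expired `show session id 160069` output and the `show routing protocol ospf neighbor` output, abbreviated to the lines the check needs and embedded as constructed input) and states whether an absent or expired OSPF session is expected given the neighbor status. The verdict wording is this example's own; the underlying rules (unicast OSPF creates a session, multicast does not, a security rule must permit OSPF) are the article's.

```python
"""
Cross-check a PAN-OS OSPF session listing against the OSPF neighbor
status to decide whether a missing or expired session is expected.

Added example for this article, not Palo Alto Networks code. The inputs
are the article's own CLI transcripts, shortened to the relevant lines.
"""
import re

# Constructed input: abbreviated second `show session id 160069` listing.
SESSION_OUTPUT = """\
Session          160069

        c2s flow:
                source:      10.20.10.11 [L3-Lab-OSPF-Zone]
                dst:         10.20.10.12
                proto:       89
        start time                           : Tue Apr  9 15:15:40 2019
        timeout                              : 30 sec
        time to live                         : 0 sec (expired) <<=====
        application                          : ospf
        rule                                 : Lab-Any
        session terminated on host           : True
"""

# Constructed input: abbreviated `show routing protocol ospf neighbor` listing.
NEIGHBOR_OUTPUT = """\
virtual router: default
  neighbor address: 10.20.10.12
  local address binding: 0.0.0.0
  type: dynamic
  status: full <<=====
  neighbor router ID: 12.12.12.12
  area id: 0.0.0.0
"""

_MARKER = re.compile(r"\s*<<=+\s*$")  # the article's "<<=====" highlight


def parse_fields(text):
    """Turn 'key : value' lines into a dict (keys lower-cased, markers removed).
    Only the first ':' splits, so timestamps keep their colons."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = _MARKER.sub("", value).strip()
    return fields


def session_state(text):
    """Return (ttl_seconds, expired, terminated_on_host) for an OSPF session."""
    f = parse_fields(text)
    if f.get("application") != "ospf":
        raise ValueError("listing is not an OSPF session")
    m = re.match(r"(\d+)\s*sec(.*)", f["time to live"])
    if m is None:
        raise ValueError(f"unparsed time to live: {f['time to live']!r}")
    return int(m.group(1)), "expired" in m.group(2), f.get("session terminated on host") == "True"


def neighbor_state(text):
    """Return (neighbor_address, status) from the OSPF neighbor listing."""
    f = parse_fields(text)
    return f.get("neighbor address"), f.get("status")


def assess(session_text, neighbor_text):
    """Explain the session table in terms of OSPF behaviour.
    session_text may be None when no OSPF session is present at all."""
    addr, status = neighbor_state(neighbor_text)
    if status != "full":
        return (f"neighbor {addr} status {status!r}: adjacency not established; "
                f"check the OSPF configuration and that a security rule permits application ospf")
    if session_text is None:
        return (f"neighbor {addr} full, no OSPF session: expected after database exchange; "
                f"only unicast OSPF packets create a session")
    ttl, expired, _ = session_state(session_text)
    if expired:
        return (f"neighbor {addr} full, unicast OSPF session expired: expected; "
                f"later Hello/LSU/LSAck packets are multicast and create no session")
    return f"neighbor {addr} full, unicast OSPF session alive ({ttl}s left): database exchange in progress"


if __name__ == "__main__":
    print(assess(SESSION_OUTPUT, NEIGHBOR_OUTPUT))
    print(assess(None, NEIGHBOR_OUTPUT))
```

The check deliberately reads the neighbor status first: a full adjacency with no session, or with an expired one, is the normal steady state described in this article, whereas a neighbor stuck below full with no session at all is the case where the security policy for OSPF is worth verifying.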