OSPFv3 neighbors do not establish over IPSec tunnels

Created On 03/27/19 13:39 PM - Last Modified 03/29/19 06:24 AM


Symptom


OSPFv3 neighbors do not establish over IPSec tunnels between Palo Alto Networks firewalls.



Environment


  • IPSec tunnels between Palo Alto Networks firewalls.
  • Firewalls at both ends of the tunnel are configured for high availability.
  • OSPFv3 configured on tunnel interfaces.
  • IPv6 is enabled on tunnel interfaces and the interface ID uses the default EUI-64.


Cause


The neighbors do not form because each firewall receives a hello packet sourced from its own IPv6 link-local address, so it drops the hello as self-originated.

The following errors appear in routed.log:
OSPF 4097 i/f idx 0X00000104 inst ID 0 Received Hello packet dropped because it originated from local router.
Diagnostic information for support:
Source IP address = FE80::21B:17FF:FE00:104


When HA is enabled on a firewall, the MAC addresses of its interfaces are replaced with virtual MAC addresses made up of the HA group ID and the interface ID. Tunnel interfaces have interface ID 4, so if both HA pairs use the same HA group ID, the virtual MAC address of the tunnel interface is identical on each firewall.

With EUI-64, the IPv6 interface ID is derived from the interface's MAC address. Because the tunnel interface's virtual MAC is the same at both ends, the resulting IPv6 address is also the same, and OSPFv3 cannot establish.



Resolution


Assign a unique IPv6 Interface ID for the tunnel interfaces.
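The derivation in the Cause section and the fix in the Resolution can be checked offline. The script below is an added example written for this page; it is not Palo Alto Networks code. It assumes a virtual MAC layout of the vendor OUI 00:1b:17, a 00 octet, the HA group ID and the interface ID (an assumption that is consistent with the source address quoted in the log, which reverses to 00:1b:17:00:01:04, i.e. HA group 1 and interface ID 4), computes the modified EUI-64 link-local address each tunnel interface would get, flags the collision when two HA pairs share a group ID, shows it disappear once each tunnel interface has a manually assigned interface ID, and includes a small hypothetical helper that pulls the offending source addresses out of a constructed routed.log excerpt.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Assumed virtual MAC layout: OUI 00:1b:17, then 00, then the HA group ID and
# the interface ID as one octet each. Consistent with the article's quoted
# address (FE80::21B:17FF:FE00:104 -> 00:1b:17:00:01:04 -> group 1, iface 4),
# but an assumption made for this example, not vendor documentation.
VMAC_PREFIX = "00:1b:17:00"
TUNNEL_IFACE_ID = 4  # from the article: tunnel interfaces use interface ID 4


def pan_virtual_mac(ha_group_id: int, interface_id: int = TUNNEL_IFACE_ID) -> str:
    """Build the assumed HA virtual MAC for an interface."""
    if not (0 <= ha_group_id <= 255 and 0 <= interface_id <= 255):
        raise ValueError("HA group ID and interface ID must each fit in one octet")
    return f"{VMAC_PREFIX}:{ha_group_id:02x}:{interface_id:02x}"


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291): split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes(int(part, 16) for part in re.split(r"[:\-]", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Link-local address an interface gets when its interface ID is EUI-64."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def link_local_from_static_iid(iid: int) -> ipaddress.IPv6Address:
    """Link-local address when the interface ID is assigned manually (the fix)."""
    if not 0 <= iid < (1 << 64):
        raise ValueError("interface ID must fit in 64 bits")
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | iid)


def tunnel_link_locals(firewalls: Dict[str, int],
                       static_iids: Optional[Dict[str, int]] = None
                       ) -> Dict[str, ipaddress.IPv6Address]:
    """Map firewall name -> tunnel link-local, given each firewall's HA group ID.

    A manual interface ID in static_iids overrides EUI-64 for that firewall.
    """
    static_iids = static_iids or {}
    result = {}
    for name, group in firewalls.items():
        if name in static_iids:
            result[name] = link_local_from_static_iid(static_iids[name])
        else:
            result[name] = link_local_from_mac(pan_virtual_mac(group))
    return result


def duplicated_addresses(addresses: Dict[str, ipaddress.IPv6Address]) -> List[str]:
    """Return the link-locals that more than one firewall would use."""
    counts = Counter(addresses.values())
    return sorted(str(addr) for addr, n in counts.items() if n > 1)


# Hypothetical helper: scan routed.log text for hellos dropped as self-originated
# and return the source addresses reported in the diagnostic lines that follow.
DROP_MARKER = "Received Hello packet dropped because it originated from local router"
SRC_RE = re.compile(r"Source IP address = (\S+)")


def hello_dropped_as_local(routed_log: str) -> List[str]:
    sources, pending = [], False
    for line in routed_log.splitlines():
        if DROP_MARKER in line:
            pending = True
        elif pending:
            m = SRC_RE.search(line)
            if m:
                sources.append(m.group(1))
                pending = False
    return sources


if __name__ == "__main__":
    # Constructed scenario: two HA pairs, both on HA group ID 1, tunnels on EUI-64.
    broken = tunnel_link_locals({"site-a": 1, "site-b": 1})
    print("EUI-64:", broken, "duplicates:", duplicated_addresses(broken))
    # The article's resolution: a unique interface ID per tunnel interface.
    fixed = tunnel_link_locals({"site-a": 1, "site-b": 1}, {"site-a": 1, "site-b": 2})
    print("static IIDs:", fixed, "duplicates:", duplicated_addresses(fixed))
    # Constructed routed.log excerpt in the format the article quotes.
    sample_log = (
        "OSPF 4097 i/f idx 0X00000104 inst ID 0 " + DROP_MARKER + ".\n"
        "Diagnostic information for support:\n"
        "Source IP address = FE80::21B:17FF:FE00:104\n"
    )
    print("self-sourced hellos seen from:", hello_dropped_as_local(sample_log))
```

Running it reproduces the address from the log (fe80::21b:17ff:fe00:104) on both firewalls while the HA group IDs match, and shows that either a different HA group ID per pair or, as the article prescribes, a manually assigned interface ID on each tunnel interface gives the two ends distinct link-local addresses.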



Additional Information


HOW TO CALCULATE A VIRTUAL MAC ADDRESS


