MTU Mismatch Could Cause OSPF Adjacency To Go Down.

Created On 12/07/20 21:08 PM - Last Modified 12/21/20 20:34 PM


Symptom


Traffic fails to pass after failover to the Secondary firewall when High Availability is configured. The firewall is only able to reach its neighbor devices, but not any other end hosts, and vice versa.
  • The system log shows that the OSPF adjacency with the neighbor has gone down.

  • The OSPF neighborship status shows that it is in the Exchange state.

  • When a packet capture filter is set up for the neighbor, the global counters show that the drop is due to flow_ipfrag_size_not_match.


Environment


  • Palo Alto Firewall
  • PAN-OS 9.1, 9.2
  • High-Availability (HA) and OSPF configured.


Cause


The session settings in the Device > Setup > Session tab show that jumbo frames are enabled with a Global MTU of 9214 on the secondary firewall, but not on the primary firewall.



Resolution


  1. Disable Jumbo frame and change Global MTU to 1500. Note that this matches the MTU of the neighboring device.
  2. Because a Jumbo frame change requires a reboot, follow up with a system reboot.
  3. The OSPF neighborship should come back up and all internal resources become reachable again.

Note: MTU mismatch can cause OSPF not to come up even in a non-HA Setup.
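
One way to confirm the mismatch from a packet capture, as an added example that is not part of the original article: per RFC 2328, every OSPF Database Description (DBD) packet carries the sender's Interface MTU, and a receiver rejects a DBD whose MTU is larger than it can accept, which holds the adjacency in ExStart/Exchange. The function names, router IDs and sample packets below are constructed for illustration, and the MTU values assume each interface advertises the Global MTU quoted above.

```python
import struct

OSPF_HDR_LEN = 24   # fixed OSPFv2 header (RFC 2328, A.3.1)
OSPF_TYPE_DBD = 2   # Database Description packet type

def build_dbd(router_id, mtu, flags=0x07, seq=1):
    """Build a minimal OSPFv2 DBD (no LSA headers); used only for the samples."""
    body = struct.pack("!HBBI", mtu, 0x02, flags, seq)
    rid = bytes(int(o) for o in router_id.split("."))
    hdr = struct.pack("!BBH4s4sHH8s", 2, OSPF_TYPE_DBD,
                      OSPF_HDR_LEN + len(body), rid, bytes(4), 0, 0, bytes(8))
    return hdr + body

def parse_dbd(pkt):
    """Return (router_id, interface_mtu, flags) from a raw OSPFv2 DBD packet."""
    if len(pkt) < OSPF_HDR_LEN + 8:
        raise ValueError("truncated OSPF packet")
    version, ptype, _length, rid = struct.unpack("!BBH4s", pkt[:8])
    if version != 2 or ptype != OSPF_TYPE_DBD:
        raise ValueError("not an OSPFv2 Database Description packet")
    # DBD body: Interface MTU (2), Options (1), I/M/MS flags (1), DD sequence (4)
    mtu, _options, flags, _seq = struct.unpack("!HBBI", pkt[24:32])
    return ".".join(str(b) for b in rid), mtu, flags

def check_mtu(local_dbd, neighbor_dbd):
    """Compare the Interface MTU each side advertises in its DBD."""
    l_rid, l_mtu, _ = parse_dbd(local_dbd)
    n_rid, n_mtu, _ = parse_dbd(neighbor_dbd)
    if l_mtu == n_mtu:
        return f"OK: {l_rid} and {n_rid} both advertise MTU {l_mtu}"
    big, small = (l_rid, n_rid) if l_mtu > n_mtu else (n_rid, l_rid)
    return (f"MISMATCH: {l_rid}={l_mtu}, {n_rid}={n_mtu}; {small} rejects "
            f"DBDs from {big}, so the adjacency stalls in ExStart/Exchange")

# Constructed samples: router IDs are documentation addresses; the MTU values
# assume each interface advertises the Global MTU quoted in the article.
PRIMARY_FW = build_dbd("192.0.2.1", 1500)
SECONDARY_FW = build_dbd("192.0.2.2", 9214)
NEIGHBOR = build_dbd("192.0.2.10", 1500)

if __name__ == "__main__":
    print(check_mtu(PRIMARY_FW, NEIGHBOR))
    print(check_mtu(SECONDARY_FW, NEIGHBOR))
```

With a real capture, pass `parse_dbd` the IP payload (protocol 89) of a DBD packet from each side instead of the constructed samples.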


Additional Information


Why Are OSPF Neighbors Stuck in Exstart/Exchange State?
