OSPF Basics

OSPF ----- IP protocol 89

100 routers per area = Cisco recommendation (but you can have "n" routers, depending on CPU)
224.0.0.5 ===> AllSPFRouters address (hello packets)
224.0.0.6 ===> AllDRouters address (DR and BDR only)


DR/BDR ---> 224.0.0.5 ---> received by DROther/BDR/DR (all routers)
DROther ---> 224.0.0.6 ---> received by DR/BDR only

Type=Link-State
Algorithm=Dijkstra
Metric=Cost (Bandwidth)
AD==>110
process id = 1 to 65535 ===>
    ++ you can run "n" number of process IDs in a single area,
    ++ neighborship can form between routers using two different process IDs,
    ++ multiple process IDs can run on a single router, but they cannot exchange routes unless redistributed.

LOOP Avoidance:-
++ using backbone area 0
++ if only one area is used, there is no need for area 0
++ if there is more than one area, then we need area 0
++ within an area it is all about the Dijkstra algorithm and SPF calculation
Distance-vector behaviour between areas:-
    ++ a router knows the complete topology information within its own area
    ++ but for inter-area routes (other areas) a router depends on the ABR
    ++ so if an area has multiple ABRs then
    RULE 1:- an ABR runs the SPF calculation only for Summary LSAs (type 3) coming from the backbone area, not for those coming from other areas.
    ex:- 3 areas connected in a triangle shape, etc.
                            
DR/BDR :- elected by highest priority, then highest router ID (the BDR is elected first, then the DR)
router id:- manual router-id > highest loopback IP > highest physical interface IP
(Reason why a DR/BDR is elected: if a link state changes, the update is sent to the DR,
and the DR forwards it to all routers, which reduces LSA flooding.)

default priority == 1

Priority = 0 <======= never becomes DR/BDR  (#ip ospf priority 0)

use of DR/BDR = reduces CPU utilization (less flooding; routers form a full adjacency only with the DR and BDR)
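Added example (not from these notes or from Cisco) modelling the election rule above for a segment where all routers start at the same time; the router names, priorities and IDs are constructed.

```python
"""OSPF DR/BDR election on a broadcast segment (added example, not Cisco code).
Models the simultaneous-start case from RFC 2328: no router already claims
DR or BDR, so the election reduces to highest priority, then highest router
ID, with priority-0 routers excluded. OSPF is non-preemptive: a router that
joins later does not displace an existing DR, which this model ignores."""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def router_id_of(manual: Optional[str], loopbacks: List[str],
                 physical: List[str]) -> str:
    """Manual router-id > highest loopback IP > highest physical interface IP."""
    if manual:
        return manual
    for pool in (loopbacks, physical):
        if pool:
            return max(pool, key=IPv4Address)   # numerically highest address
    raise ValueError("no IPv4 address to derive a router ID from")


def elect(routers: List[Tuple[str, int, str]]):
    """routers: (name, priority, router_id). Returns (dr, bdr, drothers)."""
    eligible = [r for r in routers if r[1] > 0]          # priority 0 never runs
    ranked = sorted(eligible, key=lambda r: (r[1], int(IPv4Address(r[2]))),
                    reverse=True)                         # priority, then RID
    dr = ranked[0][0] if ranked else None
    bdr = ranked[1][0] if len(ranked) > 1 else None
    drothers = [r[0] for r in routers if r[0] not in (dr, bdr)]
    return dr, bdr, drothers


# Constructed sample segment: R3 has the highest RID but priority 0,
# R5 has the lowest RID but the highest priority.
SEGMENT = [("R1", 1, "1.1.1.1"), ("R2", 1, "2.2.2.2"), ("R3", 0, "9.9.9.9"),
           ("R4", 1, "4.4.4.4"), ("R5", 10, "0.0.0.5")]

if __name__ == "__main__":
    print(elect(SEGMENT))   # ('R5', 'R4', ['R1', 'R2', 'R3'])
```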

Path selection:
1) cost = 10^8 / bandwidth (bps) -----> lowest preferred; if the cost is the same then
2) lowest IP address
3) intra-area (O)
4) inter-area (O IA)
5) External Type 1 (E1)
6) NSSA Type 1 (N1)
7) External Type 2 (E2)
8) NSSA Type 2 (N2)

Process id:-
++ the same or a different OSPF process ID will still work; it is local to the router
++ we can also create multiple OSPF process IDs on the same router, but it is not recommended
(whereas for BGP and EIGRP the process ID / AS number has to be the same)

ABR (area border router):-
a router connected to more than one area.

ASBR (autonomous system border router):-
a router that connects to another autonomous system.

Each Hello packet contains the following information:-
    Router ID of the originating router.
    Area ID of the originating router interface.
    Address mask of the originating interface.
    Authentication type and authentication information for the originating interface.
    HelloInterval of the originating interface.
    RouterDeadInterval of the originating interface.
    Router Priority.
    DR and BDR.
    Five flag bits signifying optional capabilities.
    Router IDs of the originating router’s neighbors. This list contains only routers from which Hellos were heard on the originating interface within the last RouterDeadInterval.

OSPF LSA Types

LSA:
====
1) Router LSA - generated by all routers; describes each router's links (how many routers)
2) Network LSA - generated by the DR; "who is the DR and which routers are on the segment?"
3) Summary LSA - generated by the ABR; "what networks are in other areas?" (inter-area routes)
4) ASBR Summary LSA - generated by the ABR; contains the route to the ASBR
5) External LSA - generated by the ASBR; all external routes
6) Multicast LSA - used for multicast applications (MOSPF)
7) NSSA External LSA - external routes originated inside an NSSA




Network type                          DR/BDR   Neighbor auto-discovery
------------------------------------  -------  -----------------------
NBMA                                  YES      NO  (neighbors configured manually)
Broadcast                             YES      YES
Point-to-point                        NO       YES
Point-to-multipoint broadcast         NO       YES
Point-to-multipoint non-broadcast     NO       NO  (neighbors configured manually)


Stub Area :-
=========
REASON:- if a router has less memory it can impact performance; a stub area reduces the LSDB size and CPU load
LSA types 1, 2, 3 are allowed, and a default route is injected as a type 3 LSA
{TO BLOCK = type 4 (ASBR summary), type 5 (external routes)}


Totally Stubby Area :-
===================
REASON:- same as the stub area (less memory / CPU), but goes one step further
LSA types 1, 2 are allowed, and a default route is injected as a type 3 LSA
(TO BLOCK = type 3, 4, 5 = inter-area, ASBR, external routes)


The NP bit position in the OSPF Options field has two roles:

N-bit: used in hello packets by OSPF NSSA routers. If the N-bit does not match on both sides, the routers won't become neighbors.
P-bit: used only in the NSSA external LSA (type 7) header.
Since the N and P bits are never used at the same time, one bit position can serve both roles.


Not So Stubby Area (NSSA) :-
=========================
- No type 7 to type 5 translation means bit P = 0.
- Type 7 to type 5 translation means bit P = 1.
REASON:-
1) if a router has less memory it can impact performance; reduces CPU
2) My company has two areas (AREA 0 -- AREA 1), where Area 1 is a stub.
Now your company wants to communicate with our company,
so I can put AREA 1 in NSSA: it will not learn your (external) routes, only area 0 will learn them.
NOTE:- if you don't want type 7 LSAs to be learned, give the command below
 router ospf 1
  area 1 nssa no-redistribution

LSA types 1, 2, 3, 7 are allowed; a default route is injected as a type 7 LSA only if the command below is issued
 router ospf 1
  area 10 nssa default-information-originate

- (TO BLOCK LSA 4, 5 = ASBR, external)

TOTALLY NSSA:-
=================
- LSA types 1, 2, 7 are allowed and a default route is injected as a type 3 LSA
++ inter-area routes, ASBR and external routes are blocked.



OSPF States

DOWN:-
=====
No hello packets have been received.
++ check for L2 issues, or whether a firewall is blocking IP protocol 89

STUCK at ATTEMPT (NBMA only):
============
1. check for neighbor ID misconfiguration
2. access-lists
3. incorrect DLCI (if using frame relay)

STUCK at INIT:
=========
(means the router has received hello packets, but its own router ID is not yet listed in the neighbor's hellos)
+ check whether 224.0.0.5 is blocked
+ ping the neighbor address; the ping should succeed, otherwise there is a problem with the link
+ authentication should be enabled on both sides; check for a mismatch
+ take a pcap to see whether the neighbor's hellos come back listing our router ID

STUCK at TWO-WAY:
=============
(received hello and also sent hello; bi-directional communication established)
this is the default behaviour between two DROther routers
+ make sure you check the neighbor state from the DR

R1/R2/R3/R4/R5 are all in one area, connected through a switch


R1 = DR (adjacent router = exchanges HELLO and LSA packets)
R2 = BDR (adjacent router = exchanges HELLO and LSA packets)
R3/R4/R5 = DROTHER (neighbor router = exchanges only HELLO packets with the other DROthers)

R1#sh ip ospf nei
     R2 - BDR (FULL)
     R3/R4/R5 - DROTHER (FULL)

R3#sh ip ospf nei
     R1 - DR (FULL)
     R2 - BDR (FULL)
     R4/R5 ------> 2WAY <============ expected behaviour

Stuck at EXSTART/EXCHANGE:
==================
(DR/BDR election happens in this state; the master then sends the first DBD packet)
R1 (mtu=1500) =========== (mtu=1450) R2

R1#sh ip ospf nei
          EXCHANGE
R2#sh ip ospf nei
          EXSTART

+ MTU mismatch
  resolution: ip ospf mtu-ignore on the interface (or, better, make both MTUs match)
+ check the neighbor IDs with #sh ip ospf neighbor (duplicate router IDs also cause this)


LOADING:-
=======
Link-state advertisements (LSAs), which carry the routes / topology database, are exchanged between the two neighbors.
The router now checks whether any LSA listed in the DBD is missing from its own database; it sends an LSR requesting those LSAs and the other side responds with an LSU.


FULL:-
====
all neighbor routers are in sync and the adjacency is established.

BGP Attributes


Type=Path Vector
Algorithm=Path Selection
eBGP AD=20
iBGP AD=200

Protocols IP
Transport TCP 179

####WLAOM..RCN### (mnemonic for the order below: Weight, Local preference, AS path, Origin, MED .. Router ID, Cluster list, Neighbor address)
attributes:
==========
1. weight (default = 0) preferred = highest
configure this on the router that is receiving the routes (IN) (customer side)
Cisco proprietary
local to the specific device it is configured on; it is never advertised to any peer
#neighbor X.X.X.X weight 762

2. local preference (default = 100) preferred = highest
  • configure this on the router that is receiving the routes (IN) (customer side)
  • only "in" is supported: applied to routes learned into our AS
  • LP is not exchanged over eBGP, hence we use BGP community strings to influence it across AS boundaries
R1(config-router)#bgp default local-preference 200
but if we give the above command it applies to all routes
Note that the Local Preference only affects traffic leaving the AS.
You can use route-maps to apply local preference to specific routes:


access-list 1 permit 10.10.10.1
access-list 1 permit 50.0.0.1
route-map FILTER_10 permit 10
 match ip address 1
 set local-preference <high>

router bgp <our AS>
 neighbor <neighbor ip> route-map FILTER_10 in
only "in" is supported: routes learned into our AS

3. Locally originated preferred = local routes
- prefer the path that was locally originated via a network statement

4. AS PATH preferred = shortest
R1 --- R2 (AS 10) --- R3 (AS 30)
  • configure this on the router that is advertising its routes (OUT) (ISP side or customer side)
  • can be exchanged between 2 ASes
  • only sent to the neighbor AS; that neighbor AS will in turn send it on to other ASes

route-map RMAP permit 10
 match ip address 1
 set as-path prepend 11 11 11   <--- should be our own AS number
router bgp <our AS>
 neighbor <ISP1> route-map RMAP out

ISP side:-
we want to use ISP1 as backup, so we increased the AS path with prepend 1 1 1 1 1. So far so good..
BUT ISP1 is also clever: they always prefer Customer links >>> Peer links >>> Upstream (other ISPs),
because they want to charge for the link.
so even though we use AS path prepending, ISP1 will use Local Preference as follows:
Customer link = LP 100
Peer link     = LP 80
Upstream ISP  = LP 50

5. ORIGIN preferred = lowest: IGP < EGP < incomplete
- IGP: advertised through the BGP network command
- EGP: routes that came through redistribution


6. MED (multi-exit discriminator) == lowest preferred, default = 0
  • configure this on the router that is advertising its routes (OUT) (ISP side or customer side)
  • can be exchanged between 2 ASes
  • only sent to the neighbor AS1; AS1 will not pass it on to another AS2, but will use it within AS1

7) eBGP paths are preferred over iBGP paths.

8) Lowest IGP metric to the next hop:-
BGP's internal routing, i.e. the IGP; relevant in MPLS or internal networks.

9) Maximum paths:-
checks whether load balancing (multipath) is configured for multiple BGP paths.
If not, it continues to the next step.

10) Oldest path (external):- first come, first served

11) Router ID == preferred = lowest
- if the router ID is also the same then it uses the next one

12) Cluster list length == preferred = lowest
- used in route-reflector environments

13) Neighbor address == preferred = lowest
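Added example (not from these notes or from Cisco IOS) that applies the 13-step order above to a set of candidate paths and reports which step decided; the paths, AS numbers and neighbor addresses are constructed, and MED is compared between all candidates for simplicity.

```python
"""BGP best-path comparator in the 13-step order listed in the notes above.
Added example, not Cisco's code: a simplified model that compares MED between
all candidates and skips multipath (step 9), which never picks a single path."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}       # lower is better

@dataclass
class BgpPath:
    via: str                           # label for the example only
    weight: int = 0                    # Cisco-local, highest wins
    local_pref: int = 100              # highest wins
    locally_originated: bool = False   # network statement on this router
    as_path: List[int] = field(default_factory=list)   # shortest wins
    origin: str = "igp"                # igp < egp < incomplete
    med: int = 0                       # lowest wins
    ebgp: bool = True                  # eBGP beats iBGP
    igp_metric: int = 0                # lowest metric to next hop wins
    received_at: int = 0               # lower = older; breaks eBGP ties only
    router_id: str = "0.0.0.0"         # lowest wins
    cluster_list_len: int = 0          # lowest wins (route reflectors)
    neighbor: str = "0.0.0.0"          # lowest wins

STEPS = ("weight", "local_pref", "locally_originated", "as_path_len", "origin",
         "med", "ebgp_over_ibgp", "igp_metric", "oldest_ebgp", "router_id",
         "cluster_list_len", "neighbor_address")

def sort_key(p: BgpPath) -> Tuple:
    """Smaller tuple = better path; one element per tiebreak step in STEPS."""
    return (-p.weight, -p.local_pref, 0 if p.locally_originated else 1,
            len(p.as_path), ORIGIN_RANK[p.origin], p.med, 0 if p.ebgp else 1,
            p.igp_metric, p.received_at if p.ebgp else 0,
            int(IPv4Address(p.router_id)), p.cluster_list_len,
            int(IPv4Address(p.neighbor)))

def best_path(paths: List[BgpPath]) -> BgpPath:
    return min(paths, key=sort_key)

def deciding_step(a: BgpPath, b: BgpPath) -> str:
    """Name of the first step at which a and b differ ('tie' if none)."""
    for name, x, y in zip(STEPS, sort_key(a), sort_key(b)):
        if x != y:
            return name
    return "tie"

# Constructed sample: one prefix learned three ways; ISP1 prepended its AS.
SAMPLE = [
    BgpPath("ISP1", as_path=[10, 10, 10, 30], neighbor="10.10.10.1"),
    BgpPath("ISP2", as_path=[20, 30], neighbor="50.0.0.1"),
    BgpPath("iBGP-peer", local_pref=200, as_path=[40, 30], ebgp=False,
            neighbor="192.0.2.9"),
]
```

With the sample, the iBGP path wins on local preference even though its AS path is longer than ISP2's, which is exactly the effect the local-preference section above describes.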

===========================================

PaloAlto - Traffic Error Logs:-

=====================
aged-out
=====================

1) Generally, session aging is an operation that identifies expired sessions, removes them from the ager and the flow lookup table, and returns them to the free session pool. It can be triggered by a timer event or by a packet arrival event. A session is considered expired if:
• the session state is CLOSING; in this state the session is subject to immediate expiration.


At various phases during packet processing, a session may close for causes such as:
- session denied or timed out
- packets dropped due to various threat conditions
- reset by either end host

2)The purpose of introducing the session tracker feature is to provide precise reasons for mitigation actions taken on particular sessions.

3) There are multiple tracker stage statuses, such as:

======================
SESSION END REASON
=======================

Aged out - occurs when a session closes due to aging out
TCP FIN - occurs when a TCP FIN is used to close one or both sides of a connection
TCP RST - client - occurs when the client sends a TCP reset to the server
TCP RST - server - occurs when the server sends a TCP reset to the client
appid policy lookup deny - occurs when a session matches a security policy with a deny or drop action
mitigation tdb - occurs when a session ends due to a threat detection
resource limit - occurs when a session is dropped due to a system resource limitation, such as exceeding the number of out-of-order packets allowed per flow or the global out-of-order packet queue. Many other reasons roll up to this reason.
host service - traffic destined for the firewall itself, but the service is not allowed or enabled

4)TCP Session Timeout:
Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete and/or data transmission has started). Default is 3600 seconds; range is 1-1599999 seconds.

You can change the timeout value from Device > Setup > Session > Session Timeouts > TCP

5) Here the TCP 3-way handshake was breaking down due to an invalid response from the server. The order of the handshake should be syn > syn-ack > ack, but instead we saw syn > ack > rst.
We can try clearing the sessions to the server and see if this helps, though if we receive the same thing it is likely an issue with the server and/or the application. Since we will need to reset the sessions after you are out of normal production hours, we will wait for your follow-up.

======================
APPLICATION REASON
======================
Incomplete means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic being seen is not really an application. For example, if a client sends a server a syn and the Palo Alto Networks device creates a session for that syn, but the server never sends a SYN ACK back to the client, then that session is incomplete.


Insufficient data means not enough data to identify the application. So for example, if the three-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, then user will see insufficient data in the application field of the traffic log.


Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified. This may be due to the use of a custom application for which the firewall does not have signatures.


Unknown-udp consists of unknown UDP traffic.

Unknown-p2p matches generic P2P heuristics.


Not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service.
For example, if there was only one rule on the Palo Alto device and that rule allowed the application of web-browsing only on port/service 80, and traffic (web-browsing or any other application) is sent to the Palo Alto device on any other port/service besides 80, then the traffic is discarded or dropped and you'll see sessions with "not-applicable" in the application field.



Action - indicates allowed traffic; Deny indicates a block.
If the final action is Allowed, then check the Session_end_Reason below to confirm whether the traffic was completely allowed or blocked.

Action        Final Action  Reason
------------  ------------  ----------------------------------------------------------------------
allow         Allowed       session was allowed by policy
deny          Blocked       session was denied by policy
drop          Blocked       session was dropped silently
drop ICMP     Blocked       session was silently dropped, with an ICMP unreachable message to the host or application
reset-both    Blocked       session was terminated and a TCP reset is sent to both sides of the connection
reset-client  Allowed       session was terminated and a TCP reset is sent to the client
reset-server  Allowed       session was terminated and a TCP reset is sent to the server




App - the firewall can identify applications based on various aspects of the traffic.
The complete list of applications is published by the vendor.
If the application is not identified, it can be because of the following reasons:

App                Final Action  Reason
-----------------  ------------  ----------------------------------------------------------------------
Incomplete         Allowed       the three-way TCP handshake did not complete properly
Insufficient data  Allowed       the three-way TCP handshake completed but there was no data after it to identify the application
Unknown-tcp        Allowed       the three-way TCP handshake completed, but the application was not identified; may be a custom application or port number
Unknown-udp        Allowed       the UDP application was not identified; may be a custom application or port number
Not-applicable     Blocked       blocked by the firewall, as there is no rule or policy allowing that port or service


Session_end_Reason - indicates why a session ended. The reasons are:

Session End Reason       Final Action  Description
-----------------------  ------------  ----------------------------------------------------------------------
threat                   Blocked       the firewall detected a threat associated with a reset, drop or block (IP address) action
policy-deny              Blocked       the session matched a security rule with a deny or drop action
tcp-rst-from-client      Allowed       the client sent a TCP reset to the server
tcp-rst-from-server      Allowed       the server sent a TCP reset to the client
tcp-fin                  Allowed       one or both hosts in the connection sent a TCP FIN to close the session
tcp-reuse                Allowed       a session is reused, and the firewall closes the previous session
aged-out                 Allowed       the session aged out
resources-unavailable    Blocked       the session was dropped because of a system resource limitation, e.g. it exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue
decrypt-error            Blocked       SSL Decryption is configured and the firewall blocked the session because of e.g. certificate expiry or an unsupported cipher suite
decrypt-cert-validation  Blocked       SSL Decryption is configured and the server certificate produced a fatal alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied or no_certificate_RESERVED
decrypt-unsupport-param  Blocked       SSL Decryption is configured and the session produced a fatal alert of type unsupported_extension, unexpected_message or handshake_failure
decoder                  Allowed       the decoder detected a new connection within the protocol (such as HTTP-Proxy) and ended the previous connection
n/a                      Allowed       applies when the traffic log type is not "end"
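Added example (not Palo Alto Networks code) that combines the three tables above into one triage label per traffic-log row, so an "allow" whose handshake never completed is separated from traffic that really flowed; the rows and their field names are constructed, not a real log export.

```python
"""Triage of Palo Alto traffic-log rows using the action / app /
session_end_reason tables above. Added example, not Palo Alto Networks code;
the rows are constructed and the field names are assumed."""
from collections import Counter
from typing import Dict, List

# Final action per policy action value, as tabulated above (keys lower-cased).
ACTION_FINAL = {"allow": "Allowed", "deny": "Blocked", "drop": "Blocked",
                "drop icmp": "Blocked", "reset-both": "Blocked",
                "reset-client": "Allowed", "reset-server": "Allowed"}
# App values that mean the firewall never identified real application data.
NO_APP_DATA = {"incomplete", "insufficient-data", "unknown-tcp", "unknown-udp"}


def triage(row: Dict[str, str]) -> str:
    """Classify one traffic-log row by combining action, app and end reason."""
    action, app, end = (row[k].lower() for k in
                        ("action", "app", "session_end_reason"))
    if end == "threat":
        return "blocked-threat"
    if (ACTION_FINAL.get(action, "Allowed") == "Blocked" or end == "policy-deny"
            or app == "not-applicable"):
        return "blocked-by-policy"
    if end.startswith("decrypt-"):
        return "blocked-decrypt"
    if end == "resources-unavailable":
        return "dropped-resource-limit"
    if app == "incomplete":
        # Policy allowed it, but the 3-way handshake never completed (the
        # syn > ack > rst case above): look at the server or path, not the rule.
        return "allowed-handshake-incomplete"
    if app in NO_APP_DATA:
        return "allowed-app-unidentified"
    return "allowed-identified"


def summarize(rows: List[Dict[str, str]]) -> Counter:
    """Count triage labels over a batch of rows."""
    return Counter(triage(r) for r in rows)


# Constructed sample rows (field names assumed; not a real log export).
SAMPLE_ROWS = [
    {"action": "allow", "app": "web-browsing", "session_end_reason": "tcp-fin"},
    {"action": "allow", "app": "incomplete", "session_end_reason": "aged-out"},
    {"action": "allow", "app": "ssl", "session_end_reason": "decrypt-cert-validation"},
    {"action": "deny", "app": "not-applicable", "session_end_reason": "policy-deny"},
    {"action": "allow", "app": "unknown-tcp", "session_end_reason": "tcp-rst-from-server"},
    {"action": "reset-both", "app": "web-browsing", "session_end_reason": "threat"},
]
```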
