OSPF Neighbours stuck in Exchange Start

Article ID: 307715

Products

VMware vDefend Firewall

Issue/Introduction

Symptoms:

  • With multiple Edges deployed, the show ip ospf neighbour command shows some Edges in the Exchange Start state.
  • MTU and OSPF configuration are the same across all the Edges.
  • Ping works between the Edges.
  • Packet captures show that DD packets are received by the Edge but not sent back.
  • DFW has rules applied to the specific Edge, and the packets are dropped by the last rule, which is deny any any.

Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x

Cause

This issue occurs because DFW rules are applied to the specific Edge through the "Applied to" field, so they take precedence over the internal OSPF rules on the Edge Firewall.

Resolution

To resolve this issue, use either of the following options:

  • If your environment requires rules on DFW to be applied to the specific Edges, add rules in DFW to allow Unicast and Multicast for OSPF. (or)
  • Disable DFW rules for specific Edges.
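
The first option can be checked before it is deployed. The following is an added example, not VMware code: a first-match evaluator over a constructed, simplified rule model (protocol and destination only) that reports which OSPF flows still fall through to deny any any. The rule names, the peer addresses (documentation range 192.0.2.0/24) and the tuple layout are assumptions; OSPF is IP protocol 89 and uses the multicast groups 224.0.0.5 and 224.0.0.6.

```python
import ipaddress

OSPF_PROTO = 89                    # IP protocol number for OSPF
ICMP_PROTO = 1
ALL_SPF_ROUTERS = "224.0.0.5"      # OSPF multicast group, all routers
ALL_D_ROUTERS = "224.0.0.6"        # OSPF multicast group, designated routers

def first_match(rules, proto, dst):
    """Evaluate rules top-down; return (rule_name, action) of the first hit.
    A rule is (name, action, protocol or None for any, dst CIDR or None for any)."""
    addr = ipaddress.ip_address(dst)
    for name, action, r_proto, r_dst in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if r_dst is not None and addr not in ipaddress.ip_network(r_dst):
            continue
        return name, action
    return "(no match)", "deny"

def ospf_gaps(rules, peer_ips):
    """Return [(flow, blocking_rule)] for every OSPF flow that is not allowed."""
    flows = [("multicast " + ALL_SPF_ROUTERS, ALL_SPF_ROUTERS),
             ("multicast " + ALL_D_ROUTERS, ALL_D_ROUTERS)]
    flows += [("unicast " + ip, ip) for ip in peer_ips]
    gaps = []
    for label, dst in flows:
        name, action = first_match(rules, OSPF_PROTO, dst)
        if action != "allow":
            gaps.append((label, name))
    return gaps

# Constructed sample data: neighbour Edge addresses and three rule sets.
PEERS = ["192.0.2.2", "192.0.2.3"]
DENY_ALL = ("deny-any-any", "deny", None, None)
ALLOW_PING = ("allow-icmp", "allow", ICMP_PROTO, None)
ALLOW_MCAST = [("allow-ospf-mcast-spf", "allow", OSPF_PROTO, "224.0.0.5/32"),
               ("allow-ospf-mcast-dr", "allow", OSPF_PROTO, "224.0.0.6/32")]
ALLOW_UCAST = ("allow-ospf-unicast", "allow", OSPF_PROTO, "192.0.2.0/29")

BEFORE = [ALLOW_PING, DENY_ALL]                    # ping works, OSPF is dropped
MCAST_ONLY = [ALLOW_PING, *ALLOW_MCAST, DENY_ALL]  # unicast OSPF still dropped
AFTER = [ALLOW_PING, *ALLOW_MCAST, ALLOW_UCAST, DENY_ALL]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("multicast only", MCAST_ONLY),
                         ("after", AFTER)):
        print(label, ospf_gaps(rules, PEERS))
```

An empty list means every OSPF flow in the model matches an allow rule before deny any any; the multicast-only rule set shows why the article asks for both unicast and multicast rules.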