Forum Discussion

GraemeMcCauslan
Apr 18, 2017

BIG-IP OSPF with Palo Alto

I have 2 BIG-IP 2200s units in an active/standby pair. Both of them OSPF peer with a Palo Alto 3060 failover pair.

 

Whenever there is a topology change, such as a failover of the Palo Alto, I cannot get a full adjacency to establish between the Palo Alto and either of the F5s. It is stuck in the "exchange" state.

 

Packet capture shows hellos being exchanged normally. The Palo Alto is repeatedly sending its Database Descriptor to the F5s, but not the other way around.

 

The issue is resolved when I clear the OSPF process on the F5s. The F5 finally sends its Database Descriptor to the Palo Alto and I get full adjacency at that point. However, if there is a real failover event on the firewalls, this would effectively bring our network down until someone can manually intervene.

 

BIG-IP version: 11.5.4 HF2

Palo Alto version: 6.1.14

 

Anyone ever see this issue? It looks like a bug to me.

 

  • The port lockdown feature on the F5 Self IPs was set to "Allow None". Changing it to "Allow Default" resolved the issue for me.
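
An added example, not part of the original thread: a small audit that flags Self IPs whose port lockdown setting would not admit OSPF, so the condition in the reply above can be caught before a failover. The sample text is constructed in the style of `tmsh list net self` output; the stanza layout, the self IP names, and the assumption that "default" and "all" admit OSPF while a custom list needs an `ospf:` entry are assumptions to check against your own units.

```python
import re

# Constructed sample in the style of `tmsh list net self` output (layout assumed).
SAMPLE = """\
net self ospf_peer_self {
    address 10.0.0.2/29
    allow-service none
    vlan transit
}
net self internal_self {
    address 10.0.1.5/24
    allow-service {
        default
    }
    vlan internal
}
net self custom_self {
    address 10.0.2.5/24
    allow-service {
        tcp:https
        ospf:any
    }
    vlan dmz
}
"""

# One stanza per self IP; only an unindented "}" closes the stanza.
STANZA = re.compile(r"^net self (\S+) \{\n(.*?)^\}", re.M | re.S)
# allow-service is either a single word or a braced list of entries.
ALLOW = re.compile(r"allow-service\s+(?:\{(.*?)\}|(\S+))", re.S)

def allow_list(body):
    """Return the port lockdown entries configured in one stanza body."""
    m = ALLOW.search(body)
    if not m:
        return ["none"]  # assumption: an absent setting means nothing is allowed
    return m.group(1).split() if m.group(1) is not None else [m.group(2)]

def permits_ospf(services):
    """Assumption: 'default' and 'all' admit OSPF; custom lists need ospf:*."""
    return any(s in ("all", "default") or s.startswith("ospf:") for s in services)

def audit(config):
    """Map each self IP name to True if its lockdown setting admits OSPF."""
    return {name: permits_ospf(allow_list(body))
            for name, body in STANZA.findall(config)}

if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(f"{name}: {'OSPF permitted' if ok else 'OSPF BLOCKED by port lockdown'}")
```
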