This lab provides the scenario to practice OSPF troubleshooting skills.
Configuration
- Setup basic addressing in the scheme: physical interfaces, loopbacks.
- Enable OSPF on every link, except for R5 links.
- Configure IPsec tunnel between R2 and R3.
- Reduce MTU between R2 and R5 to 1400 bytes.
- Enable path MTU discovery (PMTUD) on the tunnel interface.
- Make sure R4 is able to reach the loopback on R1.
Task
- Review PMTUD process over IPsec tunnel.
- Trigger PMTUD from R4:
R4#ping 1.1.1.1 so loopback 0 df-bit size 1400
Type escape sequence to abort.
Sending 5, 1400-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
Packet sent with the DF bit set
..MMM
- Clear OSPF process on R3.
Observations
Verify the reachability between R1 and R4. What is wrong?
Solution
Note the current state of OSPF neighbourship:
R3#show ip os nei
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 EXSTART/ - 00:00:37 192.168.32.2 Tunnel0
4.4.4.4 1 FULL/DR 00:00:38 192.168.34.4 FastEthernet0/0
EXSTART state is a good indicator of MTU mismatch:
R3#deb ip ospf adj
OSPF adjacency debugging is on
*Oct 1 18:47:46.863: OSPF-1 ADJ Tu0: Send DBD to 2.2.2.2 seq 0xF1E opt 0x52 flag 0x7 len 32
*Oct 1 18:47:46.863: OSPF-1 ADJ Tu0: Retransmitting DBD to 2.2.2.2 [2]
*Oct 1 18:47:47.403: OSPF-1 ADJ Tu0: Rcv DBD from 2.2.2.2 seq 0x1074 opt 0x52 flag 0x7 len 32 mtu 1318 state EXSTART
*Oct 1 18:47:47.403: OSPF-1 ADJ Tu0: Nbr 2.2.2.2 has smaller interface MTU
*Oct 1 18:47:47.403: OSPF-1 ADJ Tu0: First DBD and we are not SLAVE
Remember that PMTUD is a unidirectional feature. R3 has already decreased its MTU, while R2 didn’t have a chance to do so. If a packet exceeds the available MTU, PMTUD should later update the value, so it’s relatively safe to ignore MTU mismatch:
R2(config)#interface Tunnel 0
R2(config-if)#ip ospf mtu-ignore
R3(config)#interface Tunnel 0
R3(config-if)#ip ospf mtu-ignore
Images
IOS image: c7200-adventerprisek9-mz.152-4.M11.image