Cisco ASA: OSPF neighbor stuck in “init” state

After migrating from a Catalyst 3750-X to a 9300 switch, the OSPF adjacency to the ASA suddenly stopped establishing. Since the configuration had not changed, I started debugging it.

The switch side was stuck in the “INIT/DROTHER” state. The ASA side had no neighbors. “show ospf” indicated that Area BACKBONE(0) was (Inactive). The interface was in the area, and the subnet and HELLO/DEAD timers matched.

asa# sh ospf 100

<SNIP>
Area BACKBONE(0) (Inactive)
Number of interfaces in this area is 1
Area has no authentication

Looking further at “show ospf events” revealed a strange message indicating a bad packet header from an invalid/non-existing IP address.

asa# sh os 100 ev

OSPF Router with ID  (Process ID 100)

1 May 18 21:10:51.416: Bad pkt rcvd: <invalid IP>
2 May 18 21:10:41.946: Bad pkt rcvd: <invalid IP>
3 May 18 21:10:32.876: Bad pkt rcvd:

I checked the IP and it did not exist in my network, so I ran “show ospf traffic” on the ASA to look for invalid packet header error messages.

asa# sh os traffic

<SNIP>

OSPF header errors
Length 0, Auth Type 0, Checksum 0, Version 0,
Bad Source 0, No Virtual Link 0, Area Mismatch 0,
No Sham Link 0, Self Originated 0, Duplicate ID 0,
Hello 0, MTU Mismatch 0, Nbr Ignored 0,
LLS 80, Unknown Neighbor 0, Authentication 0,
TTL Check Fail 0

Under OSPF header errors I found errors related to LLS. A Google search returned this bug, related to the ASA not supporting the OSPF LLS TLV under the interface.

So the fix was to disable LLS TLV on the switch/router interface.

Interface X
ip ospf lls disable

Once the interface command was entered, the OSPF adjacency to the ASA established successfully.
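
The counter check used above, as an added example that is not part of the original post: a Python parser for the “OSPF header errors” block of “show ospf traffic” that reports which counters are still rising between two captures. The first capture is the output shown above; the second capture and all function names are constructed for illustration.

```python
import re

# Header-error block of "show ospf traffic" exactly as shown in the post.
SNAPSHOT_1 = """\
OSPF header errors
Length 0, Auth Type 0, Checksum 0, Version 0,
Bad Source 0, No Virtual Link 0, Area Mismatch 0,
No Sham Link 0, Self Originated 0, Duplicate ID 0,
Hello 0, MTU Mismatch 0, Nbr Ignored 0,
LLS 80, Unknown Neighbor 0, Authentication 0,
TTL Check Fail 0
"""
# Constructed second capture: the same block a few hello intervals later.
SNAPSHOT_2 = SNAPSHOT_1.replace("LLS 80", "LLS 83")

# A counter is a (possibly multi-word) name, a number, then a comma or end of line.
COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?)\s+(\d+)\s*(?:,|$)", re.MULTILINE)

def parse_header_errors(text):
    """Return {counter name: value} from the 'OSPF header errors' block."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines)
                  if line.strip().lower() == "ospf header errors"), None)
    if start is None:
        raise ValueError("no 'OSPF header errors' block in input")
    block = []
    for line in lines[start + 1:]:
        if not line.strip():
            break  # a blank line ends the block
        block.append(line)
    return {name.strip(): int(value)
            for name, value in COUNTER.findall("\n".join(block))}

def rising_counters(before, after):
    """Counters that grew between two captures, as {name: delta}."""
    return {name: after[name] - before.get(name, 0)
            for name in after if after[name] > before.get(name, 0)}

if __name__ == "__main__":
    first = parse_header_errors(SNAPSHOT_1)
    second = parse_header_errors(SNAPSHOT_2)
    print("non-zero:", {k: v for k, v in first.items() if v})
    print("still rising:", rising_counters(first, second))
```

The counters are cumulative, so a non-zero value can be historical; a counter that keeps growing between captures points at a problem that is still active.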
