Complex route based vpn w/ OSPF over 100 sites

  • Performing a migration from policy based VPNs to route based w/ OSPF.  The config is 2 data centers with ns50 both in area and tunnel.50.  Then there are 100 remote sites that connect to both datacenters via tunnel interfaces on 5GTs.  I have put each data center in different areas.

    Datacenter 1  area area area area area
    Datacenter 2  area area area area area

    max of 25 remote office ns5gt per area

    Remote locations 1-25 are members of both area and
    Remote ns 26-51 are members of both area and

    Remotes have 2 tunnel interfaces…one for each of the areas they are members of PTP

    Datacenter NS’s have 4 areas each +

    Datacenter NS’s tunnel interfaces are ptmp

    Remote sites are all ptp

    NHTB is all dynamic based on the VPN

    The tunnel interfaces are all members of the same subnet on a per area basis…i.e.  area is subnet 192.168.101.x/24  (not using all the IPs since only 25 remotes and one datacenter ns)

    Everything has been working fine and all of a sudden some of the sites are displaying incorrect routing information on the datacenter ns50’s.  The route will point all of the remotes in…say groups 1-25  (tunnel.1 area to one of the remote sites.  When this occurs the sites are not really down.  I can get into the untrust interface and see the correct routing information for the remote.  It seems that OSPF is building its paths incorrectly.

    I know this is a lot of info and I am sure there is more that someone will want to know to answer this.  Please help.
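
An added example, not part of the original post and not firewall output: one way to check a hub's route table for the symptom described above, where several remotes' prefixes point at a single remote's tunnel address. The site names, 10.1.x.0/24 LAN prefixes, host addresses and the normalised "prefix interface gateway" line format are assumptions constructed for illustration; only the 192.168.101.x/24 tunnel subnet comes from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: remote site -> (LAN prefix, tunnel IP in the per-area subnet).
EXPECTED = {
    "remote-01": ("10.1.1.0/24", "192.168.101.11"),
    "remote-02": ("10.1.2.0/24", "192.168.101.12"),
    "remote-03": ("10.1.3.0/24", "192.168.101.13"),
    "remote-04": ("10.1.4.0/24", "192.168.101.14"),
}

# Constructed hub route entries, normalised to "prefix interface gateway".
# Assumption: the real route table has been exported into this form first.
OBSERVED = """\
10.1.1.0/24 tunnel.1 192.168.101.12
10.1.2.0/24 tunnel.1 192.168.101.12
10.1.3.0/24 tunnel.1 192.168.101.12
10.1.4.0/24 tunnel.1 192.168.101.14
"""

def parse_routes(text):
    """Parse normalised route lines into {network: (interface, gateway)}."""
    routes = {}
    for line in text.splitlines():
        if line.strip():
            prefix, iface, gw = line.split()
            routes[ipaddress.ip_network(prefix)] = (iface, ipaddress.ip_address(gw))
    return routes

def find_misrouted(expected, routes):
    """Return (site, prefix, expected_gw, actual_gw); actual_gw is None if the route is missing."""
    bad = []
    for site, (prefix, gw) in sorted(expected.items()):
        net, want = ipaddress.ip_network(prefix), ipaddress.ip_address(gw)
        got = routes.get(net, (None, None))[1]
        if got != want:
            bad.append((site, str(net), str(want), str(got) if got is not None else None))
    return bad

def collapsed_gateways(expected, routes):
    """Map each wrong gateway to the site that owns it and the sites whose prefixes point at it."""
    owner = {gw: site for site, (_, gw) in expected.items()}
    hits = defaultdict(list)
    for site, _prefix, _want, got in find_misrouted(expected, routes):
        if got is not None:
            hits[got].append(site)
    return {gw: {"owner": owner.get(gw), "sites": s} for gw, s in hits.items()}
```

A gateway that shows up here with many sites is the remote that the hub has wrongly selected as next hop for its neighbours, which narrows down where to compare the OSPF database and the next-hop bindings.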


  • Global Moderator

    No answer on this question yet and neither have I.

    But: what do your ospf databases tell you when routing fails?
    Don’t have a NS here (at home) but to look into it it’s done like:
    get vrouter trust-vr proto ospf database.
    get vrouter trust-vr proto ospf ? will show you the correct syntax.