Complex route based vpn w/ OSPF over 100 sites
carpadum last edited by
Performing a migration from policy based VPNs to route based w/ OSPF. The config is 2 data centers with ns50 both in area 0.0.0.0 and tunnel.50. Then there are 100 remote sites that connect to both datacenters via tunnel interfaces on 5GTs. I have put each data center in different areas.
Datacenter 1: area 0.0.0.0, area 0.0.0.1, area 0.0.0.2, area 0.0.0.3, area 0.0.0.4
Datacenter 2: area 0.0.0.0, area 0.0.0.6, area 0.0.0.7, area 0.0.0.8, area 0.0.0.9
max of 25 remote office ns5gt per area
Remote locations 1-25 are members of both area 0.0.0.1 and 0.0.0.6
Remote ns 26-51 are members of both area 0.0.0.2 and 0.0.0.7
Remotes have 2 tunnel interfaces…one for each of the areas they are members of PTP
Datacenter NS’s have 4 areas each + 0.0.0.0
Datacenter NS’s tunnel interfaces are ptmp
Remote sites are all ptp
NHTB is all dynamic based on the VPN
The tunnel interfaces are all members of the same subnet on a per area basis, i.e. area 0.0.0.1 is subnet 192.168.101.x/24 (not using all the IPs since only 25 remotes and one datacenter ns).
Everything has been working fine and all of a sudden some of the sites are displaying incorrect routing information on the datacenter ns50s. The route will point all of the remotes in, say, groups 1-25 (tunnel.1 area 0.0.0.1) to one of the remote sites. When this occurs the sites are not really down. I can get into the untrust interface and see the correct routing information for the remote. It seems that OSPF is building its paths incorrectly.
I know this is a lot of info and I am sure there is more that someone will want to know to answer this. Please help.
No answer to this question yet, and I don't have one either.
But: what do your OSPF databases tell you when routing fails?
Don’t have a NS here (at home), but to look into it, it’s done like:
get vrouter trust-vr proto ospf database.
get vrouter trust-vr proto ospf ? will show you the correct syntax.