Has anyone had any experience establishing OSPF between an MX and Palo Alto?

SOLVED

I have an MX67-C running in pass through mode connected to a Palo Alto firewall via ethernet. The MX is in the site to site as a spoke, is connected and can see all of the other MXs in the network. I have configured OSPF on the MX and the Palo. The neighbor relationship has been established and the Palo is reporting full adjacency. However, none of the remote MX site routes are in the Palo routing table. I am kind of at a loss right now on this one and was hoping someone may have come across this. 

1 ACCEPTED SOLUTION


Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

@Cole has the MX in pass-through mode at the moment, so WAN should be okay. However, it is also set up as a spoke so that won't work as far as I know.

22 REPLIES

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

Not sure if this works on the LAN side in passthrough mode.

But the OSPF info talks about hub mode. So that's what I would try first.

"OSPF can be used to allow MX security appliances in Auto VPN 'hub' mode at the headend to advertise remote VPN subnets to neighboring layer 3 devices. This feature is useful in topologies where a large number of VPN subnets makes configuring static routes impractical."

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

The MX is connected to the Palo via the WAN interface and is a spoke in the Meraki site to site. 

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

@Cole in order to use OSPF advertisements, you need to have the MX in VPN concentrator mode, not routing or pass through mode.  If in this mode it would also normally be the hub of the VPN, not a spoke.

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

@cmr That's been updated. Routed mode is now supported:

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_OSPF_to_Advertise_Remote_VPN_Subnets

 

And concentrator and passthru modes are really the same modes, so passthru does work.

 

I think the problem here is what's already been called out. This is for VPN hubs only, spokes will not advertise routes. But I haven't tested this myself.

 

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

Oops, my bad!  As @jdsilva said, the issue appears to be simply it being a spoke, not a hub.  I'd only tried it in concentrator mode and wasn't aware the guidelines had changed.

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

If you change the MX to a hub, you can set exit hubs and this gets rid of one of the negatives.  The other main one being number of tunnels, so this may not affect you unless you have a lot of sites:

 

The top exit hub is used unless it goes down, then the next will take over.

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

>The MX is connected to the Palo via the WAN interface

 

I was under the impression that the OSPF advertisements (when in NAT mode) only go out the LAN interfaces.  I am surprised you managed to form an OSPF adjacency via the WAN interface.

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

That's certainly what the docs say

 

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

I put the MX back in Passthrough mode and made it a hub. After I did this, I reset the OSPF connections and rebooted both the MX and the Palo. Once they were back online they established full adjacency and the MX began advertising routes with the Palo. I did not add any statics for the network behind the Palo as the spoke sites have no need to access those networks. 

 

Thanks to everyone for the assistance on this. 

 

Cole

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

The MX is now in routed mode with the WAN interface connecting to the site to site and the LAN interface connected to the switch behind the Palo. The Palo now has all of the OSPF routes in the table and can ping hosts on the remote networks. However, I cannot access hosts via HTTPS, HTTP, ssl, etc. from the Palo network. I believe this is due to the fact that the subnet is not known to the remote networks because the MX will only advertise and not learn. According to the docs a static route is needed but I do not know where to add it.  

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

I also meant to mention that it is now a hub as well.

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

You add them under the Security & SD-WAN / Site-to-site VPN page where you changed it from Spoke to Hub and enable VPN participation as below:

 

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

The issue is traffic getting back to the local subnet behind the Palo. According to the documentation there needs to be a static route:

Maybe I am misreading this?

 

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

The routes behind the Palo are considered local to the MX if you want other Auto-VPN members to be able to see them, is that what you want?

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

Yes, that is correct.

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

In routed mode, add the routes on Security & SD-WAN / Addressing & VLANs where you can set a gateway to the other network, sorry, post above was how to do it in concentrator mode.

 

Then on the other tab make sure to set VPN on under VPN settings for each network you want the other sites to know about.

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

Thanks, I know where to add them; the problem is every time I do it I get an error like the one below:

This is where I am getting stuck.

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

Do the second and third blanks reference items in the site that this MX is in, or another site?  Do you have a summary route on the MX that includes the one you are trying to add?

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

The blanks refer to a remote subnet that is on the Meraki site to site. 

Re: Has anyone had any experience establishing OSPF between an MX and Palo Alto?

The MX should already know those, this section is for adding routes that are not known to Meraki, i.e. the ones the other side of the Palo that you want the other Meraki SD-WAN sites to know about.
