Has anyone had any experience establishing OSPF between an MX and Palo Alto?

SOLVED
Cole
Getting noticed

I have an MX67-C running in pass through mode connected to a Palo Alto firewall via ethernet. The MX is in the site to site as a spoke, is connected and can see all of the other MXs in the network. I have configured OSPF on the MX and the Palo. The neighbor relationship has been established and the Palo is reporting full adjacency. However, none of the remote MX site routes are in the Palo routing table. I am kind of at a loss right now on this one and was hoping someone may have come across this. 

1 ACCEPTED SOLUTION
cmr
Kind of a big deal

@Cole has the MX in pass-through mode at the moment, so WAN should be okay.  However it is also set up as a spoke so that won't work as far as I know.

22 REPLIES
ww
Kind of a big deal

Not sure if this works on the LAN side in passthrough mode.

But the OSPF info talks about hub mode. So that's what I would try first.

"OSPF can be used to allow MX security appliances in Auto VPN 'hub' mode at the headend to advertise remote VPN subnets to neighboring layer 3 devices. This feature is useful in topologies where a large number of VPN subnets makes configuring static routes impractical."

Cole
Getting noticed

The MX is connected to the Palo via the WAN interface and is a spoke in the Meraki site to site. 

cmr
Kind of a big deal

@Cole in order to use OSPF advertisements, you need to have the MX in VPN concentrator mode, not routing or pass through mode.  If in this mode it would also normally be the hub of the VPN, not a spoke.

jdsilva
Kind of a big deal

@cmr That's been updated. Routed mode is now supported:

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_OSPF_to_Advertise_Remote_VPN_Subnets

And concentrator and passthru modes are really the same modes, so passthru does work.

I think the problem here is what's already been called out. This is for VPN hubs only, spokes will not advertise routes. But I haven't tested this myself.

(Screenshot: Screen Shot 2020-01-11 at 9.23.17 AM.png)

cmr
Kind of a big deal

Oops, my bad!  As @jdsilva said, the issue appears to be simply it being a spoke, not a hub.  I'd only tried it in concentrator mode and wasn't aware the guidelines had changed.

cmr
Kind of a big deal

If you change the MX to a hub, you can set exit hubs and this gets rid of one of the negatives.  The other main one being number of tunnels, so this may not affect you unless you have a lot of sites:

(Screenshot: Screenshot_20200111-163240_Chrome.jpg)

The top exit hub is used unless it goes down, then the next will take over.

PhilipDAth
Kind of a big deal

> The MX is connected to the Palo via the WAN interface

I was under the impression that the OSPF advertisements (when in NAT mode) only go out the LAN interfaces.  I am surprised you managed to form an OSPF adjacency via the WAN interface.

That's certainly what the docs say.

(Screenshot: ospf-mx.png)

Cole
Getting noticed

I put the MX back in Passthrough mode and made it a hub. After I did this, I reset the OSPF connections and rebooted both the MX and the Palo. Once they were back online they established full adjacency and the MX began advertising routes with the Palo. I did not add any statics for the network behind the Palo as the spoke sites have no need to access those networks.

Thanks to everyone for the assistance on this.


Cole

Cole
Getting noticed

The MX is now in routed mode with the WAN interface connecting to the site to site and the LAN interface connected to the switch behind the Palo. The Palo now has all of the OSPF routes in the table and can ping hosts on the remote networks. However, I cannot access hosts via HTTPS, HTTP, SSL, etc. from the Palo network. I believe this is due to the fact that the subnet is not known to the remote networks because the MX will only advertise and not learn. According to the docs a static route is needed but I do not know where to add it.

Cole
Getting noticed

I also meant to mention that it is now a hub as well.

cmr
Kind of a big deal

You add them under the Security & SD-WAN / Site-to-site VPN page where you changed it from Spoke to Hub and enable VPN participation as below:

(Screenshot: cmr_0-1578932622560.png)


Cole
Getting noticed

The issue is traffic getting back to the local subnet behind the Palo. According to the documentation there needs to be a static route:

(Screenshot: Cole_1-1578935050520.png)

Maybe I am misreading this?

cmr
Kind of a big deal

The routes behind the Palo are considered local to the MX if you want other Auto-VPN members to be able to see them, is that what you want?

Cole
Getting noticed

Yes, that is correct.

cmr
Kind of a big deal

In routed mode, add the routes on Security & SD-WAN / Addressing & VLANs where you can set a gateway to the other network. Sorry, the post above was how to do it in concentrator mode.

(Screenshot: cmr_0-1578936123914.png)

Then on the other tab make sure to set VPN on under VPN settings for each network you want the other sites to know about.

Cole
Getting noticed

Thanks, I know where to add them; the problem is every time I do it I get an error like the one below:

(Screenshot: Cole_0-1578937375515.png)

This is where I am getting stuck.

cmr
Kind of a big deal

Do the second and third blanks reference items in the site that this MX is in, or another site?  Do you have a summary route on the MX that includes the one you are trying to add?

Cole
Getting noticed

The blanks refer to a remote subnet that is on the Meraki site to site. 

cmr
Kind of a big deal

The MX should already know those. This section is for adding routes that are not known to Meraki, i.e. the ones on the other side of the Palo that you want the other Meraki SD-WAN sites to know about.