- When the next hop of a redistributed route (connected, static, or learned from another dynamic protocol) is not inside the NSSA, the forwarding address field of the resulting NSSA external (Type-7) LSA can only be filled with the address of one of the active interfaces present on the FortiGate.
- As illustrated, FGT-A and FGT-B are in OSPF NSSA area 0.0.0.21.
- VLAN100 is carried across SWITCH-1 and SWITCH-2 so that FGT-A and FGT-B can reach each other and form the OSPF NSSA neighborship in area 0.0.0.21. The OSPF cost configured on this link is 0 (the default), so it is the primary path.
- An IPsec VPN link between the two FortiGates also forms an OSPF NSSA neighborship in area 0.0.0.21, but it is configured with a higher cost of 1000 so that it acts as the backup link.
- FGT-A redistributes the external route 192.168.10.0/24 to FGT-B with 'NSSA: Forward Address' set to 10.10.10.1.
- When the physical link between SWITCH-1 and SWITCH-2 goes down, the VLAN100 interface stays operationally UP on both FGT-A and FGT-B, because the FGT-A to SWITCH-1 and FGT-B to SWITCH-2 physical links are still up.
- The OSPF neighborship over VLAN100 goes down, because 10.10.10.1 can no longer reach 10.10.10.2.
- FGT-A nevertheless keeps redistributing the external route 192.168.10.0/24 to FGT-B over the backup IPsec link with 'NSSA: Forward Address' still set to 10.10.10.1 instead of the IPsec interface IP 10.20.20.1, because VLAN100 is still operationally UP on FGT-A.
- FGT-B resolves 10.10.10.1 through its own connected VLAN100 route, forwards the traffic for 192.168.10.0/24 onto VLAN100, and the traffic is black-holed there.
Solution
- To avoid this, configure a loopback IP in OSPF NSSA area 0.0.0.21 on both FGT-A and FGT-B.
- With FGT-A configured with loopback IP 172.16.1.1/32 and FGT-B with loopback IP 172.16.2.2/32, and both loopbacks added to NSSA area 0.0.0.21 under 'config network', FGT-A redistributes the external route 192.168.10.0/24 to FGT-B with the NSSA forward address set to the loopback IP 172.16.1.1 (see https://tools.ietf.org/html/rfc3101#section-12.4.4.1).
- A loopback interface never goes operationally down with a physical link, and FGT-A's loopback 172.16.1.1/32 is advertised by OSPF over whichever adjacency is still up. When the VLAN100 neighborship is lost, the loopback remains reachable over the IPsec interface, so FGT-B forwards the traffic over the IPsec interface instead of VLAN100 and the traffic is no longer black-holed.
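The failure and the loopback fix above can be walked through in a small model. The Python below is an added example, not FortiOS code and not from the original article: it keeps the page's addresses (VLAN100 10.10.10.0/30, IPsec 10.20.20.0/30, loopbacks 172.16.1.1/32 and 172.16.2.2/32, external 192.168.10.0/24 via 10.30.30.2), while the forwarding-address selection order, the routing-table contents and the notion of a "live adjacency" are constructed assumptions used to illustrate why FGT-B black-holes traffic in one case and not the other.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Iface:
    name: str
    addr: IPv4Address
    up: bool                  # operational status; VLAN100 stays UP in the failure case
    loopback: bool = False


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    nexthop: Optional[IPv4Address] = None   # None means directly connected


# Prefixes placed in NSSA area 0.0.0.21 by the page's "config network" entries.
AREA_PREFIXES = [ip_network("10.10.10.0/30"), ip_network("10.20.20.0/30"),
                 ip_network("172.16.1.1/32"), ip_network("172.16.2.2/32")]
# FGT-A's static route for 192.168.10.0/24 points at 10.30.30.2, which is outside the area.
EXTERNAL_NEXTHOP = ip_address("10.30.30.2")


def select_forwarding_address(next_hop: IPv4Address, asbr_ifaces: list) -> IPv4Address:
    """Model (assumption) of the rule at the top of the page: a next hop inside the NSSA
    becomes the forwarding address; otherwise the ASBR must use one of its own active
    interface addresses in the area. A loopback in the area is preferred when present.
    Without one, which interface wins is implementation-dependent; the page shows FGT-A
    picking VLAN100, which this model reproduces by taking the first candidate in list order."""
    if any(next_hop in p for p in AREA_PREFIXES):
        return next_hop
    candidates = [i for i in asbr_ifaces if i.up and any(i.addr in p for p in AREA_PREFIXES)]
    loopbacks = [i for i in candidates if i.loopback]
    return (loopbacks or candidates)[0].addr


def resolve(rib: list, dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as the receiving router resolves the forwarding address."""
    matches = [r for r in rib if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def egress_for_external(rib: list, fwd_addr: IPv4Address, adjacencies_up: set):
    """Return (egress interface, black_holed). A forwarding address that resolves to a
    directly connected prefix on an interface with no live OSPF adjacency is the page's
    failure: the interface is UP so the connected route stays, but the far side is gone."""
    r = resolve(rib, fwd_addr)
    if r is None:
        return None, True
    black_holed = r.nexthop is None and r.interface not in adjacencies_up
    return r.interface, black_holed


def fgt_b_rib(loopback_in_area: bool, vlan100_adjacency_up: bool) -> list:
    """Constructed FGT-B routing table. VLAN100 is operationally UP in every case (the
    switch-to-switch failure does not take the FortiGate's own port down), so 10.10.10.0/30
    is always a connected route. FGT-A's loopback, when it is in the area, is learned over
    VLAN100 (cost 0, default) while that adjacency is up and over the IPsec tunnel
    (cost 1000) once the tunnel is the only adjacency left."""
    rib = [Route(ip_network("10.10.10.0/30"), "VLAN100"),
           Route(ip_network("10.20.20.0/30"), "IPSEC-VPN"),
           Route(ip_network("172.16.2.2/32"), "Loopback0")]
    if loopback_in_area:
        if vlan100_adjacency_up:
            rib.append(Route(ip_network("172.16.1.1/32"), "VLAN100", ip_address("10.10.10.1")))
        else:
            rib.append(Route(ip_network("172.16.1.1/32"), "IPSEC-VPN", ip_address("10.20.20.1")))
    return rib


def scenario(loopback_in_area: bool, vlan100_adjacency_up: bool):
    """Run the page's topology through the model: which forwarding address FGT-A advertises
    for 192.168.10.0/24 and where FGT-B then sends that traffic."""
    fgt_a_ifaces = [Iface("VLAN100", ip_address("10.10.10.1"), up=True),
                    Iface("IPSEC-VPN", ip_address("10.20.20.1"), up=True)]
    if loopback_in_area:
        fgt_a_ifaces.append(Iface("Loopback0", ip_address("172.16.1.1"), up=True, loopback=True))
    fwd_addr = select_forwarding_address(EXTERNAL_NEXTHOP, fgt_a_ifaces)
    adjacencies_up = {"IPSEC-VPN"} | ({"VLAN100"} if vlan100_adjacency_up else set())
    egress, black_holed = egress_for_external(
        fgt_b_rib(loopback_in_area, vlan100_adjacency_up), fwd_addr, adjacencies_up)
    return str(fwd_addr), egress, black_holed


if __name__ == "__main__":
    for loop in (False, True):
        for adj in (True, False):
            fa, egress, bh = scenario(loop, adj)
            print(f"loopback={loop!s:5} vlan100_adjacency={adj!s:5} "
                  f"fwd_addr={fa:12} egress={egress:10} black_holed={bh}")
```

Without the loopback, the forwarding address 10.10.10.1 resolves on FGT-B to its own connected VLAN100 prefix whether or not the VLAN100 adjacency is alive, which is the black hole. With the loopback in the area, 172.16.1.1/32 is only ever reachable through a live OSPF adjacency, so the egress interface follows the adjacency to the IPsec tunnel when VLAN100 fails.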
FGT-A:
# config system interface
edit "VLAN100"
set vdom "root"
set ip 10.10.10.1 255.255.255.252
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 6
set interface "lan1"
set vlanid 100
next
edit "IPSEC-VPN"
set vdom "root"
set ip 10.20.20.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.20.20.2 255.255.255.252
set snmp-index 7
set interface "wan"
next
edit "Loopback0"
set vdom "root"
set ip 172.16.1.1 255.255.255.255
set allowaccess ping
set type loopback
set snmp-index 8
next
end
# config router ospf
set router-id 10.10.10.1
# config area
edit 0.0.0.21
set type nssa
next
end
# config ospf-interface
edit "VLAN100"
set interface "VLAN100"
next
edit "IPSEC-VPN"
set interface "IPSEC-VPN"
set cost 1000
next
end
# config network
edit 1
set prefix 10.10.10.0 255.255.255.252
set area 0.0.0.21
next
edit 2
set prefix 10.20.20.0 255.255.255.252
set area 0.0.0.21
next
edit 3
set prefix 172.16.1.1 255.255.255.255
set area 0.0.0.21
next
end
# config redistribute "connected"
end
# config redistribute "static"
set status enable
end
# config redistribute "rip"
end
# config redistribute "bgp"
end
# config redistribute "isis"
end
end
# config router static
edit 1
set dst 192.168.10.0 255.255.255.0
set device "port1"
set gateway 10.30.30.2
next
end

FGT-B:
# config system interface
edit "VLAN100"
set vdom "root"
set ip 10.10.10.2 255.255.255.252
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 6
set interface "lan1"
set vlanid 100
next
edit "IPSEC-VPN"
set vdom "root"
set ip 10.20.20.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.20.20.1 255.255.255.252
set snmp-index 7
set interface "wan"
next
edit "Loopback0"
set vdom "root"
set ip 172.16.2.2 255.255.255.255
set allowaccess ping
set type loopback
set snmp-index 8
next
end
# config router ospf
set router-id 10.10.10.2
# config area
edit 0.0.0.21
set type nssa
next
end
# config ospf-interface
edit "VLAN100"
set interface "VLAN100"
next
edit "IPSEC-VPN"
set interface "IPSEC-VPN"
set cost 1000
next
end
# config network
edit 1
set prefix 10.10.10.0 255.255.255.252
set area 0.0.0.21
next
edit 2
set prefix 10.20.20.0 255.255.255.252
set area 0.0.0.21
next
edit 3
set prefix 172.16.2.2 255.255.255.255
set area 0.0.0.21
next
end
# config redistribute "connected"
end
# config redistribute "static"
set status enable
end
# config redistribute "rip"
end
# config redistribute "bgp"
end
# config redistribute "isis"
end
end

Below is the command to check the NSSA Forward Address for the LSA:
# get router info ospf database nssa-external lsa <PREFIX>
Copyright 2024 Fortinet, Inc. All Rights Reserved.