I'm seeing some issues with OSPF, vSEC R80.10
We see regular OSPF convergence on the vSEC cluster, which dumps routes for a short time and is causing some instability.
In the logs I see lots of connections dropped due to antispoofing, with the origin being the secondary cluster member; the dropped traffic is from VIP addresses to the associated OSPF neighbor for service ospf.
We have an antispoofing group configured on the interfaces that includes the IP ranges of both the src & dst OSPF neighbors, and the antispoofing action is set to detect & log, so I'm not sure why the secondary Check Point is dropping.
show ospf neighbors shows errors incrementing for 1 neighbor.
Anyone seen anything like this with Check Point and OSPF?
When I look at show ospf neighbors on both Check Points I see they have the exact same details, including interface details. I would have thought each cluster member would use its own IP to form neighbour relationships, but I understand why they use the VIP, as it ensures the neighbors send to the active IP, which leads me to a few q's:
- Is the standby/secondary CP dropping OSPF from the neighbour intentionally, but it shows as antispoof in the logs?
- Does the active CP sync the OSPF database to the secondary so the secondary never needs to actively form neighbor relationships?
- Are the drops in the logs normal behaviour for the secondary?
I appreciate we need to upgrade, but you already know why that hasn't happened.
Thanks