OSPF between ASA and ASR stuck in INIT/DROTHER
Recently we migrated some ASR-1001-X routers to a new setup with ASR-1001-HX and recent IOS-XE versions on it. After the migration some OSPF sessions stayed stuck in INIT/DROTHER. It turned out these were all ASA firewalls.
After some googling and troubleshooting I came across the following article - https://finkotek.com/cisco-asa-ospf-neighbor-stuck-in-init-state/
It seems there is an incompatibility between the ASA and recent ASR/IOS-XE releases: OSPF Link-Local Signaling (LLS, RFC 5613), which IOS-XE enables by default, is not fully supported on the ASA.
The following steps verify this on the ASA side:
asa# show ospf events
OSPF Router with ID (Process ID 100)
1 May 18 21:10:51.416: Bad pkt rcvd: <invalid IP>
2 May 18 21:10:41.946: Bad pkt rcvd: <invalid IP>
3 May 18 21:10:32.876: Bad pkt rcvd:
The IP address in these events is an invalid, non-existent address rather than the neighbor's real source IP.
asa# show ospf traffic
<SNIP>
OSPF header errors
  Length 0, Auth Type 0, Checksum 0, Version 0,
  Bad Source 0, No Virtual Link 0, Area Mismatch 0,
  No Sham Link 0, Self Originated 0, Duplicate ID 0,
  Hello 0, MTU Mismatch 0, Nbr Ignored 0,
  LLS 80, Unknown Neighbor 0, Authentication 0,
  TTL Check Fail 0
The LLS counter under "OSPF header errors" is the one to watch: it is non-zero (80 here) and keeps climbing with every Hello received from the ASR, while all the other error counters stay at 0. This is an ASA bug: it does not handle the OSPF LLS TLVs that the IOS-XE side appends to its packets, so every such Hello is dropped as a bad packet and the adjacency never gets past INIT. Cisco tracks it as CSCvg78868: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg78868
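To make the LLS mechanics concrete, here is an added Python example (not from the original post and not Cisco code). It builds a synthetic OSPFv2 Hello with the L-bit set and an RFC 5613 LLS data block appended, then dissects it the way a capture-inspection script would. The router ID, area, Hello timers and LLS flag values are constructed; the point it shows is that the LLS block sits after the bytes counted by the OSPF packet length and outside the OSPF checksum, so a receiver that does not implement RFC 5613 is left with trailing bytes it cannot account for.

```python
"""Build and dissect an OSPFv2 Hello carrying an RFC 5613 LLS data block.

Constructed example: the packets here are synthetic, not captured from the
ASA/ASR pair in the post.
"""
import ipaddress
import struct

OSPF_HDR = struct.Struct("!BBHIIHH8s")   # version, type, length, router ID, area ID, checksum, AuType, auth
HELLO_BODY = struct.Struct("!4sHBBI4s4s")  # mask, hello interval, options, priority, dead interval, DR, BDR
OSPF_HELLO = 1
OPT_L = 0x10                 # L-bit in the Options field: "an LLS data block follows"
LLS_TYPE_EXT_OPTIONS = 1     # Extended Options and Flags TLV
LLS_LR = 0x00000001          # LSDB Resynchronization flag
LLS_RS = 0x00000002          # Restart Signal flag


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ext_options_tlv(flags: int) -> bytes:
    """Extended Options and Flags TLV (type 1, 4-byte value)."""
    return struct.pack("!HHI", LLS_TYPE_EXT_OPTIONS, 4, flags)


def lls_block(tlvs: list) -> bytes:
    """LLS data block: checksum, length in 32-bit words, then the TLVs."""
    payload = b"".join(tlvs)
    words = (4 + len(payload)) // 4
    body = struct.pack("!HH", 0, words) + payload
    return struct.pack("!HH", inet_checksum(body), words) + payload


def build_hello(router_id: str, area_id: str, options: int, lls_tlvs=None) -> bytes:
    """OSPFv2 Hello with AuType 0 (null); an LLS block is appended when lls_tlvs is given."""
    rid = int(ipaddress.IPv4Address(router_id))
    aid = int(ipaddress.IPv4Address(area_id))
    body = HELLO_BODY.pack(b"\xff\xff\xff\x00", 10, options, 1, 40, b"\0" * 4, b"\0" * 4)
    length = OSPF_HDR.size + len(body)          # LLS bytes are NOT counted here
    hdr = OSPF_HDR.pack(2, OSPF_HELLO, length, rid, aid, 0, 0, b"\0" * 8)
    # RFC 2328 D.4.1: the checksum covers the packet excluding the 8-byte auth field.
    csum = inet_checksum(hdr[:16] + body)
    hdr = OSPF_HDR.pack(2, OSPF_HELLO, length, rid, aid, csum, 0, b"\0" * 8)
    pkt = hdr + body
    if lls_tlvs:
        pkt += lls_block(lls_tlvs)
    return pkt


def parse_ospf(data: bytes) -> dict:
    """Dissect the OSPF header, verify both checksums, and pull out any LLS TLVs."""
    version, ptype, length, rid, aid, _csum, autype, _auth = OSPF_HDR.unpack_from(data)
    if version != 2:
        raise ValueError("not OSPFv2")
    ospf_pdu = data[:length]
    trailing = data[length:]      # bytes the OSPF packet length does not account for
    result = {
        "type": ptype,
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area_id": str(ipaddress.IPv4Address(aid)),
        "ospf_checksum_ok": inet_checksum(ospf_pdu[:16] + ospf_pdu[24:]) == 0,
        "trailing_bytes": len(trailing),
        "lls_present": False,
        "lls_checksum_ok": None,
        "tlvs": [],
    }
    options = ospf_pdu[24 + 6] if ptype == OSPF_HELLO else None   # Options byte of the Hello body
    if options is None or not options & OPT_L or len(trailing) < 4:
        return result
    _lls_csum, words = struct.unpack_from("!HH", trailing)
    block = trailing[: words * 4]
    result["lls_present"] = True
    # With cryptographic authentication (AuType 2) the LLS checksum is not used (RFC 5613 2.2).
    result["lls_checksum_ok"] = True if autype == 2 else inet_checksum(block) == 0
    off = 4
    while off + 4 <= len(block):
        ttype, tlen = struct.unpack_from("!HH", block, off)
        result["tlvs"].append((ttype, block[off + 4: off + 4 + tlen]))
        off += 4 + ((tlen + 3) // 4) * 4      # TLV values are padded to 32-bit boundaries
    return result


if __name__ == "__main__":
    # Constructed IOS-XE-style Hello: L-bit set, LLS block advertising the LR flag.
    with_lls = build_hello("10.0.0.1", "0.0.0.0", OPT_L | 0x02, [ext_options_tlv(LLS_LR)])
    print(parse_ospf(with_lls))
    # The same Hello without LLS, as sent after "ip ospf lls disable".
    print(parse_ospf(build_hello("10.0.0.1", "0.0.0.0", 0x02)))
```

The first dissection reports 12 trailing bytes and one TLV; the second reports none. Run against real Hellos from a packet capture, the same function tells you whether the ASR is actually appending LLS data on that link and whether the L-bit is set, which is a faster check than waiting for the ASA counters to climb.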
The workaround is to disable LLS on the ASR interface that faces the ASA:
interface GigabitEthernetX/X
 ip ospf lls disable
This is per interface, so repeat it for every ASR interface with an ASA neighbor. Afterwards the adjacency should come up to FULL (check with show ospf neighbor on the ASA and show ip ospf neighbor on the ASR) and the LLS counter in show ospf traffic should stop increasing. Note that LLS is what carries the OSPF graceful restart / NSF signaling, so disabling it on that interface also removes NSF awareness on that link.