show ospf neighbor
Displays the OSPF neighbor table, showing all OSPF neighbors and their adjacency states.
Overview
The 'show ospf neighbor' command is a fundamental troubleshooting tool for OSPF (Open Shortest Path First) routing protocol on Cisco ASA firewalls. It displays the OSPF neighbor table, which lists all adjacent routers with which the ASA has formed or is attempting to form an OSPF adjacency. This command is essential for verifying that OSPF adjacencies are established correctly, monitoring neighbor states, and diagnosing issues such as mismatched parameters, authentication failures, or network connectivity problems.
OSPF is a link-state routing protocol that uses hello packets to discover and maintain neighbor relationships. The neighbor state machine progresses through states: DOWN, ATTEMPT, INIT, 2WAY, EXSTART, EXCHANGE, LOADING, and FULL. The 'show ospf neighbor' output shows the current state for each neighbor, which indicates the health of the adjacency. On Cisco ASA, OSPF operates similarly to IOS, but with some platform-specific behaviors: ASA supports OSPFv2 for IPv4 and OSPFv3 for IPv6, and it can run multiple OSPF processes. The ASA also supports OSPF in routed mode only; transparent mode does not support dynamic routing.
When troubleshooting, this command is often the first step. A neighbor stuck in INIT suggests that the ASA has received a hello from the neighbor but the neighbor has not received a hello back (possibly due to unicast vs multicast issues or ACL blocking). A neighbor stuck in EXSTART or EXCHANGE indicates problems with database descriptor (DD) packet exchange, often due to MTU mismatch or mismatched OSPF options. The command also shows the DR/BDR roles on multi-access networks, which is critical for understanding the OSPF topology. By using the 'detail' keyword, engineers can view additional information such as retransmission queue length, uptime, and number of state changes, which help in identifying flapping adjacencies or packet loss.
```
show ospf neighbor [interface-name] [neighbor-id] [detail]
```
When to Use This Command
- Verify OSPF neighbor adjacencies after configuration changes.
- Troubleshoot OSPF adjacency issues (e.g., stuck in INIT or EXSTART).
- Monitor OSPF neighbor state changes during network events.
- Check DR/BDR elections on multi-access networks.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| interface-name | interface-type interface-number | Specifies the interface to display neighbors for. If omitted, all neighbors are shown. |
| neighbor-id | A.B.C.D | Router ID of a specific neighbor to display. If omitted, all neighbors are shown. |
| detail | detail | Displays detailed information about each neighbor, including DR/BDR, retransmission stats, and uptime. |
Command Examples
Basic OSPF neighbor display
```
show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/DR         00:00:35    192.168.1.2     GigabitEthernet0/1
10.1.1.3          1   FULL/BDR        00:00:32    192.168.1.3     GigabitEthernet0/1
10.1.2.2          1   FULL/  -        00:00:38    10.1.2.2        GigabitEthernet0/2
```
Neighbor ID: Router ID of neighbor. Pri: OSPF priority. State: Adjacency state (FULL) and role (DR/BDR/-). Dead Time: Time until neighbor declared dead. Address: Neighbor interface IP. Interface: Local interface.
Detailed OSPF neighbor information
```
show ospf neighbor detail

Neighbor 10.1.1.2, interface address 192.168.1.2
    In the area 0.0.0.0 via interface GigabitEthernet0/1
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 192.168.1.2, BDR is 192.168.1.3
    Options is 0x52
    Dead timer due in 00:00:33
    Neighbor is up for 02:15:47
    Index 1/1, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, time is 0 msec
    Last retransmission scan time is 0 msec
```
Shows detailed info: area, interface, priority, state changes, DR/BDR, options, dead timer, uptime, retransmission queue stats.
Understanding the Output
The 'show ospf neighbor' output displays each OSPF neighbor in a row. Key fields: Neighbor ID (Router ID), Pri (priority used for DR/BDR election), State (adjacency state and role), Dead Time (time remaining before neighbor is declared dead), Address (neighbor's interface IP), Interface (local interface). A healthy neighbor shows State as FULL (for point-to-point or DR/BDR) or 2WAY (for non-DR/BDR on multi-access). Dead Time should be decreasing and reset upon receiving hello packets. Problem states include INIT (hello received but not bidirectional), EXSTART/EXCHANGE (database descriptor exchange issues), or DOWN. High retransmission counts or queue lengths indicate packet loss or misconfiguration. In multi-access networks, the DR and BDR roles are indicated (e.g., FULL/DR). The priority field determines election; a priority of 0 means the router cannot become DR/BDR. The Dead Time should be consistent with the configured dead interval (default 40 seconds).
Configuration Scenarios
Verifying OSPF adjacency after configuration
An ASA is configured with OSPF in area 0. After applying the configuration, verify that neighbors are forming adjacencies.
Topology
```
ASA1 (G0/1: 192.168.1.1/24) --- (G0/0: 192.168.1.2/24) ASA2
ASA1 (G0/2: 10.1.1.1/24) --- (G0/1: 10.1.1.2/24) Router1
```
Steps
1. Configure OSPF on both ASAs and Router1.
2. Use 'show ospf neighbor' to verify adjacencies.
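```
! The ASA 'network' statement takes a subnet mask, not an IOS-style wildcard mask.
! ASA1 configuration
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 network 10.1.1.0 255.255.255.0 area 0
! ASA2 configuration
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
```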
Verify:
```
ASA1# show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/  -        00:00:35    192.168.1.2     GigabitEthernet0/1
10.1.1.3          1   FULL/  -        00:00:32    10.1.1.2        GigabitEthernet0/2
```
Watch out: Ensure OSPF is enabled on the correct interfaces and that there are no ACLs blocking OSPF multicast (224.0.0.5/6).
Troubleshooting with This Command
When troubleshooting OSPF neighbor issues on Cisco ASA, start with 'show ospf neighbor' to identify the current state. If neighbors are missing or stuck in INIT, check the following:
1. **Interface state**: Ensure the interface is up/up and OSPF is enabled on it. Use 'show ospf interface' to verify.
2. **Hello/Dead timers**: Mismatched timers prevent adjacency. Default hello is 10 sec, dead 40 sec. Use 'show ospf interface' to check.
3. **Network type**: Mismatched network types (e.g., broadcast vs point-to-point) can cause issues. ASA defaults to broadcast on Ethernet.
4. **Authentication**: If configured, ensure both sides use the same authentication type and key.
5. **ACLs**: Check whether ACLs block OSPF multicast (224.0.0.5 for all OSPF routers, 224.0.0.6 for DR/BDR).
6. **MTU**: A mismatched MTU can leave a neighbor stuck in EXSTART/EXCHANGE. Use 'show ospf neighbor detail' to see retransmission counts.
7. **Passive interface**: If an interface is configured as passive, it will not send hellos, so no neighbor forms. Use 'no passive-interface' under the OSPF process.
If neighbors are in FULL but routes are missing, check the OSPF database with 'show ospf database' and verify route redistribution if applicable. On ASA, OSPF can be used with VPNs and contexts; ensure OSPF is configured in the correct context and that interfaces belong to the correct VRF if using multiple routing tables.
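The state rules from "Understanding the Output" and the checks listed above can be applied to captured output automatically. The following is an added example, not code from Cisco or from this page: it parses the neighbor table and returns only the rows that need attention. The sample table is constructed, and the DROTHER role label (shown for non-DR/BDR neighbors) is assumed to appear as it does in IOS-style output.

```python
import re

# Constructed sample in the table format shown on this page (not from a real device).
SAMPLE = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/DR         00:00:35    192.168.1.2     GigabitEthernet0/1
10.1.1.4          1   2WAY/DROTHER    00:00:31    192.168.1.4     GigabitEthernet0/1
10.1.1.5          0   INIT/DROTHER    00:00:39    192.168.1.5     GigabitEthernet0/1
10.1.2.2          1   EXSTART/  -     00:00:38    10.1.2.2        GigabitEthernet0/2
"""

# One table row; the role may be separated from the slash by spaces ("FULL/  -").
ROW = re.compile(
    r"^(?P<id>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>[A-Z0-9]+)/\s*(?P<role>\S+)"
    r"\s+(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\S+)\s+(?P<intf>\S+)\s*$"
)

# Hints condensed from the troubleshooting checks on this page.
HINTS = {
    "DOWN": "no hellos received: check interface state and passive-interface",
    "INIT": "hello not bidirectional: check ACLs for 224.0.0.5/6 and hello/dead timers",
    "2WAY": "2WAY is only expected toward a DROTHER: check network type",
    "EXSTART": "DD exchange stalled: check for MTU mismatch and OSPF options",
    "EXCHANGE": "DD exchange stalled: check for MTU mismatch and OSPF options",
}

def parse_neighbors(text):
    """Return one dict per neighbor row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def triage(text):
    """Return (neighbor_id, interface, state/role, hint) for unhealthy rows."""
    findings = []
    for n in parse_neighbors(text):
        state, role = n["state"], n["role"]
        # FULL is healthy; 2WAY is healthy only between non-DR/BDR routers.
        healthy = state == "FULL" or (state == "2WAY" and role == "DROTHER")
        if not healthy:
            hint = HINTS.get(state, "inspect with 'show ospf neighbor detail'")
            findings.append((n["id"], n["intf"], f"{state}/{role}", hint))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```
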
CCNA Exam Tips
Remember that FULL state indicates a complete adjacency; 2WAY is normal for non-DR/BDR routers on multi-access networks.
On ASA, OSPF is supported in routed mode only; transparent mode does not support OSPF.
The 'show ospf neighbor detail' command is useful for troubleshooting retransmission issues and verifying DR/BDR elections.
Common Mistakes
Assuming FULL state is required for all neighbors; on multi-access networks, non-DR/BDR routers remain in 2WAY.
Forgetting that ASA OSPF interfaces are not passive by default; 'passive-interface' must be configured under the OSPF process.
Misinterpreting Dead Time as time since last hello; it is time until expiration, counting down.
Platform Notes
On Cisco ASA, OSPF behavior is similar to Cisco IOS but with some differences:
- ASA supports OSPFv2 and OSPFv3, but OSPFv3 is only for IPv6.
- ASA does not support OSPF in transparent firewall mode; it must be in routed mode.
- The 'show ospf neighbor' command output format is identical to IOS.
- ASA supports multiple OSPF processes (up to 2 by default, configurable).
- OSPF on ASA can be used with site-to-site VPNs, but careful routing design is needed.
- Equivalent commands on other platforms: On Juniper JunOS, 'show ospf neighbor' provides similar info; on Palo Alto, 'show routing protocol ospf neighbor'.
- In ASA version 9.x and later, OSPF features are enhanced, including support for OSPFv3 address families.