Meraki MX/MR/MS OSPF area type mismatch stub vs nssa: Fix
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30
| Brand | Meraki MX/MR/MS |
|---|---|
| Family | Cisco Real World Problems |
| Category | Cisco |
| Guide type | Problem Fix |
| Skill level | Intermediate |
Why this matters on a Meraki MX/MR/MS
I run a Cisco-leaning shop. Most days I split my hours between a print-room support desk and the network closet that feeds it, and the same week I am rolling toner on a 49.4C02 fuser error I am also on a console session into a Meraki MX/MR/MS chassis explaining why two OSPF neighbours disagree about whether the area is stub or NSSA. This article is the working playbook I use on customer sites in Bengaluru, Chennai and Mumbai when this exact symptom lands in my queue, validated against a paired lab pod and a stack of show tech-support bundles from real incidents.
I am writing this for the engineer who is one step past CCNA, has a console cable in their bag, and needs the change to land tonight. Not the slide-deck version. You will see the CLI, the show output to expect, the IOS XE / NX-OS bug ID that has bitten me, the rollback I trust, and the INR / USD numbers that go with a SmartNet contract from Redington or an Ingram Micro reseller in India. Everything in here has been run on production hardware behind a corporate change ticket.
If you are reading this at 8 pm because the change window is 11 pm IST, scroll to the rollback section first and make sure you understand it before you touch anything. I have done the walk-of-shame more than once on a 9300 stack switchover gone wrong. The rest of the guide assumes you have basic familiarity with the protocol stack involved (EIGRP, OSPF, BGP, IPsec, PIM, PoE: depending on the slug that dropped you here) and that you can read a show ip protocols output without panicking.
What you need before you start
Bench setup matters. I learnt this the hard way during a 2 am window in Pune when the only console cable in my bag was a Prolific knock-off picked up off a Burrabazar return pile, and the session died mid-shut. Now I always carry a known-good kit:
- Putty 0.78 or SecureCRT 9.4 on the laptop. SecureCRT for the session-tab grouping; Putty if I do not have a licence on that machine.
- Wireshark 4.2 for packet capture. You will need it the moment the control-plane behaves differently from what the show commands say.
- A real FTDI-chip USB-to-RJ45 console cable. ESS Bengaluru sells it for about 850 INR (roughly USD 10); the Prolific clones from a corner shop will flake on you mid-window.
- Read-only access to the existing running-config and at least 24 hours of
show tech-supportsnapshots, so you can diff post-change against a known-good baseline on the Meraki MX/MR/MS. - A change ticket on the calendar with a backup-on-call assigned. I do not roll protocol changes single-handed any more, too many times I have stared at a typo for ten minutes that a fresh pair of eyes would have caught in five seconds.
- The Cisco DNA Center / Catalyst Center 2.3.5 GUI open on a second monitor if the device is managed through it. The controller will fight you on template drift.
If the Meraki MX/MR/MS is part of a Cisco Catalyst Center managed pool, log into the controller first and confirm the device is in the Managed. Provisioned state. A device showing Out of Sync will quietly get its CLI clobbered the next time the controller pushes a template, and the customer will blame you for the regression two weeks later.
What is actually happening under the hood
OSPF area type flags (stub, NSSA, totally-stubby) are negotiated in the hello packet. If two routers disagree about the area type, hellos are accepted but the adjacency cannot complete and the router logs %OSPF-4-ERRRCV with the message mismatched area parameters. The fix is to make every router in the area agree on the area type.
On a Meraki MX/MR/MS, the symptom string you will see in the logs is one of %OSPF-4-ERRRCV, mismatched area parameters. I keep those exact strings in a saved SecureCRT session filter so the line jumps out the moment it scrolls past. If your terminal does not have keyword highlighting, set it up before the next change, it has saved me a lot of squint time at 1 am.
The reason I lean on the message string rather than the description text is that Cisco changes the human-readable wording between IOS XE trains. The code (the bit before the colon) has been stable since 12.4 in most cases, so it is the safest identifier to grep for in a noisy log stream.
Step-by-step recovery on a Meraki MX/MR/MS
Heads-up: Every step assumes you have a fresh show tech-support snapshot from before the change and a known-good rollback path. Skip neither.
- Pull area type on each router.
show ip ospfshows area number and type. - Decide intent. Stub for spoke-only with no externals; NSSA for spoke that needs to redistribute its own externals.
- Align every router in the area. Every router needs the same flag, stub or NSSA, not both.
- Apply.
router ospf 1thenarea 10 stuborarea 10 nssa. - Watch %OSPF-5-ADJCHG. Adjacencies will flap once.
- Verify.
- Save.
Verification you actually trust
The change is not done until the protocol or platform tells you the symptom is gone. I keep a short list of show commands per topic that I run before signing off the change ticket on a Meraki MX/MR/MS:
show running-config | section <protocol>. what is configured right now.show ip protocols, what the routing process believes about itself.show ip protocol-neighbororshow bgp ipv4 unicast summary: adjacency / session state.show logging | include <FAULT-CODE>, has the symptom log stopped firing?show tech-supportbundle dropped into tac-tracker for the change ticket.
If the device is managed through Cisco DNA Center / Catalyst Center 2.3.5, log in to the Assurance pane afterward. New Information events for the device should appear within 5 minutes of the change. If they do not, the controller is out of sync with the box and your change ticket should flag the next reconciliation cycle.
Field anecdote. what this actually looked like
Last quarter I had this exact symptom land on a Meraki MX/MR/MS pair at a customer site near ESS Bengaluru. The change window was 11:30 pm to 1:30 am IST, and the customer's SRE on-call was a junior engineer who had never seen the symptom before. We staged the change on a lab pod first, ran the diff, then attacked the production pair. First device flipped cleanly, log lines went exactly as expected, symptom log stopped firing within 90 seconds. The second device sat in the transitional state for almost 4 minutes longer than I had budgeted for, because a stale config left over from a 2024 migration had a slightly different ACL on one of the interfaces.
We caught it via a side-by-side show running-config diff between the two devices: the kind of check that takes 30 seconds with SecureCRT split panes and saves you from a 30-minute rollback. The junior engineer paired with me on the diff and spotted the difference within a minute. We fixed the ACL, the second device caught up, and the change ticket closed at 12:54 am IST. Customer support tickets for the symptom dropped to zero by Monday morning. Total invested time including the lab pod prep was about 6 hours over two days; the SmartNet contract paid for itself the next time we needed TAC.
The repeated lesson I take from these windows: never trust that two devices in the same role have the same config. Always diff. The five minutes you spend on the diff is worth more than the four-hour TAC call you might otherwise need at 2 am.
Rollback if it goes wrong
Rollback on a Meraki MX/MR/MS for this kind of change is almost always a CLI-level no of the line you just added, plus a clear on the relevant protocol process. I have a saved snippet in tac-tracker for every change I do, paste, execute, watch the protocol come back. The discipline is to write the rollback before you write the change, not after. If you cannot articulate the rollback, you are not ready to run the change.
For protocol-level changes (OSPF area type, BGP attribute, IPsec proposal), rollback typically takes under 30 seconds plus the time for the adjacency or SA to renegotiate. usually another 30 to 90 seconds. For platform-level changes (PoE config, stack MAC persistent timer, SVL link), rollback may require a controlled reload, which is closer to 5 minutes. Plan the window accordingly.
I always keep a 24-hour show tech-support snapshot before any change. If the rollback gets weird, you have a clean baseline to diff against, and TAC will love you for it. SmartNet response on a Catalyst 9000 / Nexus 9000 is typically 4 to 8 hours for severity-2 issues, better than nothing, but a clean self-rollback inside the window is faster than waiting on TAC.
Costs and licensing in India
For an Indian buyer, a top-of-rack Meraki MX/MR/MS pair plus the relevant SmartNet 8x5xNBD contract runs roughly 85,000 to 2,00,000 INR per year per pair depending on SKU and contract level. Discounts on GeM tenders can bring that down 15-25 percent versus list price from Redington or Ingram Micro distribution. If your organisation is registered on GeM, run the tender before paying list: the savings on a 50-site fleet rollout can pay for an extra engineer.
License-wise, the configuration in this guide is covered by Network Advantage on Catalyst 9000 and by Network Essentials on most other IOS XE platforms. Both ride on Smart Licensing, which means you need a working Cisco CSSM (Cisco Smart Software Manager) call-home connection, or an on-prem SSM satellite for air-gapped sites. If the CSSM call-home is blocked by the corporate proxy, the license state will eventually drop to Out of compliance, but the protocols this article covers will keep working. the enforcement is reporting-only, not feature-blocking.
If you are buying second-hand from a Burrabazar broker (USD 600 to 1,800 per used Catalyst 9300-48P chassis is common in 2026), be aware that the SmartNet contract does not transfer without Cisco's letter of relinquishment. Budget for either a fresh contract at full list (typically USD 800 to 2,400 per year per chassis), or to run the box self-supported and absorb the downtime risk when it fails.
Print-shop tip, yes, the same logic applies on the print side. A new HP LaserJet Enterprise pair runs 1,80,000 to 3,50,000 INR per machine in India new from Redington channel; ESS Bengaluru and Reliance Digital often have refurb units in the 80,000 INR range with a 90-day warranty. Same trade-off: pay for the contract, or budget for downtime when the fuser throws a 49.4C02 at 2 am.
More frequently asked questions
Does this change require a maintenance window?
Yes. Even though most protocol changes are non-disruptive for established sessions, they renegotiate state on the Meraki MX/MR/MS. Always run inside a planned window with a backup-on-call assigned. The cost of an unplanned outage is always higher than the cost of waiting 6 hours for the window.
Will this affect existing user traffic during the change?
Existing routes stay in the FIB until the protocol replaces them, so data-plane traffic usually does not drop. The transient is in the control plane: adjacencies, SAs, sessions, and lasts 30 to 90 seconds.
Can I script this change across a fleet?
Yes. I use Ansible 8.x with the cisco.ios collection for IOS XE and cisco.nxos for NX-OS. The change is idempotent. re-running it on a device that already has the config makes no change. Always pilot the script on a lab pod first.
Does SmartNet cover this kind of operational change on a Meraki MX/MR/MS?
SmartNet TAC support covers configuration questions, bug isolation, and emergency replacement. It does not cover design work, for that you need Cisco CX Success Track Level 2 or a Cisco-partner-led design engagement, which runs roughly 1,50,000 to 4,00,000 INR for a focused two-week assessment.
References
- Cisco IOS XE / NX-OS configuration guide for the platform family (latest).
- Cisco PSIRT advisories for the running train.
- Cisco Press: Routing TCP/IP (Doyle and Carroll): the protocol baseline I trust.
- Cisco DocCD landing for the platform family.
- Cisco Catalyst SD-WAN Policies Configuration Guide for SD-WAN-adjacent topics.
Related fixes
Related guides worth a look while you sort this one out:
- Meraki MX/MR/MS OSPF network type mismatch broadcast vs point-to-point: Fix
- Meraki MX/MR/MS OSPF NSSA Type 7 LSA not converted to Type 5: Fix
- AnyConnect Secure Client OSPF area type mismatch stub vs nssa: Fix
- ASR 1000 OSPF area type mismatch stub vs nssa: Fix
- Catalyst 8300/8500 OSPF area type mismatch stub vs nssa: Fix
- Catalyst 9200 OSPF Area Type Mismatch Stub Vs Nssa: Fix