Technical Tip: OSPF Neighbor Status Flapping through IPsec VPN

This article describes that OSPF neighbor status keeps on changing in Init -> ExStart -> Full -> Init…

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
172.x.x.11 1 Init/ - 00:00:33 10.0.x.113 Tunnel_1

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
172.x.x.11 1 ExStart/ - 00:00:38 10.0.x.113 Tunnel_1

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
172.x.x.11 1 Full/ - 00:00:36 10.0.x.113 Tunnel_1

Init state: A Hello packet has recently been seen from the neighbor. However, bidirectional communication has not yet been established with the neighbor.

Full state: The normal operating state of OSPF that indicates everything is functioning normally.

When the OSPF neighbor state moves Full/, it means there is no DR or BDR, as it is a point-to-point network.

The hello timers should be 10-40. If this is set up correctly, a point-to-point network with no DR and BDR election will not occur.

IPsec VPN Tunnel_1 is up.

Packet sniffer for protocol 89, traffic is coming in, no reply.

diagnose sniffer packet any "host 10.0.x.113 and ip proto 89" 4
interfaces=[any]
filters=[host 10.0.x.113 and ip proto 89]

Tunnel_1 in 10.0.x.113 -> 224.0.0.5: ip-proto-89 1400 (frag 25896:1400@0+)
Tunnel_1 in 10.0.x.113 -> 224.0.0.5: ip-proto-89 (frag 25896:72@1400)
Tunnel_1 in 10.0.x.113 -> 224.0.0.5: ip-proto-89 48
Tunnel_1 in 10.0.x.113 -> 224.0.0.5: ip-proto-89 1400 (frag 38952:1400@0+)
Tunnel_1 in 10.0.x.113 -> 224.0.0.5: ip-proto-89 (frag 38952:72@1400)
Tunnel_1 in 10.0.x.113 -> 224.0.0.5: ip-proto-89 64

From the FortiGate GUI, ping the remote 10.0.x.113, 100% packet loss.

FortiGate, all firmware.

VPN Tunnel_1 interface local IP 10.0.x.114/255.255.255.255 remote IP 10.0.x.113/255.255.255.255.

Change the remote IP subnet mask to 255.255.255.252.