OSPF over VPN - neighbor issues. Ping is OK
Hi All,
Hoping someone can help. We have set up an IPsec tunnel between our OnPrem FortiGate and Azure FortiVM.
We have configured each end of the transit tunnel with IP addresses in a /30 network:
- 10.1.15.200/30 Network
- 10.1.15.201/30 OnPrem VPN Interface
- 10.1.15.202/30 Azure VPN Interface
- 10.1.15.203/30 Broadcast
Policy is in place so that ANY LAN traffic can get either way down the tunnel as required.
We have a couple of client/server networks also going over this tunnel. Using static routes on both ends, we can reach each other; PING, SMB, RDP, SSH etc. - great.
However, we want to advertise our OnPrem OSPF into Azure so we can get rid of the statics.
We added the VPN Interface into our existing OSPF Area 0.0.0.0. We have also configured the same items on the Azure side.
However, OSPF neighbors are not coming up correctly.
Our OnPrem FortiGate (notice the Init status):
get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.1.15.202 1 Init/ - 00:00:40 10.1.15.202 OnPrem-Azure
Azure FortiGate shows no neighbors:
get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
The next step I did was to look at the OSPF interfaces to see what (if anything) is happening:
get router info ospf interface
I noticed 2 things:
- The OnPrem device stated MTU 1422 for the OSPF interface and the Azure device stated MTU 1420.
- The OnPrem device can both receive and send OSPF HELLO packets. The Azure device can only send OSPF HELLO packets. It hasn't received a single one :(
So I used this command to set the MTU manually on the Azure device only, as I've seen they have to match for OSPF to chat.
config router ospf
    config ospf-interface
        edit "Azure-OnPrem"
            set mtu 1422
        next
    end
end
The MTU now matches on both devices, but the OSPF status hasn't changed. Ideas anyone?
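As an added illustration (not part of the post, and not a FortiOS tool), the following Python snippet parses the two neighbor tables quoted above and states what the combination of states implies under the OSPF neighbor state machine (RFC 2328). The only assumptions are the row layout of `get router info ospf neighbor` as shown in the post and the two MTU values it reports.

```python
import re

# Constructed sample input: the two neighbor tables quoted in the post.
ONPREM_NEIGHBORS = """\
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.1.15.202 1 Init/ - 00:00:40 10.1.15.202 OnPrem-Azure
"""
AZURE_NEIGHBORS = """\
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
"""

# One data row of 'get router info ospf neighbor': State prints as "<state>/<role>",
# and the role shows as " -" when no DR/BDR election applies to the interface.
ROW = re.compile(
    r"^(?P<nid>[\d.]+)\s+(?P<pri>\d+)\s+(?P<state>[\w-]+)/?"
    r"(?:\s*(?P<role>DROther|BDR|DR|-))?\s+(?P<dead>\d\d:\d\d:\d\d)"
    r"\s+(?P<addr>[\d.]+)\s+(?P<iface>\S+)\s*$"
)

def parse_neighbors(text):
    """Return {neighbor_id: state} for every neighbor row; header lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            found[m["nid"]] = m["state"]
    return found

def diagnose(local, remote, local_mtu, remote_mtu):
    """Explain what the states seen from both ends of one tunnel imply (RFC 2328)."""
    findings = []
    local_states, remote_states = set(local.values()), set(remote.values())
    if "Init" in local_states and not remote:
        # Init: we saw the neighbor's Hello but our Router ID was not listed in it,
        # so the remote side is not receiving (or is discarding) our Hellos.
        findings.append("one-way Hello: remote never lists us, local Hellos not arriving")
    if local_mtu != remote_mtu:
        # OSPF compares MTU only in Database Description packets (ExStart/Exchange),
        # so a mismatch cannot explain a neighbor that is stuck at Init.
        findings.append(f"MTU mismatch {local_mtu} vs {remote_mtu}: stalls ExStart, not Init")
    if "Full" in local_states and "Full" in remote_states:
        findings.append("adjacency is Full on both ends")
    return findings
```

Run on the post's two tables, `diagnose(...)` reports the one-way Hello first and notes that the MTU difference would only matter once the neighbors reached ExStart.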
