FortiGate
ppatel
Staff
Article Id 196029
Description


- When the next hop of a redistributed route (connected, static, or dynamic) does not belong to the NSSA, the router cannot place that next hop in the Type-7 LSA forwarding address. Instead it fills the field with the address of one of its own active OSPF interfaces in the NSSA. "Active" here means the interface is operationally up; it does not mean an OSPF adjacency is actually established on it, and that distinction is what causes the problem described below.
- In the topology described here, FGT-A and FGT-B are both in OSPF NSSA area 0.0.0.21.

- VLAN100 is carried across SWITCH-1 and SWITCH-2 so that FGT-A (10.10.10.1) and FGT-B (10.10.10.2) can form an OSPF NSSA adjacency in area 0.0.0.21 over it. No cost is configured on this OSPF interface (the default), so it is the lower-cost, preferred path.

- An IPsec VPN tunnel between the two FortiGates also forms an OSPF NSSA adjacency in area 0.0.0.21, but its OSPF interface is configured with a cost of 1000 so that it serves only as the backup path.

- FGT-A redistributes the external route 192.168.10.0/24 (a static route whose gateway 10.30.30.2 sits on port1, outside the NSSA) to FGT-B as a Type-7 LSA with 'NSSA: Forward Address' set to 10.10.10.1, its own VLAN100 address.

- When the physical link between SWITCH-1 and SWITCH-2 goes down, the VLAN100 interface stays operationally UP on both FGT-A and FGT-B, because the FGT-A to SWITCH-1 and FGT-B to SWITCH-2 links are still up. Neither FortiGate sees a link-down event.

- The OSPF adjacency over VLAN100 drops once hellos time out, since 10.10.10.1 can no longer reach 10.10.10.2 across the VLAN.

- However, FGT-A keeps redistributing 192.168.10.0/24 to FGT-B over the backup IPsec adjacency with 'NSSA: Forward Address' still set to 10.10.10.1 rather than the IPsec interface address 10.20.20.1. This happens because VLAN100 is still operationally UP on FGT-A and therefore still counts as an active interface in the area.

- FGT-B resolves the forwarding address 10.10.10.1 against its routing table, finds it inside its own connected subnet 10.10.10.0/30 on VLAN100 (which is still up), and forwards traffic for 192.168.10.0/24 out VLAN100, where it is black-holed. The connected route never disappears, so the route learned over IPsec is never used.

Solution
- To avoid this, configure a loopback interface on both FGT-A and FGT-B and place its address in OSPF NSSA area 0.0.0.21.

- With loopback 172.16.1.1/32 on FGT-A and 172.16.2.2/32 on FGT-B, and both prefixes added to area 0.0.0.21 under "config network", FGT-A redistributes the external route 192.168.10.0/24 to FGT-B with the NSSA forward address set to its loopback 172.16.1.1 (see https://tools.ietf.org/html/rfc3101#section-12.4.4.1).

- FGT-A's loopback 172.16.1.1/32 is advertised in its router-LSA, so FGT-B learns it through whichever adjacency is currently up. When VLAN100 is broken, that is the IPsec adjacency, and FGT-B forwards traffic for 192.168.10.0/24 out the IPsec interface instead of VLAN100, so nothing is black-holed. Unlike a VLAN or physical interface, a loopback never goes down and is not on a shared segment that can fail silently, so the forwarding address is always resolved through a live OSPF path.
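The following Python model is an added example, not code from the article or from Fortinet. It reproduces the two steps above: how the NSSA ASBR (FGT-A) picks a Type-7 forwarding address from its operationally-up interfaces when the next hop is outside the area, and how FGT-B resolves that address with a longest-prefix match on a RIB in which the connected VLAN100 route survives the inter-switch failure. Addresses and interface names come from the article; the port1 address 10.30.30.1/30, the simplified RIB contents, and the assumption that a loopback in the area is preferred as forwarding address once present are assumptions made for the example.

```python
"""Added example (not Fortinet code): model of the NSSA forwarding-address
black hole and of the loopback fix described in the article."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Interface:
    name: str
    address: str        # e.g. "10.10.10.1/30"
    oper_up: bool       # operational state, NOT whether an OSPF adjacency is up
    in_nssa: bool       # covered by 'config network' for area 0.0.0.21
    loopback: bool = False


@dataclass
class Route:
    prefix: str
    interface: str
    protocol: str       # "connected" or "ospf"


def pick_forwarding_address(ifaces, next_hop):
    """Forwarding address the ASBR writes into the Type-7 LSA.

    If the next hop lies on the subnet of an NSSA interface, the next hop itself
    is used. Otherwise (the article's case: gateway 10.30.30.2 is on port1,
    outside the area) the router uses one of its own operationally-up interface
    addresses in the area. A loopback in the area is preferred when present
    (assumption matching the behaviour the article reports)."""
    nh = ipaddress.ip_address(next_hop)
    active = [i for i in ifaces if i.oper_up and i.in_nssa]
    for i in active:
        if nh in ipaddress.ip_interface(i.address).network:
            return str(nh)
    loops = [i for i in active if i.loopback]
    chosen = (loops or active)[0]
    return str(ipaddress.ip_interface(chosen.address).ip)


def resolve(rib, addr):
    """Longest-prefix match, as FGT-B does to turn the forwarding address into
    an egress interface for the Type-7 route."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for r in rib:
        net = ipaddress.ip_network(r.prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def fgt_a_interfaces(with_loopback):
    """FGT-A's interfaces after the inter-switch link fails: VLAN100 is still
    oper up because FGT-A's own link to SWITCH-1 is fine."""
    ifaces = [
        Interface("VLAN100", "10.10.10.1/30", oper_up=True, in_nssa=True),
        Interface("IPSEC-VPN", "10.20.20.1/32", oper_up=True, in_nssa=True),
        Interface("port1", "10.30.30.1/30", oper_up=True, in_nssa=False),  # assumed address
    ]
    if with_loopback:
        ifaces.append(Interface("Loopback0", "172.16.1.1/32", True, True, loopback=True))
    return ifaces


def fgt_b_rib(with_loopback, switch_link_up):
    """FGT-B's RIB (simplified). The VLAN100 connected route never goes away.
    FGT-A's loopback, when advertised, is learned over whichever adjacency is
    up (VLAN100 while both are up, since it is cheaper)."""
    rib = [
        Route("10.10.10.0/30", "VLAN100", "connected"),
        Route("10.20.20.0/30", "IPSEC-VPN", "connected"),
    ]
    if with_loopback:
        rib.append(Route("172.16.1.1/32",
                         "VLAN100" if switch_link_up else "IPSEC-VPN", "ospf"))
    return rib


def egress_for_external_route(with_loopback, switch_link_up, next_hop="10.30.30.2"):
    """Return (forwarding address, FGT-B egress interface, black-holed?) for the
    Type-7 route 192.168.10.0/24 in the given scenario."""
    fwd = pick_forwarding_address(fgt_a_interfaces(with_loopback), next_hop)
    route = resolve(fgt_b_rib(with_loopback, switch_link_up), fwd)
    egress = route.interface
    # Frames sent onto VLAN100 while the inter-switch link is down never reach FGT-A.
    blackholed = egress == "VLAN100" and not switch_link_up
    return fwd, egress, blackholed


if __name__ == "__main__":
    for loop in (False, True):
        for up in (True, False):
            print(f"loopback={loop!s:5} switch_link_up={up!s:5} ->",
                  egress_for_external_route(loop, up))
```

Running the block prints the four combinations; the only black-holed case is "no loopback, inter-switch link down", where the forwarding address 10.10.10.1 resolves to the still-connected VLAN100. With the loopback, the forwarding address 172.16.1.1 resolves to whichever adjacency carries the /32, so it follows the surviving IPsec path.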

FGT-A configuration:
# config system interface
    edit "VLAN100"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.252
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 6
        set interface "lan1"
        set vlanid 100
    next
    edit "IPSEC-VPN"
        set vdom "root"
        set ip 10.20.20.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.20.20.2 255.255.255.252
        set snmp-index 7
        set interface "wan"
    next
    edit "Loopback0"
        set vdom "root"
        set ip 172.16.1.1 255.255.255.255
        set allowaccess ping
        set type loopback
        set snmp-index 8
    next
end

# config router ospf
    set router-id 10.10.10.1
    # config area
        edit 0.0.0.21
            set type nssa
        next
    end
    # config ospf-interface
        edit "VLAN100"
            set interface "VLAN100"
        next
        edit "IPSEC-VPN"
            set interface "IPSEC-VPN"
            set cost 1000
        next
    end
    # config network
        edit 1
            set prefix 10.10.10.0 255.255.255.252
            set area 0.0.0.21
        next
        edit 2
            set prefix 10.20.20.0 255.255.255.252
            set area 0.0.0.21
        next
        edit 3
            set prefix 172.16.1.1 255.255.255.255
            set area 0.0.0.21
        next       
    end
    # config redistribute "connected"
    end
    # config redistribute "static"
        set status enable
    end
    # config redistribute "rip"
    end
    # config redistribute "bgp"
    end
    # config redistribute "isis"
    end
end

# config router static
    edit 1
        set dst 192.168.10.0 255.255.255.0
        set device "port1"
        set gateway 10.30.30.2
    next
end
FGT-B configuration:

# config system interface
    edit "VLAN100"
        set vdom "root"
        set ip 10.10.10.2 255.255.255.252
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 6
        set interface "lan1"
        set vlanid 100
    next
    edit "IPSEC-VPN"
        set vdom "root"
        set ip 10.20.20.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.20.20.1 255.255.255.252
        set snmp-index 7
        set interface "wan"
    next
    edit "Loopback0"
        set vdom "root"
        set ip 172.16.2.2 255.255.255.255
        set allowaccess ping
        set type loopback
        set snmp-index 8
    next
end

# config router ospf
    set router-id 10.10.10.2
    # config area
        edit 0.0.0.21
            set type nssa
        next
    end
    # config ospf-interface
        edit "VLAN100"
            set interface "VLAN100"
        next
        edit "IPSEC-VPN"
            set interface "IPSEC-VPN"
            set cost 1000
        next
    end
    # config network
        edit 1
            set prefix 10.10.10.0 255.255.255.252
            set area 0.0.0.21
        next
        edit 2
            set prefix 10.20.20.0 255.255.255.252
            set area 0.0.0.21
        next
        edit 3
            set prefix 172.16.2.2 255.255.255.255
            set area 0.0.0.21
        next       
    end
    # config redistribute "connected"
    end
    # config redistribute "static"
        set status enable
    end
    # config redistribute "rip"
    end
    # config redistribute "bgp"
    end
    # config redistribute "isis"
    end
end
To verify the forwarding address FGT-A is advertising, look at the Type-7 (NSSA-external) LSA for the prefix on either FortiGate; after the change the 'NSSA: Forward Address' field should show 172.16.1.1 rather than 10.10.10.1:
# get router info ospf database nssa-external lsa <PREFIX>
The adjacency state (get router info ospf neighbor) and the path FGT-B uses for 172.16.1.1/32 (get router info routing-table ospf) confirm that the forwarding address is resolved over the IPsec link while VLAN100 is broken.
