Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gbamania
Staff
Staff

Created on ‎04-17-2023 11:05 PM Edited on ‎04-18-2023 09:36 AM By Moderator

Article Id 252855

Technical Tip: How to troubleshoot OSPF neighborship in various states

Description This article describes how to troubleshoot OSPF neighborship between firewalls/routers.
Scope FortiGate.
Solution

Topology:

 

gbamania_2-1681795249253.png

 

10.10.10.1 --> Router id: 1.1.1.1

10.10.10.2 --> Router id: 2.2.2.2

 

1) Init to 2-way state:

- In the 'Init' state, the firewall has sent the OSPF 'hello' packet but has not received the 'hello' packet from the neighbor firewall.

- The firewall stays in this state until it receives its router-id information in a 'hello' packet sent by the neighbor firewall or router.

 

gbamania_3-1681795249255.png

 

 

- In the snippet above, when the neighboring firewall/router receives the OSPF hello from 10.10.10.1, it enters the init state. It will stay in the init state until it receives the following type of hello packet from 10.10.10.1:

 

gbamania_4-1681795249256.png

 

- In the above snippet, an active neighbor router-id is added and sent over a multicast address.

- Once its neighbor 2.2.2.2 receives this hello packet, it will change the state from 'init' to a 2-way state.

- To add the active neighbor in the 'hello' packet, the following parameters are checked:

- Same Area.

- Same Layer3 broadcast network.

- Subnet mask.

- Hello and dead time intervals.

- Authentication.

- Matching stub flags.

 

2) 2-way to ExStart/Exhange/ Loading state:

The 2-way state is a bi-directional communication between routers.

 

- Once DR and BDR are elected, both routers consider them as 'Master' and set the flag to 'Y'. MTU values are also exchanged between them at this stage. Keep a note of the MTU.

 

gbamania_5-1681795249256.png

 

gbamania_6-1681795249257.png

 

- Once the master/slave relationship is established, DBD (Database Descriptor) packets were exchanged.

- MTU needs to be matched, otherwise, the neighbor-ship stuck in the Exstart state.

 

Note:

Sometimes, MTU does match on both sides but still, the neighbor-ship is stuck in the Exstart state because DBD/LSU packets are getting expired and they are unable to reach the other side.

This could be caused by an L2 switch or L2-WAN device (MPLS) which is placed between OSPF routers and does not forward packets at this MTU.

 

FortiGate can only send and received 5 Database Descriptors (DD) packets at a given point of time in a queue for all interfaces trying to form neighbor-ship. If multiple OSPF interfaces are negotiating at the same time, it will take some time to form the neighbor-ship between routers.

 

Note:

If OSPF interfaces are stuck in ExStart/Exchange state for some reason and the OSPF process queue is 5/5, then other OSPF interfaces will not be able to form neighbor-ship to 'Full' as well.

 

 

gbamania_7-1681795249259.png

 

 

Some user commands:

 

# diag sniffer packet any “proto 89” 6 0 l

# diag sniffer packet any “ host 224.0.0.5” 6 0 l

# get router info ospf neighbor

# get router info ospf interface

 
3917
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.