pkavin
Staff
Article Id 216048
Description

This article describes a scenario in which external routes with the same cost (ECMP) via different ASBRs are not all installed in the routing table or the OSPF database.

Scope

FortiGate.

Solution

By default, FortiGate has RFC1583 compatibility disabled. It is therefore expected that FortiGate installs only one external route in the routing table, even when the costs are equal.

The tie-breaker in this case is the OSPF area ID: the external route learned through the area with the largest OSPF area ID is selected.

- RFC1583 compatibility configuration:


# config router ospf

set rfc1583-compatible enable

end

 

Note: the change above forces all OSPF adjacencies to restart, so it is highly recommended to make it during a maintenance window.

 

Troubleshooting steps:

- Check the RFC1583 compatibility status:

# config router ospf

# get

 

- Check the external LSAs: the external routes can be seen in the OSPF external LSA database. The routes should have the same metric from their advertising routers, and the forwarding address should be 0.0.0.0 in this case.

 

# get router info ospf database external lsa X.X.X.X   <-- X.X.X.X is the external route

 

- If the routes in the external LSAs are valid and have the same cost, both routes are installed in the routing table once rfc1583-compatible is enabled.
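The three checks above can be automated against saved CLI output. The following Python script is an added example, not part of this article or of FortiOS: it parses constructed samples modelled on the 'get router info ospf database external lsa' and 'get router info routing-table details' output shown in this article and flags the pattern (several ASBRs, equal metric, forwarding address 0.0.0.0, but fewer installed paths than ASBRs) that points at rfc1583-compatible being disabled.

```python
import re
# Constructed sample output modelled on the CLI transcripts in this article (not a live capture).
LSA_OUTPUT = """LS Type: AS-external-LSA
Link State ID: 172.16.1.1 (External Network Number)
Advertising Router: 2.2.2.2
Network Mask: /32
        Metric: 20
        Forward Address: 0.0.0.0

LS Type: AS-external-LSA
Link State ID: 172.16.1.1 (External Network Number)
Advertising Router: 3.3.3.3
Network Mask: /32
        Metric: 20
        Forward Address: 0.0.0.0
"""
RIB_ONE_PATH = """Routing table for VRF=0
O E2    172.16.1.1/32 [110/20] via 192.168.33.1, port3, 00:00:44
C       192.168.33.0/24 is directly connected, port3
"""

def parse_external_lsas(text):
    """One dict per AS-external LSA: prefix, advertising router (ASBR), metric, forwarding address."""
    lsas = []
    for block in re.split(r"\n\s*\n", text):  # LSAs are separated by a blank line
        f = dict(re.findall(r"^\s*([A-Za-z ]+?):\s*(\S+)", block, re.M))
        if f.get("LS Type") == "AS-external-LSA":
            lsas.append({"prefix": f["Link State ID"] + f["Network Mask"], "asbr": f["Advertising Router"],
                         "metric": int(f["Metric"]), "fwd": f["Forward Address"]})
    return lsas

def count_rib_paths(text, prefix):
    """Count next-hops installed for prefix; extra ECMP next-hops are indented continuation lines."""
    paths, current = 0, None
    for line in text.splitlines():
        m = re.match(r"^\S.*?(\d+\.\d+\.\d+\.\d+/\d+)", line)  # a new route entry starts in column 1
        current = m.group(1) if m else current
        if current == prefix and " via " in line:
            paths += 1
    return paths

def check_ecmp(lsa_text, rib_text, prefix):
    """The article's checks: >1 ASBR, equal metric, forward address 0.0.0.0, yet fewer RIB paths than ASBRs."""
    lsas = [e for e in parse_external_lsas(lsa_text) if e["prefix"] == prefix]
    asbrs = sorted({e["asbr"] for e in lsas})
    equal_cost = len({e["metric"] for e in lsas}) == 1
    fwd_zero = all(e["fwd"] == "0.0.0.0" for e in lsas)
    installed = count_rib_paths(rib_text, prefix)
    return {"asbrs": asbrs, "equal_cost": equal_cost, "fwd_zero": fwd_zero, "installed": installed,
            "suspect_rfc1583_disabled": len(asbrs) > 1 and equal_cost and fwd_zero and installed < len(asbrs)}
```

Run check_ecmp(LSA_OUTPUT, RIB_ONE_PATH, "172.16.1.1/32") to reproduce the article's default-behaviour case; feeding it the two-path routing table shown later in the article clears the flag.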

 

As shown in the topology below, FortiGate has two OSPF adjacencies, one with R1 and one with R2.

The OSPF area between FortiGate and R1 is area 2 and the area between FortiGate and R2 is area 3; both are normal OSPF areas.

The areas could also be special areas such as stub or NSSA.

Both R1 and R2 are ASBRs: they redistribute the subnet 172.16.1.1/32 into OSPF from another administrative domain.

 

[Topology diagram: FortiGate with OSPF adjacencies to R1 in area 2 and to R2 in area 3; both R1 and R2 are ASBRs redistributing 172.16.1.1/32]

 

- Expected behavior with RFC1583 compatibility disabled (the default):

 

FortiGate-VM64-KVM # config router ospf

FortiGate-VM64-KVM (ospf) # get

rfc1583-compatible  : disable

!

FortiGate-VM64-KVM # get router info ospf neighbor

OSPF process 0, VRF 0:

Neighbor ID     Pri   State           Dead Time   Address         Interface

2.2.2.2           1   Full/ -         00:00:34    192.168.22.1    port2

3.3.3.3           1   Full/ -         00:00:36    192.168.33.1    port3

!

FortiGate-VM64-KVM # get router info routing-table details

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

       O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default

 

Routing table for VRF=0

O E2    172.16.1.1/32 [110/20] via 192.168.33.1, port3, 00:00:44 ---> only one route in the routing table, via area 3

C       192.168.10.0/24 is directly connected, port1

C       192.168.22.0/24 is directly connected, port2

C       192.168.33.0/24 is directly connected, port3

!

FortiGate-VM64-KVM # get router info ospf database external lsa 172.16.1.1

 

AS External Link States ---> OSPF database learnt the route 172.16.1.1 via the two adjacencies.

 

LS age: 1732

Options: 0x20 (*|-|DC|-|-|-|-|-)

LS Type: AS-external-LSA

Link State ID: 172.16.1.1 (External Network Number)

Advertising Router: 2.2.2.2

LS Seq Number: 80000001

Checksum: 0x11c8

Length: 36

Network Mask: /32

        Metric Type: 2 (Larger than any link state path)

        TOS: 0

        Metric: 20

        Forward Address: 0.0.0.0

        External Route Tag: 0


LS age: 1759

Options: 0x20 (*|-|DC|-|-|-|-|-)

LS Type: AS-external-LSA

Link State ID: 172.16.1.1 (External Network Number)

Advertising Router: 3.3.3.3

LS Seq Number: 80000001

Checksum: 0xf2e2

Length: 36

Network Mask: /32

        Metric Type: 2 (Larger than any link state path)

        TOS: 0

        Metric: 20

        Forward Address: 0.0.0.0

        External Route Tag: 0

 

- Expected behavior with RFC1583 compatibility enabled:

 

FortiGate-VM64-KVM # config router ospf

FortiGate-VM64-KVM (ospf) # set rfc1583-compatible enable

!

FortiGate-VM64-KVM # get router info routing-table details

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

       O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default

 

Routing table for VRF=0

O E2    172.16.1.1/32 [110/20] via 192.168.22.1, port2, 00:00:01 <----- Once enabled, both routes are installed in the routing table.

                                       [110/20] via 192.168.33.1, port3, 00:00:01

C       192.168.10.0/24 is directly connected, port1

C       192.168.22.0/24 is directly connected, port2

C       192.168.33.0/24 is directly connected, port3

 

Reference:

https://datatracker.ietf.org/doc/html/rfc2328#section-16.4.1
