ppatel
Staff & Editor
Article Id 204002
Description

This article explains how to troubleshoot and resolve an OSPF neighbor problem where the neighbor is stuck in the INIT state.

Scope

FortiGate v6.2, v6.4, v7.0, v7.2, v7.4 and v7.6.

Solution

Topology: OSPF_Switch.png

OSPF runs directly over IP as protocol 89 and uses the multicast group 224.0.0.5 (AllSPFRouters) to send HELLO packets and to flood routing information such as link-state advertisements (LSAs) to its neighbors. On broadcast segments the DR and BDR additionally listen on 224.0.0.6. If these multicast packets are dropped anywhere between the two routers, the far side never receives the HELLOs. The router that still receives HELLOs sees the neighbor, but its own Router ID is never listed in the neighbor's HELLO, so the adjacency cannot move beyond the INIT state.

 

For clarity, these are the states OSPF routers pass through to form an adjacency:

  • Down State (no HELLO received from the neighbor yet).
  • Attempt State (non-broadcast networks only: unicast HELLOs are being sent to a statically configured neighbor).
  • INIT State (a HELLO was received, but it does not list this router's Router ID).
  • 2-Way State (both routers see each other in the HELLOs).
  • Exstart State.
  • Exchange State.
  • Loading State.
  • Full State (the adjacency is fully operational and the link-state databases are synchronized).

 

Until the neighbors reach the FULL state, no routes are exchanged over that adjacency, so traffic that depends on OSPF-learned routes will not flow.

 

A neighbor stays in the INIT state when a router receives its neighbor's HELLO packets but its own HELLOs do not reach the neighbor, so its Router ID never appears in the neighbor's HELLO. There are several possible reasons for this.

 

Below are some common causes and suggested solutions.

 

 

  1. A firewall between the OSPF neighbors drops the OSPF multicast packets.

 

  • If admin access to the firewall is available, permit IP protocol 89 from the OSPF routers' interface addresses to 224.0.0.5 (and to 224.0.0.6 if the segment elects a DR/BDR). Note that a FortiGate in the forwarding path passes multicast only through a multicast policy (config firewall multicast-policy), not through a regular firewall policy.
  • If there is no control over the network in between, use unicast OSPF: set the interface network type to non-broadcast and configure the neighbor statically on both sides.

See Technical Tip: How to configure OSPF over Non-Broadcast link.

 

  • Check whether OSPF multicast is both sent and received on the interface, or only sent. With one-way HELLOs the neighbor never lists this router and the adjacency stays in INIT. Either fix the drop or switch to unicast OSPF (network type non-broadcast with a manually configured neighbor).

Example of one-way HELLOs (verbose level 4 shows the interface and direction; every packet below is "out" and nothing is ever seen "in"):

 

diagnose sniffer packet any "proto 89" 4 0 l 

 

2.523359 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
12.493354 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
22.013359 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
32.462481 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
42.251139 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
51.970889 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
62.049800 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
72.219987 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
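Reading a long sniffer capture by eye is error-prone, so the following added example (not part of the Fortinet article) parses the output of diagnose sniffer packet at verbose level 4 and reports, per interface, whether OSPF packets flow in both directions and whether the two sides' HELLO intervals look alike. The capture embedded in it is constructed, not taken from a real device: port2 has a healthy two-way exchange and port3 reproduces the one-way case shown above. The "Line N:" prefixes that copy/paste adds are stripped automatically.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample of 'diagnose sniffer packet any "proto 89" 4 0 l' output
# (verbose level 4 prints "<time> <interface> <in|out> <src> -> <dst>: ip-proto-89 <len>").
# Not a real capture: port2 shows a healthy two-way exchange, port3 shows HELLOs
# leaving the FortiGate with nothing ever coming back.
SAMPLE_CAPTURE = """\
2.523359 port2 out 192.168.10.1 -> 224.0.0.5: ip-proto-89 60
5.101212 port2 in 192.168.10.2 -> 224.0.0.5: ip-proto-89 60
12.493354 port2 out 192.168.10.1 -> 224.0.0.5: ip-proto-89 60
15.102001 port2 in 192.168.10.2 -> 224.0.0.5: ip-proto-89 60
22.013359 port2 out 192.168.10.1 -> 224.0.0.5: ip-proto-89 60
25.099877 port2 in 192.168.10.2 -> 224.0.0.5: ip-proto-89 60
2.600000 port3 out 192.168.20.1 -> 224.0.0.5: ip-proto-89 60
12.600000 port3 out 192.168.20.1 -> 224.0.0.5: ip-proto-89 60
22.600000 port3 out 192.168.20.1 -> 224.0.0.5: ip-proto-89 60
32.600000 port3 out 192.168.20.1 -> 224.0.0.5: ip-proto-89 60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):"
    r"\s+ip-proto-89\s+\d+$"
)


def parse_capture(text):
    """Yield (timestamp, interface, direction, src, dst) for each OSPF packet line.

    Non-matching lines (other protocols, the sniffer banner, 'Line N:' prefixes
    left over from copy/paste) are skipped instead of raising.
    """
    for raw in text.splitlines():
        line = re.sub(r"^Line \d+:\s*", "", raw.strip())
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["iface"], m["dir"], m["src"], m["dst"]


def estimate_interval(timestamps):
    """Median gap between consecutive packets; None if there are fewer than two."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return None
    return median(b - a for a, b in zip(ts, ts[1:]))


def classify_capture(text, tolerance=0.25):
    """Per interface: do HELLOs flow both ways, and do both sides' HELLO intervals
    look alike? (Hello interval is a must-match field; a large difference means
    the neighbor would discard our HELLOs even if they arrived.)

    verdict values:
      'two-way'  packets seen in both directions on the interface
      'tx-only'  we transmit but never receive: something between us and the
                 neighbor drops the HELLOs, the case described in the article
      'rx-only'  we receive but never send: OSPF is not active on this
                 interface here (wrong network statement, or passive interface)
    """
    per_iface = defaultdict(lambda: {"in": [], "out": [], "peers": set()})
    for ts, iface, direction, src, _dst in parse_capture(text):
        per_iface[iface][direction].append(ts)
        if direction == "in":
            per_iface[iface]["peers"].add(src)

    report = {}
    for iface, rec in per_iface.items():
        if rec["in"] and rec["out"]:
            verdict = "two-way"
        elif rec["out"]:
            verdict = "tx-only"
        else:
            verdict = "rx-only"
        rx, tx = estimate_interval(rec["in"]), estimate_interval(rec["out"])
        mismatch = rx is not None and tx is not None and abs(rx - tx) > tolerance * max(rx, tx)
        report[iface] = {
            "verdict": verdict,
            "hello_in_interval": rx,
            "hello_out_interval": tx,
            "interval_mismatch": mismatch,
            "peers_seen": sorted(rec["peers"]),
        }
    return report


if __name__ == "__main__":
    for iface, info in sorted(classify_capture(SAMPLE_CAPTURE).items()):
        print(iface, info)
```

Paste the real capture into SAMPLE_CAPTURE (or read it from a file) and run the script; a "tx-only" interface is the one to investigate with the causes listed below, and an "interval_mismatch" flag on a "two-way" interface points at a Hello timer mismatch rather than a drop.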

 

 

  2. One side of the OSPF neighbors uses authentication while the other does not, or both use it with a different type or key.

To resolve this, configure the same authentication type and key on both sides, or remove authentication from the side that has it configured.

See Technical Tip: How to configure OSPF MD5 authentication and Technical Tip: Configuring and Verifying OSPF HMAC-SHA Authentication on FortiOS.

 

  3. HELLOs are dropped at Layer 2.

Troubleshoot the switched network, especially if the adjacency was working before: find out what changed. Faulty hardware (cables, optics, switch ports) can also cause this. Compare Tx and Rx HELLO counters on both ends; if HELLOs are being dropped, fix the drops.

 

  4. The switched network in between no longer has multicast capability.

Enabling some switch features (for example multicast storm control, or IGMP snooping settings that stop the link-local 224.0.0.0/24 groups from being flooded) can cause the switch to stop delivering OSPF multicast. The details are beyond this article's scope.

 

  5. MTU mismatch between the neighbors.

Check the MTU on both interfaces. Note that the MTU is carried in Database Description packets, not in HELLOs, so a mismatch normally shows as a neighbor stuck in ExStart/Exchange rather than INIT; it is still worth verifying while troubleshooting. If there is a mismatch, either set the OSPF interface to ignore MTU (set mtu-ignore enable under config router ospf, config ospf-interface) or, preferably, adjust the MTU to the same size on both sides.
Reference: Technical Tip: How is MTU mismatch identified in OSPF.

 

The HELLO packet carries the following details. Area ID, Hello/Dead intervals, authentication type and key, and (on broadcast and non-broadcast networks) the network mask must match on both sides, otherwise the receiving router discards the HELLO; the Router ID must be unique on each router:

  • Area ID.
  • Router ID.
  • Hello/Dead interval.
  • Authentication.
  • Network/subnet mask.
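To make the INIT versus 2-Way logic concrete, the following added example (not code from the article or from FortiOS) builds and parses OSPFv2 Hello packets as defined in RFC 2328 (24-byte header plus Hello body), checks the must-match fields listed above the way a receiving router does, and then reports what that router can conclude from a single received Hello: the packet is dropped (neighbor stays Down), the neighbor is heard but has not listed us (INIT), or both sides hear each other (2-Way). All Router IDs and addresses are constructed. Authentication data is left zero; only the AuType mismatch is modelled.

```python
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
OPT_E = 0x02  # Options E-bit: clear on both sides of a stub-area link
HDR = "!BBH4s4sHH8s"   # version, type, length, router ID, area ID, checksum, AuType, auth
HELLO = "!4sHBBI4s4s"  # mask, hello interval, options, priority, dead interval, DR, BDR


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def ospf_checksum(pkt):
    """RFC 2328 D.4.1 one's-complement checksum over the packet with the 64-bit
    authentication field excluded. Returns 0 for a packet whose checksum is correct."""
    data = pkt[:16] + b"\x00" * 8 + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, mask, hello, dead, neighbors, options=OPT_E, autype=0):
    """Serialize a Hello the way a router would send it (auth data left zero)."""
    body = struct.pack(HELLO, ipaddress.IPv4Address(mask).packed, hello, options, 1,
                       dead, b"\x00" * 4, b"\x00" * 4)
    body += b"".join(ipaddress.IPv4Address(n).packed for n in neighbors)
    header = struct.pack(HDR, OSPF_VERSION, OSPF_HELLO, 24 + len(body),
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed, 0, autype, b"\x00" * 8)
    pkt = header + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt):
    """Decode the header and Hello fields the article lists, plus the neighbor list."""
    ver, ptype, length, rid, aid, _csum, autype, _auth = struct.unpack(HDR, pkt[:24])
    if ver != OSPF_VERSION or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    if ospf_checksum(pkt[:length]) != 0:
        raise ValueError("bad OSPF checksum")
    mask, hello, options, prio, dead, dr, bdr = struct.unpack(HELLO, pkt[24:44])
    neighbors = [_ip(pkt[i:i + 4]) for i in range(44, length, 4)]
    return {"router_id": _ip(rid), "area_id": _ip(aid), "autype": autype, "mask": _ip(mask),
            "hello_interval": hello, "dead_interval": dead, "options": options,
            "priority": prio, "dr": _ip(dr), "bdr": _ip(bdr), "neighbors": neighbors}


def is_valid_hello(pkt):
    try:
        parse_hello(pkt)
        return True
    except (ValueError, struct.error):
        return False


def hello_mismatches(mine, theirs, network_type="broadcast"):
    """Fields RFC 2328 (sections 8.2 and 10.5) requires to agree before a received
    Hello is accepted. Any entry here means the packet is silently dropped and the
    sender never shows up as a neighbor at all."""
    checks = [
        ("area_id", mine["area_id"] != theirs["area_id"]),
        ("authentication", mine["autype"] != theirs["autype"]),
        # the mask is only compared on broadcast/NBMA links, not point-to-point
        ("network_mask", network_type in ("broadcast", "non-broadcast")
                         and mine["mask"] != theirs["mask"]),
        ("hello_interval", mine["hello_interval"] != theirs["hello_interval"]),
        ("dead_interval", mine["dead_interval"] != theirs["dead_interval"]),
        ("stub_flag(E-bit)", bool((mine["options"] ^ theirs["options"]) & OPT_E)),
    ]
    return [name for name, bad in checks if bad]


def evaluate(my_hello, received, network_type="broadcast"):
    """What a router can conclude about the sender from one received Hello.

    INIT means we hear the neighbor but it has not listed our Router ID, so our
    own Hellos are not reaching it. 2-Way means both directions work."""
    problems = hello_mismatches(my_hello, received, network_type)
    if problems:
        return "Down", problems
    if my_hello["router_id"] in received["neighbors"]:
        return "2-Way", []
    return "INIT", []


if __name__ == "__main__":
    # Constructed pair: R2 already hears R1 and lists it, R1 has not yet heard R2.
    r1 = parse_hello(build_hello("10.0.0.1", "0.0.0.0", "255.255.255.252", 10, 40, []))
    r2 = parse_hello(build_hello("10.0.0.2", "0.0.0.0", "255.255.255.252", 10, 40, ["10.0.0.1"]))
    print("R1 sees R2 as:", evaluate(r1, r2))   # 2-Way: R2 lists 10.0.0.1
    print("R2 sees R1 as:", evaluate(r2, r1))   # INIT: R1 lists nobody yet
```

The asymmetry in the last two lines is exactly what the article describes: the side whose HELLOs are being dropped is the one the neighbor never lists, so the neighbor stays in INIT while the first side may not see a neighbor at all. The same parser can be pointed at a hex dump from the sniffer's verbose level 6 output to confirm which field differs when the debug output only says the packet was discarded.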

The following commands assist with troubleshooting an OSPF stuck in an INIT state:

Note: Run these on both neighbors and compare the output.

 

get router info ospf interface

 

Example:

 

get router info ospf interface

portX is up, line protocol is up

  Internet Address 192.168.X.Y/30, Area 0.0.0.0, MTU 1500

  Process ID 0, VRF 0, Router ID 192.168.X.Y, Network Type POINTOPOINT, Cost: 1

  Transmit Delay is 1 sec, State Point-To-Point

  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5

    Hello due in 00:00:08

  Neighbor Count is 0, Adjacent neighbor count is 0

  Crypt Sequence Number is 7900942

  Hello received 14467 sent 75124, DD received 780 sent 906    <----- Far fewer HELLOs received than sent: the neighbor's HELLOs are being dropped.

  LS-Req received 78 sent 261, LS-Upd received 27423 sent 376

  LS-Ack received 298 sent 24409, Discarded 0

  Cryptographic authentication enabled          <----- Authentication is configured.

  Sending SA: Key 1

 

diagnose sniffer packet any 'host 224.0.0.5' 4

 

Or:

 

diagnose sniffer packet any "proto 89" 4 0 a

 

Run the following debug commands on both neighbors and look in the output for the reason the received HELLO is rejected (for example an authentication, area or timer mismatch). Let the debug run for at least one dead interval before disabling it.

 

diagnose debug reset

diagnose ip router ospf all enable

diagnose ip router ospf level info
diagnose debug enable

 

diagnose debug disable <----- Disable the debug when finished.

 

Related documents: