FortiGate
darisandy
Staff
Article Id 421741
Description This article describes how to troubleshoot an OSPF neighborship that fails to come up between a FortiGate and a Palo Alto device when MD5 authentication is enabled.
Scope FortiGate.
Solution

OSPF MD5 authentication is configured per interface: the key ID and key string are set under the interface entry in 'config ospf-interface', and the peer on that link must be configured with the same key ID and the same key string.

Example:

config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "port2"
            set interface "port2"
            set authentication message-digest
            config md5-keys
                edit 10
                    set key-string ENC BIAIIIJ2Pk2jJOAkV2jq8pYm95IG1bRkQkzOgrcg610xR8v2f8WUPP3o1zyF3prKfuWLyly0EJmmTONw7Qb0iHnaFiCPXtixgWnOMiNVj1qlXb22JN/lm5FSk8PJrmU7DGQFOONZc69DY8Tvn5Kd2p2LN2osEvSTU3QD+znj6osrvI3IZFv0AycIE6woyVoBUO9UpVlmMjY3dkVA
                next
            end
        next
        edit "port3"
            set interface "port3"
        next
    end
    config network
        edit 1
            set prefix 10.171.0.0 255.255.240.0    --> port2 subnet.
        next
        edit 2
            set prefix 10.121.0.0 255.255.240.0    --> port3 subnet.
        next
    end
end

The remote OSPF router on the port2 subnet must be configured with the same MD5 key, using key ID 10 to match what the FortiGate sends. Note that the 'ENC ...' value shown in the configuration output is the FortiGate's encrypted storage form of the key-string, not the key itself; the peer must be given the plaintext key string that was entered on the FortiGate.

The problem occurred with the Palo Alto device (connected on the port3 subnet) when MD5 authentication was enabled at the AREA level but no MD5 key was configured on interface port3:

config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
            set authentication message-digest    <---
        next
    end
    config ospf-interface
        edit "port2"
            set interface "port2"
            set authentication message-digest
            config md5-keys
                edit 10
                    set key-string ENC BIAIIIJ2Pk2jJOAkV2jq8pYm95IG1bRkQkzOgrcg610xR8v2f8WUPP3o1zyF3prKfuWLyly0EJmmTONw7Qb0iHnaFiCPXtixgWnOMiNVj1qlXb22JN/lm5FSk8PJrmU7DGQFOONZc69DY8Tvn5Kd2p2LN2osEvSTU3QD+znj6osrvI3IZFv0AycIE6woyVoBUO9UpVlmMjY3dkVA
                next
            end
        next
        edit "port3"
            set interface "port3"
        next
    end
    config network
        edit 1
            set prefix 10.171.0.0 255.255.240.0    --> port2 subnet.
        next
        edit 2
            set prefix 10.121.0.0 255.255.240.0    --> port3 subnet.
        next
    end
end

With this configuration the FortiGate sends its Hello packets on port2 with MD5 key ID 10, as configured. On port3, where only the area-level setting applies and no md5-keys entry exists, the Hello packets are still MD5-authenticated but carry key ID 0.

Packet capture snippet:

Port2:

OSPF01.png

Port3:

OSPF02.png

Key ID 0 does not correspond to any key configured on the Palo Alto side, and the Palo Alto device does not appear to process Hello packets carrying key ID 0. As a result the OSPF neighborship on port3 is NOT established.

Workaround:

  1. Disable the area-level authentication (remove the 'set authentication message-digest' line from the area configuration), so that port3 sends Hello packets with 'Auth Type Null', that is, no authentication. The Palo Alto interface on that link must likewise be set to no authentication, since the authentication type has to match on both ends. Note that this leaves the port3 adjacency unauthenticated, so it should only be a temporary measure.

OSPF03.png

  2. Configure MD5 authentication and an md5-keys entry directly on port3, exactly as shown for port2 above, and configure the Palo Alto device with the same key ID and key string. This is the proper fix: the Hello packets on port3 then carry the configured key ID instead of key ID 0, and authentication stays in place on both links.
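
To make the failure mode concrete, the following is an added example, not code from this article and not FortiOS or PAN-OS code: a small Python model of OSPFv2 cryptographic authentication as specified in RFC 2328 Appendix D. It builds Hello packets the way the FortiGate does on port2 (key ID 10) and on port3 (key ID 0), then runs the receiver-side check a peer performs: look up the key by the Key ID carried in the packet, recompute the MD5 digest over the packet plus the key, and compare. The key string KEY10, the router and area IDs, the Hello timers and the empty key assumed for the key ID 0 packet are all constructed placeholders; the article does not state what key the FortiGate uses when only the area-level setting is present.

```python
"""Model of OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D.
Added illustration, not code from the Fortinet article, FortiOS or PAN-OS;
all keys, addresses and timers are constructed placeholders."""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_NULL = 0            # AuType 0: no authentication
AUTH_CRYPTO = 2          # AuType 2: cryptographic (MD5) authentication
MD5_KEY_LEN = 16
HEADER_LEN = 24
HDR_FMT = "!BBH4s4sHH8s"  # version, type, length, router ID, area ID, checksum, AuType, auth
AUTH_FMT = "!HBBI"        # reserved, Key ID, Auth Data Length, cryptographic sequence number
KEY10 = b"fgt-pan-key10"  # constructed shared key for Key ID 10 (the article's ENC blob is not a key)

def ip4(addr):
    """Dotted-quad string -> 4 network-order bytes."""
    return ipaddress.IPv4Address(addr).packed

def ospf_checksum(data):
    """One's-complement checksum, used only when AuType is not Cryptographic."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_input(packet):
    """Checksum covers the packet with the checksum field zeroed and the auth field skipped."""
    return packet[:12] + b"\x00\x00" + packet[14:16] + packet[24:]

def md5_digest(packet, key):
    """Appendix D.4.3: MD5 over the OSPF packet followed by the zero-padded 16-byte key."""
    return hashlib.md5(packet + key[:MD5_KEY_LEN].ljust(MD5_KEY_LEN, b"\x00")).digest()

def build_hello(router_id, area_id, auth_type, key_id=0, key=b"", seq=1):
    """Build a Hello; with AUTH_CRYPTO the digest trails the packet, outside the length field."""
    # Hello body: network mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", ip4("255.255.240.0"), 10, 0x02, 1, 40,
                       ip4("0.0.0.0"), ip4("0.0.0.0"))
    length = HEADER_LEN + len(body)
    if auth_type == AUTH_CRYPTO:
        auth = struct.pack(AUTH_FMT, 0, key_id, MD5_KEY_LEN, seq)
        packet = struct.pack(HDR_FMT, OSPF_VERSION, OSPF_HELLO, length, ip4(router_id),
                             ip4(area_id), 0, auth_type, auth) + body
        return packet + md5_digest(packet, key)   # checksum field stays zero
    packet = struct.pack(HDR_FMT, OSPF_VERSION, OSPF_HELLO, length, ip4(router_id),
                         ip4(area_id), 0, auth_type, b"\x00" * 8) + body
    return packet[:12] + struct.pack("!H", ospf_checksum(checksum_input(packet))) + packet[14:]

def verify_hello(frame, iface_auth, keyring):
    """Receiver check: iface_auth is the interface AuType, keyring maps Key ID -> key bytes."""
    if len(frame) < HEADER_LEN:
        return False, "truncated"
    version, _, length, _, _, csum, auth_type, auth = struct.unpack(HDR_FMT, frame[:HEADER_LEN])
    if version != OSPF_VERSION or length > len(frame):
        return False, "bad header"
    if auth_type != iface_auth:
        return False, "AuType %d does not match interface AuType %d" % (auth_type, iface_auth)
    packet = frame[:length]
    if auth_type == AUTH_NULL:
        if ospf_checksum(checksum_input(packet)) != csum:
            return False, "checksum mismatch"
        return True, "ok (no authentication)"
    _, key_id, auth_len, seq = struct.unpack(AUTH_FMT, auth)
    key = keyring.get(key_id)
    if key is None:
        # The port3 case: the advertised Key ID matches nothing the peer has configured.
        return False, "no key with ID %d" % key_id
    if auth_len != MD5_KEY_LEN or len(frame) < length + MD5_KEY_LEN:
        return False, "bad auth data length"
    if not hmac.compare_digest(md5_digest(packet, key), frame[length:length + MD5_KEY_LEN]):
        return False, "digest mismatch for key ID %d" % key_id
    return True, "ok (key ID %d, seq %d)" % (key_id, seq)

def scenario():
    """The article's cases: port2 (Key ID 10), port3 (Key ID 0) and both workarounds.
    The peer is assumed to hold only Key ID 10 = KEY10."""
    peer_keys = {10: KEY10}
    port2 = build_hello("1.1.1.1", "0.0.0.0", AUTH_CRYPTO, key_id=10, key=KEY10)
    # Area-level message-digest with no md5-keys on port3 puts Key ID 0 on the wire; the
    # key FortiGate uses in that state is not given in the article, so an empty key is assumed.
    port3 = build_hello("1.1.1.1", "0.0.0.0", AUTH_CRYPTO, key_id=0, key=b"")
    return {
        "port2, key ID 10": verify_hello(port2, AUTH_CRYPTO, peer_keys),
        "port3, key ID 0": verify_hello(port3, AUTH_CRYPTO, peer_keys),
        "workaround 1, null auth both ends": verify_hello(
            build_hello("1.1.1.1", "0.0.0.0", AUTH_NULL), AUTH_NULL, {}),
        "workaround 2, key ID 10 on port3": verify_hello(
            build_hello("1.1.1.1", "0.0.0.0", AUTH_CRYPTO, key_id=10, key=KEY10),
            AUTH_CRYPTO, peer_keys),
    }

if __name__ == "__main__":
    for case, (accepted, why) in scenario().items():
        print("%-36s %s: %s" % (case, "ACCEPT" if accepted else "DROP", why))
```

Running the block prints ACCEPT for the port2 Hello and for both workarounds, and DROP with 'no key with ID 0' for the port3 Hello, which is the key lookup failure behind the missing adjacency. The model deliberately leaves out the cryptographic sequence-number replay check that a real implementation also performs, and it does not claim to reproduce how any particular vendor selects a key when only the area-level setting is present.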

 

Related article: 

Technical Tip: How to configure OSPF MD5 authentication