Description
This article explains how to troubleshoot and resolve unidirectional OSPF packets, which leave the OSPF neighborship stuck in the Init state.
Scope
FortiGate.
Solution
FortiGate1 (VPN1)============IPsec Tunnel ============(VPN2) FortiGate2.
Note: Before moving to OSPF troubleshooting, confirm that the IPsec tunnel overlay IPs can ping each other. Once connectivity is confirmed, follow the steps in this document.
The following sniffer output is taken from FortiGate1:
FortiGate1 # diagnose sniffer packet any 'proto 89' 4 0 l
interfaces=[any]
filters=[proto 89]
2024-11-12 13:13:22.235586 VPN1 out 10.17.250.3 -> 224.0.0.5: ip-proto-89 44
2024-11-12 13:13:32.209862 VPN1 out 10.17.250.3 -> 224.0.0.5: ip-proto-89 44
The following debug output shows Hello packets in one direction only:
OSPF: SEND[Hello]: To 224.0.0.5 via VPN1:10.17.250.3, length 44
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 44
OSPF: Router ID 1.1.1.1
OSPF: Area ID 0.0.0.0
OSPF: Checksum 0x4f7f
OSPF: AuType 0
OSPF: Hello
OSPF: NetworkMask 255.255.255.255
OSPF: HelloInterval 10
OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 0.0.0.0
OSPF: BDRouter 0.0.0.0
OSPF: # Neighbors 0
On FortiGate1, no neighbor is listed in the OSPF neighbor table.
FortiGate1 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State     Dead Time   Address       Interface
The following sniffer output is taken from FortiGate2:
FortiGate2 # diagnose sniffer packet any 'proto 89' 4 0 l
interfaces=[any]
filters=[proto 89]
2024-11-12 12:59:33.641605 VPN2 out 10.17.250.44 -> 224.0.0.5: ip-proto-89 48
2024-11-12 12:59:35.026084 VPN2 in 10.17.250.3 -> 224.0.0.5: ip-proto-89 44
2024-11-12 12:59:43.310834 VPN2 out 10.17.250.44 -> 224.0.0.5: ip-proto-89 48
2024-11-12 12:59:44.555717 VPN2 in 10.17.250.3 -> 224.0.0.5: ip-proto-89 44
On FortiGate2, bidirectional traffic can be observed.
Furthermore, the OSPF debug output shows both SEND and RECV Hello packets on FortiGate2:
2024-11-12 13:02:23 OSPF: SEND[Hello]: To 224.0.0.5 via VPN2 :10.17.250.44, length 48
2024-11-12 13:02:23 OSPF: -----------------------------------------------------
2024-11-12 13:02:23 OSPF: Header
2024-11-12 13:02:23 OSPF: Version 2
2024-11-12 13:02:23 OSPF: Type 1 (Hello)
2024-11-12 13:02:23 OSPF: Packet Len 48
2024-11-12 13:02:23 OSPF: Router ID 2.2.2.2
2024-11-12 13:02:23 OSPF: Area ID 0.0.0.0
2024-11-12 13:02:23 OSPF: Checksum 0xa355
2024-11-12 13:02:23 OSPF: AuType 0
2024-11-12 13:02:23 OSPF: Hello
2024-11-12 13:02:23 OSPF: NetworkMask 255.255.255.255
2024-11-12 13:02:23 OSPF: HelloInterval 10
2024-11-12 13:02:23 OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
2024-11-12 13:02:23 OSPF: RtrPriority 1
2024-11-12 13:02:23 OSPF: RtrDeadInterval 40
2024-11-12 13:02:23 OSPF: DRouter 0.0.0.0
2024-11-12 13:02:23 OSPF: BDRouter 0.0.0.0
2024-11-12 13:02:23 OSPF: # Neighbors 1
2024-11-12 13:02:23 OSPF: Neighbor 172.31.0.1
2024-11-12 13:02:23 OSPF: -----------------------------------------------------
2024-11-12 13:02:23 OSPF: RECV[Hello]: From 1.1.1.1 via VPN1 :10.17.250.44 (10.17.250.3 -> 224.0.0.5)
2024-11-12 13:02:23 OSPF: -----------------------------------------------------
2024-11-12 13:02:23 OSPF: Header
2024-11-12 13:02:23 OSPF: Version 2
2024-11-12 13:02:23 OSPF: Type 1 (Hello)
2024-11-12 13:02:23 OSPF: Packet Len 44
2024-11-12 13:02:23 OSPF: Router ID 1.1.1.1
2024-11-12 13:02:23 OSPF: Area ID 0.0.0.0
2024-11-12 13:02:23 OSPF: Checksum 0x4f7f
2024-11-12 13:02:23 OSPF: AuType 0
2024-11-12 13:02:23 OSPF: Hello
2024-11-12 13:02:23 OSPF: NetworkMask 255.255.255.255
2024-11-12 13:02:23 OSPF: HelloInterval 10
2024-11-12 13:02:23 OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
2024-11-12 13:02:23 OSPF: RtrPriority 1
2024-11-12 13:02:23 OSPF: RtrDeadInterval 40
2024-11-12 13:02:23 OSPF: DRouter 0.0.0.0
2024-11-12 13:02:23 OSPF: BDRouter 0.0.0.0
2024-11-12 13:02:23 OSPF: # Neighbors 0
FortiGate2 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State     Dead Time   Address       Interface
1.1.1.1           1   Init/ -   00:00:36    10.17.250.3   VPN2 (tun-id: 10.20.10.10)
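The comparison of the two sniffer captures above can be automated off-box. The following is an added example, not part of the original article or any Fortinet tooling: it parses the 'proto 89' sniffer lines shown above, reports interfaces that saw OSPF in only one direction, and lists the source IPs that one peer sent but the other never received. The function names are hypothetical, and it assumes both captures reflect the same steady state even though they were taken at different times.

```python
import re

# One packet line of `diagnose sniffer packet any 'proto 89' 4 0 l` output:
# timestamp, interface, direction, source -> destination, protocol, length.
PACKET_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+(?P<iface>\S+)\s+"
    r"(?P<dir>in|out)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+ip-proto-89\s+\d+$"
)

def parse_sniffer(text):
    """Return (interface, direction, source IP) for every OSPF packet line."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:  # the prompt, "interfaces=" and "filters=" lines do not match
            packets.append((m["iface"], m["dir"], m["src"]))
    return packets

def one_way_interfaces(text):
    """Map each interface that saw OSPF in one direction only to that direction."""
    seen = {}
    for iface, direction, _ in parse_sniffer(text):
        seen.setdefault(iface, set()).add(direction)
    return {i: next(iter(d)) for i, d in seen.items() if len(d) == 1}

def lost_hellos(sender_text, receiver_text):
    """Source IPs the sender transmitted that the receiver never saw arrive."""
    sent = {src for _, d, src in parse_sniffer(sender_text) if d == "out"}
    got = {src for _, d, src in parse_sniffer(receiver_text) if d == "in"}
    return sent - got

# Capture lines copied from the FortiGate1 and FortiGate2 outputs in this article.
FGT1 = """FortiGate1 # diagnose sniffer packet any 'proto 89' 4 0 l
interfaces=[any]
filters=[proto 89]
2024-11-12 13:13:22.235586 VPN1 out 10.17.250.3 -> 224.0.0.5: ip-proto-89 44
2024-11-12 13:13:32.209862 VPN1 out 10.17.250.3 -> 224.0.0.5: ip-proto-89 44"""
FGT2 = """2024-11-12 12:59:33.641605 VPN2 out 10.17.250.44 -> 224.0.0.5: ip-proto-89 48
2024-11-12 12:59:35.026084 VPN2 in 10.17.250.3 -> 224.0.0.5: ip-proto-89 44
2024-11-12 12:59:43.310834 VPN2 out 10.17.250.44 -> 224.0.0.5: ip-proto-89 48
2024-11-12 12:59:44.555717 VPN2 in 10.17.250.3 -> 224.0.0.5: ip-proto-89 44"""

if __name__ == "__main__":
    print("FortiGate1 one-way interfaces:", one_way_interfaces(FGT1))
    print("Sent by FortiGate2, never seen on FortiGate1:", lost_hellos(FGT2, FGT1))
```

On the article's data, FortiGate1 shows VPN1 as outbound-only and the Hellos from 10.17.250.44 as the ones that never arrive, which matches FortiGate2 holding the neighbor in Init.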
NPU offload can be disabled on the tunnel on both sides to force the FortiGate to process the tunnel traffic in the CPU. Run the following commands:
On FortiGate1:
config vpn ipsec phase1-interface
    edit VPN1
        set npu-offload disable
end
On FortiGate2:
config vpn ipsec phase1-interface
    edit VPN2
        set npu-offload disable
end
Related articles:
OSPF inactivity timer expire message in t... - Fortinet Community
Troubleshooting Tip: Unable to see OSPF Neighbor: No 'Hello' Packets
Technical Tip: How to troubleshoot OSPF neighborship in various states
Copyright 2024 Fortinet, Inc. All Rights Reserved.