FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jiahoong112
Staff
Article Id 251817
Description This article describes how to troubleshoot the case where no OSPF Hello packets are seen on a FortiGate, so the OSPF neighborship is never established.
Scope FortiGate.
Solution

Topology: Fortigate-A --direct connection--> Fortigate-B.

Fortigate-A:

port1 IP: 10.56.241.52/22

port3 IP: 10.191.1.52/20

Fortigate-B:

port1 IP: 10.56.241.56/22

port3 IP: 10.193.1.56/20

1. An OSPF packet capture shows no output at all, i.e. no Hello packets:

diag sniffer packet any 'proto 89' 6 0 a


2. The OSPF debugs show nothing relevant and no errors:

diagnose debug disable
diagnose debug reset

diagnose debug console timestamp enable
diagnose ip router ospf all enable
diagnose ip router ospf level info
diagnose debug enable


3. OSPF neighborship information:

[Image: ospfnoneigh.png (OSPF neighbor output, no neighbor present)]


4. OSPF configuration:

[Image: showospf.png (OSPF configuration of the two FortiGates)]


As seen here, port3 is the interface that connects the two FortiGates. However, port3 on the two FortiGates is not in the same subnet and mask (10.191.1.52/20 versus 10.193.1.56/20).

5. To form an OSPF adjacency, the following criteria must be met:
  • OSPF version: both peers must run the same OSPF version.
  • The IP addresses of the peers must be in the same subnet with the same mask.
  • The interfaces of the peers must be of the same type and in the same OSPF area.
  • The Hello and dead intervals of the peers must match.
  • Each peer must have a unique router ID.
  • The MTU of both sides must match, or MTU-ignore must be configured.
  • OSPF authentication, if enabled, must succeed (authentication type and keys must match).
  • Check the OSPF network type configuration on both ends. A mismatch in network types, such as Broadcast vs. Point-to-Point, can prevent the neighbors from discovering each other.
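The criteria above, as an added example that is not part of the Fortinet article: a small Python checker that compares two interfaces against each rule and is run on the port3 and port1 pairs of this topology. The OspfIntf field names, their defaults and the rule that a differing MTU needs mtu-ignore on both sides are assumptions.

```python
from dataclasses import dataclass
import ipaddress


@dataclass
class OspfIntf:
    """One OSPF-enabled interface; field names and defaults are assumptions."""
    ip: str                      # address with mask, e.g. "10.56.241.52/22"
    router_id: str
    version: int = 2
    area: str = "0.0.0.0"
    net_type: str = "broadcast"
    hello: int = 10
    dead: int = 40
    mtu: int = 1500
    mtu_ignore: bool = False
    auth: tuple = ("none", "")   # (authentication type, key)


def adjacency_mismatches(a: OspfIntf, b: OspfIntf) -> list:
    """Return the adjacency criteria that a and b violate (empty = can peer)."""
    ia, ib = ipaddress.ip_interface(a.ip), ipaddress.ip_interface(b.ip)
    problems = []
    if a.version != b.version:
        problems.append("OSPF version mismatch")
    # Same subnet and same mask collapse into one comparison of the networks
    if ia.network != ib.network:
        problems.append(f"subnet/mask mismatch: {ia.network} vs {ib.network}")
    if a.area != b.area:
        problems.append("area mismatch")
    if a.net_type != b.net_type:
        problems.append("network type mismatch")
    if (a.hello, a.dead) != (b.hello, b.dead):
        problems.append("hello/dead interval mismatch")
    if a.router_id == b.router_id or "0.0.0.0" in (a.router_id, b.router_id):
        problems.append("router ID not unique or 0.0.0.0")
    # Assumption: a differing MTU is tolerated only if both sides set mtu-ignore
    if a.mtu != b.mtu and not (a.mtu_ignore and b.mtu_ignore):
        problems.append("MTU mismatch without mtu-ignore")
    if a.auth != b.auth:
        problems.append("authentication type/key mismatch")
    return problems


if __name__ == "__main__":
    # port3 pair from the article: different /20 subnets, so no adjacency
    print(adjacency_mismatches(OspfIntf("10.191.1.52/20", "10.191.1.52"),
                               OspfIntf("10.193.1.56/20", "10.193.1.56")))
    # port1 pair: both in 10.56.240.0/22, so this link can carry the OSPF peering
    print(adjacency_mismatches(OspfIntf("10.56.241.52/22", "10.56.241.52"),
                               OspfIntf("10.56.241.56/22", "10.56.241.56")))
```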

6. To resolve this issue, the correct prefixes must be advertised to the neighbor. In this case, the criterion 'IP addresses of peers must be in the same subnet with the same mask' has to be satisfied.

So, in addition to advertising the LAN prefixes that are not in a common subnet/mask (10.191.1.52/20 and 10.193.1.56/20) through OSPF, it is also necessary to advertise an interface whose addresses do share a common subnet/mask on both firewalls, here port1 (10.56.241.52/22 and 10.56.241.56/22).

[Image: pref.png (prefixes advertised in OSPF)]

In conclusion, both firewalls must advertise a common subnet/mask that they share.

Result:

[Image: ospfneighiwq.png (OSPF neighbor output after the change)]

[Image: ospfwiresahrk.png (packet capture after the change)]

Note:

For OSPF over IPsec, a common prefix can be configured using the IPsec interface subnet.

The Router ID is a 32-bit number that uniquely identifies a participating router within a routing domain or Autonomous System. A Router ID of 0.0.0.0 is not allowed, because this value is used during the designated router (DR) and backup designated router (BDR) elections.

Related article

Technical-Tip-Integrating-a-FortiGate-into-an-OSPF-environment