jiahoong112
Staff
Article Id 251817
Description: This article describes how to troubleshoot the case where no Hello packets are seen on a FortiGate when trying to establish an OSPF neighborship.
Scope: FortiGate.
Solution

Topology: FortiGate-A --direct connection--> FortiGate-B.

 

FortiGate-A:

port1 IP: 10.56.241.52/22.

port3 IP: 10.191.1.52/20.

 

FortiGate-B:

port1 IP: 10.56.241.56/22.

port3 IP: 10.193.1.56/20.

 

  1. The OSPF packet capture does not show any output, i.e. no Hello packets:

 

diagnose sniffer packet any 'proto 89' 6 0 a

diagnose sniffer packet any 'host 224.0.0.5' 6 0 l

 

  2. The OSPF debugs do not show anything relevant and report no errors. The following sequence of commands configures and enables OSPF debugging on a FortiGate:

 

diagnose debug disable
diagnose debug reset

diagnose debug console timestamp enable
diagnose ip router ospf all enable
diagnose ip router ospf level info
diagnose debug enable

 

Disable and Reset Debugging:

 

diagnose debug disable <-- Disables any currently active debugging.

diagnose debug reset <-- Resets the debug settings to clear any previous configurations.

 

Enable Console Timestamps:

 

diagnose debug console timestamp enable <-- Adds timestamps to the debug output, which helps in correlating events with specific times.

 

Enable OSPF Debugging:

 

diagnose ip router ospf all enable <-- Enables debugging for all OSPF processes.

diagnose ip router ospf level info <-- Sets the debug level to 'info' to capture informational messages about OSPF operations.

 

Activate Debugging:

 

diagnose debug enable <-- Activates the debug settings, starting the logging of OSPF operations to the console.

 

Note: Also, verify the OSPFD process is not stuck by using the command below:

 

diagnose sys top 2 20 <-- Check the OSPFD process and verify that it is not consuming high memory or in a stuck state.

 

  3. OSPF neighborship information:

 

[Screenshot: ospfnoneigh.png]

 

  4. OSPF configuration:

 

[Screenshot: showospf.png]

 

As seen here, port3 is the interface connecting the two FortiGates. However, port3 on the two FortiGates does not share the same subnet and mask (10.191.1.52/20 versus 10.193.1.56/20).

 

  5. To form an OSPF adjacency, the following criteria must be met:
  • OSPF version: the same OSPF version must run between the peers.
  • IP addresses of the peers must be in the same subnet with the same mask.
  • Interfaces of the peers are the same type and in the same OSPF area.
  • Hello and dead intervals of the peers match.
  • Each peer has a unique router ID.
  • MTU of both sides must match, or MTU-ignore must be configured.
  • Successful OSPF authentication, if enabled (authentication type and keys must match).
  • Check the OSPF network type configuration on both ends. A mismatch in network types, such as Broadcast vs. Point-to-Point, can prevent neighbors from discovering each other.

 

  6. To resolve this issue, it is necessary to advertise the correct prefixes to the neighbor. In this case, the criterion 'IP addresses of peers must be in the same subnet with the same mask' must be met.

So, aside from advertising through OSPF the LAN prefixes that are not in the same subnet/mask (10.191.1.52/20 and 10.193.1.56/20), it is also necessary to advertise an IP that is in a subnet/mask common to both firewalls, which here are 10.56.241.52/22 and 10.56.241.56/22.
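As an added example (not from this article or from Fortinet), the following Python script checks the adjacency criteria listed above against the addresses in this article: the port3 pair fails the subnet/mask check while the port1 pair passes. The dataclass field names and the router IDs are assumptions, not FortiOS configuration keys.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class OspfIface:
    """OSPF settings of one interface (hypothetical field names, not FortiOS keys)."""
    router_id: str
    ip: str                      # address with prefix length, e.g. "10.191.1.52/20"
    area: str = "0.0.0.0"
    version: int = 2
    network_type: str = "broadcast"
    hello: int = 10
    dead: int = 40
    mtu: int = 1500
    mtu_ignore: bool = False
    auth: tuple = ("none", "")   # (authentication type, key)


def check_adjacency(a: OspfIface, b: OspfIface) -> list:
    """Return the adjacency criteria that a and b fail; an empty list means all pass."""
    problems = []
    if a.version != b.version:
        problems.append(f"OSPF version mismatch: v{a.version} vs v{b.version}")
    net_a = ipaddress.ip_interface(a.ip).network
    net_b = ipaddress.ip_interface(b.ip).network
    if net_a != net_b:   # the failing criterion in this article's topology
        problems.append(f"subnet/mask mismatch: {net_a} vs {net_b}")
    if a.network_type != b.network_type or a.area != b.area:
        problems.append("interface network type or OSPF area mismatch")
    if (a.hello, a.dead) != (b.hello, b.dead):
        problems.append("hello/dead interval mismatch")
    if a.router_id == b.router_id or "0.0.0.0" in (a.router_id, b.router_id):
        problems.append("router IDs must be unique and must not be 0.0.0.0")
    # Conservative reading of the MTU rule: accept a mismatch only if both sides ignore MTU.
    if a.mtu != b.mtu and not (a.mtu_ignore and b.mtu_ignore):
        problems.append(f"MTU mismatch ({a.mtu} vs {b.mtu}) without mtu-ignore")
    if a.auth != b.auth:
        problems.append("authentication type/key mismatch")
    return problems


# Interface addresses from the article; the router IDs are constructed sample values.
FGT_A_PORT3 = OspfIface("10.56.241.52", "10.191.1.52/20")
FGT_B_PORT3 = OspfIface("10.56.241.56", "10.193.1.56/20")
FGT_A_PORT1 = OspfIface("10.56.241.52", "10.56.241.52/22")
FGT_B_PORT1 = OspfIface("10.56.241.56", "10.56.241.56/22")

if __name__ == "__main__":
    for name, pair in (("port3", (FGT_A_PORT3, FGT_B_PORT3)),
                       ("port1", (FGT_A_PORT1, FGT_B_PORT1))):
        print(name, check_adjacency(*pair) or "all adjacency criteria met")
```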

 

[Screenshot: pref.png]

 

In conclusion, both firewalls must advertise a common subnet/mask shared amongst them.

 

Result:

 

[Screenshot: ospfneighiwq.png]

 

[Screenshot: ospfwiresahrk.png]

Note:

For OSPF over IPsec, it is possible to configure a common prefix using the IPsec Interface subnet.

The Router ID should be a 32-bit number that uniquely identifies a participating router within a routing domain or Autonomous System. A Router ID of 0.0.0.0 is not allowed, as this value is used during the designated router (DR) and backup designated router (BDR) elections.

 

General troubleshooting commands for OSPF:

get router info ospf neighbor

get router info ospf interface

get router info ospf database brief

get router info ospf database self-originate

get router info ospf database router lsa

 

get router info ospf neighbor <-- Displays information about OSPF neighbors. This includes details such as neighbor ID, state, and the interface through which the neighbor is reachable.

 

get router info ospf interface <-- Displays information about OSPF interfaces. If no specific interface is mentioned, it returns information about all OSPF interfaces, including their status and configuration.

 

get router info ospf database brief <-- Provides a brief overview of the OSPF database. This includes a summary of the different types of LSAs (Link-State Advertisements) present in the database.

 

get router info ospf database self-originate <-- Displays information about LSAs that are originated by the local router. This helps in understanding what routing information the local router is advertising to its OSPF neighbors.

 

get router info ospf database router lsa <-- Retrieves detailed information about the router LSAs in the OSPF database. Router LSAs describe the state and cost of the router's links to the OSPF area.

 

Related articles

Technical Tip: Integrating a FortiGate into an OSPF environment

Technical Tip: Understanding OSPF States

Technical Tip: How to troubleshoot OSPF neighborship in various states