See one of the following articles if an OSPF neighbor is stuck in one of the other states:
Troubleshooting Tip: OSPF – Neighbor stuck at loading.
Troubleshooting Tip: OSPF neighbour stuck in EXTSTART/EXCHANGE state.
Troubleshooting Tip: OSPF Neighbor stuck in INIT state.
In a broadcast domain, an OSPF router will establish a FULL adjacency only with the DR and BDR.
In the process of forming an OSPF adjacency, after the master/slave relationship is negotiated, the neighboring routers/firewalls transition into the Exchange state. In the Exchange state, OSPF neighbors exchange DBD packets, which contain their entire link-state database.
If there is one neighbor stuck in the Exstart/Exchange state, MTU size is most likely the cause. Ensure that the MTU size is the same on both sides of the link or enable 'mtu-ignore' on the OSPF interface. Restart the OSPF neighborship for this change to take effect:
execute router clear ospf process
mtu-ignore configuration:
config router ospf
    set router-id 192.168.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "port3"
            set interface "port3"
            set mtu-ignore enable
        next
    end
end
If it is noticed that OSPF neighborship to DR and BDR routers is stuck in a 2-way state on the FortiGate after a change such as a firewall upgrade/reboot, find out the number of OSPF neighbors which are stuck in the Exstart/Exchange state.
get router info ospf neighbor
FortiGate has a system limit of 5 neighbors in an Exstart state that it can serve at a time (inbound DD = 5, outbound DD = 5). Currently, this limit is not configurable and is implemented to preserve the system resources.
get router info ospf status
Routing Process "ospf 0" with ID 192.168.1.1
Process uptime is 6 hours 58 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
This router is an ABR, ABR Type is Standard (RFC2328)
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incoming current DD exchange neighbors 5/5
Number of outgoing current DD exchange neighbors 5/5
Number of external LSA 681. Checksum 0x15C3EBB
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 678
External LSA database is unlimited.
Number of LSA originated 1191
Number of LSA received 19583
Number of areas attached to this router: 2
If there are 5 such neighbors in the Exstart/Exchange state, FortiGate will not respond with DBD packets to other OSPF neighbors that completed the 2-way and the Exstart state.
The following log messages can be seen in the OSPF debugs.
diagnose ip router ospf all enable
Debug messages will be on for 30 minutes.
diagnose ip router ospf level info
Debug messages will be on for 30 minutes.
diagnose debug console timestamp enable
diagnose debug enable
2022-04-12 18:32:38 OSPF: NFSM[port13:172.31.5.5-192.168.187.36]: DD Retransmit timer expire
2022-04-12 18:32:38 OSPF: NFSM[port13:172.31.5.5-192.168.187.38]: DD Retransmit timer expire
Until those 5 Exstart/Exchange state neighbors transition into Full state, any new OSPF neighbors will be stuck in a 2-way state.
In order to establish new OSPF adjacencies on FortiGate, fix or disable the existing OSPF neighbors which are stuck in the Exstart/Exchange state by making appropriate changes to the configuration.
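The check described above can be run against saved CLI output. The following Python is an added example, not Fortinet code: it reads the two DD exchange counters from 'get router info ospf status' and counts 'DD Retransmit timer expire' debug lines per NFSM entry. The sample text is constructed from the output shown in this article (the third log line is made up), and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: counter lines and log format follow the article's
# output; the third log line is made up for this example.
STATUS = """\
Routing Process "ospf 0" with ID 192.168.1.1
Number of incoming current DD exchange neighbors 5/5
Number of outgoing current DD exchange neighbors 5/5
"""
DEBUG = """\
2022-04-12 18:32:38 OSPF: NFSM[port13:172.31.5.5-192.168.187.36]: DD Retransmit timer expire
2022-04-12 18:32:38 OSPF: NFSM[port13:172.31.5.5-192.168.187.38]: DD Retransmit timer expire
2022-04-12 18:32:43 OSPF: NFSM[port13:172.31.5.5-192.168.187.36]: DD Retransmit timer expire
"""

DD_RE = re.compile(
    r"Number of (incoming|outgoing) current DD exchange neighbors (\d+)/(\d+)")
NFSM_RE = re.compile(
    r"OSPF: NFSM\[([^:\]]+):([^\]]+)\]: DD Retransmit timer expire")

def dd_slots(status_text):
    """Return {'incoming': (used, limit), 'outgoing': (used, limit)}."""
    return {d: (int(u), int(l)) for d, u, l in DD_RE.findall(status_text)}

def saturated(slots):
    """Directions whose DD exchange slots are all in use."""
    return sorted(d for d, (used, limit) in slots.items() if used >= limit)

def dd_retransmits(debug_text):
    """Count DD retransmit expiries per (interface, address pair as printed)."""
    return Counter(NFSM_RE.findall(debug_text))

def report(status_text, debug_text):
    """Build a short text summary of slot usage and retransmit counts."""
    slots = dd_slots(status_text)
    lines = [f"{d}: {u}/{l} DD exchange slots in use"
             for d, (u, l) in sorted(slots.items())]
    full = saturated(slots)
    if full:
        lines.append("saturated: " + ", ".join(full)
                     + " (new neighbors will wait in 2-way)")
    for (iface, pair), n in dd_retransmits(debug_text).most_common():
        lines.append(f"{iface} {pair}: {n} DD retransmit expiries")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(STATUS, DEBUG))
```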
To clear the OSPF process, execute the following command so the OSPF neighborship will re-establish:
IPv4:
execute router clear ospf process
IPv6:
execute router clear ospf6 process
Note that once the OSPF process is cleared, all neighbors will be re-established, and routes learned via OSPF will also be cleared and reinstalled into the routing table.