Fortinet Forum
FortiMonkey

OSPF over VPN - neighbor issues. Ping is OK

Hi All,

Hoping someone can help. We have set up an IPsec tunnel between our OnPrem FortiGate and Azure FortiVM.

We have configured each end of the transit tunnel with IP addresses in a /30 network:

  • 10.1.15.200/30 Network
  • 10.1.15.201/30 OnPrem VPN Interface
  • 10.1.15.202/30 Azure VPN Interface
  • 10.1.15.203/30 Broadcast

Policy is in place so that ANY LAN traffic can get either way down the tunnel as required.

We have a couple of client/server networks also going over this tunnel. Using static routes on both ends, we can reach each other; ping, SMB, RDP, SSH, etc. Great.

However, we want to advertise our OnPrem OSPF into Azure so we can get rid of the statics.

We added the VPN Interface into our existing OSPF Area 0.0.0.0.  We have also configured the same items on the Azure side.


However, OSPF neighbors are not coming up correctly.
Our OnPrem FortiGate (notice the Init status):
get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State     Dead Time   Address       Interface
10.1.15.202       1   Init/ -   00:00:40    10.1.15.202   OnPrem-Azure


Azure FortiGate shows no neighbors:
get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State     Dead Time   Address       Interface


The next step I did was to look at the OSPF interfaces to see what (if anything) is happening...

get router info ospf interface

I noticed 2 things:

  1. The OnPrem device stated MTU 1422 for the OSPF interface and the Azure device stated MTU 1420.
  2. The OnPrem device can both receive and send OSPF Hello packets. The Azure device can only send Hello packets; it hasn't received a single one :(


So I used this command to set the MTU manually on the Azure device only, as I've seen they have to match for OSPF to chat.
config router ospf
    config ospf-interface
        edit "Azure-OnPrem"
            set mtu 1422
        next
    end
end


The MTU now matches on both devices, but the OSPF status hasn't changed.  Ideas anyone?
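An added example, not part of this thread and not Fortinet tooling: a small Python triage script that parses the neighbor table shown in the post (column layout copied from the post) plus a constructed rendering of the `get router info ospf interface` output (the exact line layout for the MTU and the Hello counters is assumed, not taken from the page), and reports what the two observations mean when read together. A neighbor stuck in Init means the Hello exchange is one-way (RFC 2328: we received its Hello, but that Hello did not list our Router ID), and the interface MTU is only compared in Database Description packets at ExStart, so an MTU mismatch cannot be what holds a neighbor in Init. The names OnPrem/Azure, tunnel names and counter values are constructed sample input.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed samples. The neighbor tables copy the layout shown in the post; the
# interface blocks are an ASSUMED rendering of 'get router info ospf interface'
# that carries the MTU values and Hello counters the post describes in prose.
ONPREM_NEIGHBORS = """\
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.1.15.202 1 Init/ - 00:00:40 10.1.15.202 OnPrem-Azure
"""
AZURE_NEIGHBORS = """\
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
"""
ONPREM_INTERFACE = """\
OnPrem-Azure is up, line protocol is up
  Internet Address 10.1.15.201/30, Area 0.0.0.0, MTU 1422
  Hello received 12 sent 30, DD received 0 sent 0
"""
AZURE_INTERFACE = """\
Azure-OnPrem is up, line protocol is up
  Internet Address 10.1.15.202/30, Area 0.0.0.0, MTU 1420
  Hello received 0 sent 30, DD received 0 sent 0
"""

@dataclass
class Neighbor:
    router_id: str
    priority: int
    state: str      # Init, 2-Way, ExStart, Exchange, Loading, Full
    role: str       # DR, BDR, DROther, or "-" before the election is known
    dead_time: str
    address: str
    interface: str

NEIGHBOR_RE = re.compile(
    r"^(?P<id>[\d.]+)\s+(?P<pri>\d+)\s+(?P<state>[\w-]+)/\s*(?P<role>\S+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>[\d.]+)\s+(?P<iface>\S+)$"
)
IFACE_RE = re.compile(r"^(?P<iface>\S+) is \w+, line protocol is \w+")
MTU_RE = re.compile(r"\bMTU (\d+)")
HELLO_RE = re.compile(r"Hello received (\d+) sent (\d+)")

def parse_neighbors(text: str) -> list[Neighbor]:
    """Parse the table printed by 'get router info ospf neighbor'."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            rows.append(Neighbor(m["id"], int(m["pri"]), m["state"], m["role"],
                                 m["dead"], m["addr"], m["iface"]))
    return rows

def parse_interfaces(text: str) -> dict[str, dict[str, int]]:
    """Collect MTU and Hello counters per OSPF interface (assumed line formats)."""
    ifaces: dict[str, dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = head["iface"]
            ifaces[current] = {}
            continue
        if current is None:
            continue
        if mtu := MTU_RE.search(line):
            ifaces[current]["mtu"] = int(mtu[1])
        if hello := HELLO_RE.search(line):
            ifaces[current]["hello_rx"] = int(hello[1])
            ifaces[current]["hello_tx"] = int(hello[2])
    return ifaces

def diagnose(a: dict, b: dict) -> list[str]:
    """Explain the adjacency state between two peers.

    Each side is {"name": str, "tunnel": str, "neighbors": [...], "interfaces": {...}}.
    """
    findings = []
    for side in (a, b):
        for n in side["neighbors"]:
            if n.state == "Init":
                # RFC 2328: Init = we received its Hello, but that Hello did not list
                # our Router ID, so the neighbor is not hearing us (one-way traffic).
                findings.append(f"{side['name']}: neighbor {n.router_id} on {n.interface} is stuck "
                                f"in Init, so {n.router_id} is not receiving {side['name']}'s Hellos")
            elif n.state != "Full":
                findings.append(f"{side['name']}: neighbor {n.router_id} is in {n.state}, not Full")
        counters = side["interfaces"].get(side["tunnel"], {})
        if counters.get("hello_tx", 0) > 0 and counters.get("hello_rx", 0) == 0:
            findings.append(f"{side['name']}: {side['tunnel']} sent {counters['hello_tx']} Hellos "
                            f"and received none")
    for seen, blind in ((a, b), (b, a)):
        if seen["neighbors"] and not blind["neighbors"]:
            findings.append(f"{blind['name']} lists no neighbors while {seen['name']} lists one: "
                            f"Hellos from {seen['name']} are not reaching {blind['name']}")
    mtu_a = a["interfaces"].get(a["tunnel"], {}).get("mtu")
    mtu_b = b["interfaces"].get(b["tunnel"], {}).get("mtu")
    if mtu_a and mtu_b and mtu_a != mtu_b:
        # MTU travels in Database Description packets and is only checked once the
        # neighbors reach ExStart; it cannot explain a neighbor stuck in Init.
        findings.append(f"MTU differs ({mtu_a} vs {mtu_b}): this stalls ExStart/Exchange unless "
                        f"mtu-ignore is set, but it is not the cause of an Init-state neighbor")
    return findings

def triage_post() -> list[str]:
    """Run the checks on the constructed samples above."""
    onprem = {"name": "OnPrem", "tunnel": "OnPrem-Azure",
              "neighbors": parse_neighbors(ONPREM_NEIGHBORS),
              "interfaces": parse_interfaces(ONPREM_INTERFACE)}
    azure = {"name": "Azure", "tunnel": "Azure-OnPrem",
             "neighbors": parse_neighbors(AZURE_NEIGHBORS),
             "interfaces": parse_interfaces(AZURE_INTERFACE)}
    return diagnose(onprem, azure)

if __name__ == "__main__":
    for finding in triage_post():
        print("-", finding)
```

Running it prints four findings for the situation in the post: the Init neighbor on OnPrem, the Azure tunnel interface sending Hellos and receiving none, the one-way visibility between the two neighbor tables, and the MTU difference explicitly marked as not the cause of the Init state. To use it on real output, paste the two command outputs from each FortiGate into the four sample strings.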

1 REPLY
alif
Staff

Please ignore MTU and see if this helps.


config router ospf
    config ospf-interface
        edit <name>
            set mtu-ignore enable
        next
    end
end


If this doesn't help, please collect the following output on both devices.

diag debug enable
diag debug console timestamp enable
diag ip router ospf level info
diag ip router ospf all enable


Once debugs have been collected, please disable by:
diag debug disable
diag debug reset