I have recently set up several FortiGate 90Ds and a few 200Ds with OSPF. They are all connected via a VPLS solution.
The OSPF interface is wan1. The internal network is on port3 or internal (a named interface); they also have a separate interface on them, i.e. WAN2. I set up OSPF on the VPLS side for all of them, then a single OSPF interface. I then advertise the separate network connected to each site on the internal side. I don't have the internal interface set up with OSPF. It all worked fine. I noticed that if I set up a router in one of the networks behind the firewall (on the internal side) with OSPF, it creates an OSPF adjacency! This should not happen! This interface is not configured for OSPF! I then tried to set the passive-interface option in OSPF, and it only lets you have one passive interface? I'm running 5.2.7 on these firewalls. I should be able to make more than one interface passive for OSPF!
Any ideas?
Thanks,
I doubt it's a bug, but have you reviewed your cfg? Did you execute any diag sniffer packet <the suspect passive interface> "proto 89"?
Did you restart the OSPF process after the changes?
e.g.
execute router clear ospf proc
PCNSE
NSE
StrongSwan
Yes, I did restart the firewall. I did find that you can just add all the interfaces to the passive-interface command and that will work just fine. I believe the bug is that it's advertising multicast packets out interfaces that are not configured for OSPF! The networks included in the OSPF command are for advertisements, not for neighbor adjacencies.
The workaround of adding all the interfaces via the passive-interface command is not a correct solution for a secure network. The interface should not be taking any part in the OSPF network process. I will submit this to TAC for further review.
Thanks,
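The two practical steps in this thread are (1) sniffing proto 89 on the interfaces that should be passive to confirm whether the FortiGate is sending hellos or a device behind it is answering, and (2) listing every non-OSPF interface in `set passive-interface` so no adjacency can form there. The script below is an added example, not code from the thread or from Fortinet: it parses a constructed sample of `diag sniffer packet` output (the line layout is an assumption about verbosity-4 output; check it against your own unit), reports OSPF traffic on interfaces outside the intended OSPF set, and builds the workaround command line from the interface list.

```python
"""Flag OSPF traffic on FortiGate interfaces that are meant to be passive,
and build the 'set passive-interface' workaround described in the thread.

Sample input is constructed and assumes the verbosity-4 sniffer layout:
    <timestamp> <interface> <in|out> <src> -> <dst>: <protocol>
Verify the format against real output of
    diag sniffer packet any "proto 89" 4
before trusting the parser on a production box.
"""
import re
from collections import defaultdict

# Constructed sample: wan1 is the VPLS/OSPF side, internal and wan2 should not
# carry OSPF at all. 'out' lines are hellos the FortiGate itself sends;
# 'in' lines are a device on that segment trying to become a neighbour.
SNIFFER_OUTPUT = """\
1.234567 wan1 out 10.10.0.1 -> 224.0.0.5: ip-proto-89
1.334567 wan1 in 10.10.0.2 -> 224.0.0.5: ip-proto-89
2.110000 internal out 192.168.1.1 -> 224.0.0.5: ip-proto-89
2.120000 internal in 192.168.1.50 -> 224.0.0.5: ip-proto-89
3.000000 wan2 out 203.0.113.9 -> 224.0.0.5: ip-proto-89
4.500000 internal in 192.168.1.50 -> 192.168.1.1: udp 53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<proto>.+)$"
)


def parse_sniffer(text):
    """Return one dict per recognised sniffer line; unknown lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def ospf_by_interface(records):
    """Map interface name -> set of directions in which proto 89 was seen."""
    seen = defaultdict(set)
    for r in records:
        if "ip-proto-89" in r["proto"]:
            seen[r["intf"]].add(r["dir"])
    return dict(seen)


def find_unexpected(records, ospf_interfaces):
    """Interfaces carrying OSPF that are not in the intended OSPF set.

    A result of {'internal': ['in', 'out']} reproduces the symptom from the
    thread: the firewall is sending hellos on the LAN side and something
    there is answering, so an adjacency can form where none was configured.
    """
    return {
        intf: sorted(dirs)
        for intf, dirs in ospf_by_interface(records).items()
        if intf not in ospf_interfaces
    }


def passive_interface_command(all_interfaces, ospf_interfaces):
    """Build the 'set passive-interface' line for every interface that must
    not form adjacencies (the workaround the thread settled on; goes under
    'config router ospf'). Interface names are quoted FortiOS-style."""
    passive = [i for i in all_interfaces if i not in ospf_interfaces]
    return "set passive-interface " + " ".join(f'"{i}"' for i in passive)


if __name__ == "__main__":
    recs = parse_sniffer(SNIFFER_OUTPUT)
    print("OSPF seen outside wan1:", find_unexpected(recs, {"wan1"}))
    print(passive_interface_command(["wan1", "wan2", "internal"], {"wan1"}))
```

Run it against a real capture by replacing SNIFFER_OUTPUT with the saved sniffer text; any interface that appears in the report with an `in` direction is a segment where a neighbour is actively being accepted and should be made passive (or, better, have OSPF authentication on the interfaces that do participate) until TAC confirms the behaviour.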