I've set up OSPF on a couple of FortiGate-VM64-HV where everything seem to be working fine.
Routes show up in routing table and neighborhood comes up as normal.
output are somewhat sanitized.
Neighbor ID Pri State Dead Time Address Interface
10.10.48.1 255 Full/DR 00:00:32 10.10.48.1 port1
192.168.2.1 1 Full/DROther 00:00:33 10.10.48.3 port1
Problem I get a log of log messages saying:
OSPF: RECV[Hello]: duplicate router-id 192.168.3.1 detected on port2:192.168.3.1
When debugging it seems like the vFirewall reacts to the hello packet it sent itself.
Unit captured from WAN IP 10.10.48.5
LAN IP 192.168.3.1
Router ID 192.168.3.1
OSPF: SEND[Hello]: To 224.0.0.5 via port1:10.10.48.5, length 52
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 52
OSPF: Router ID 192.168.3.1
OSPF: Area ID 0.0.0.0
OSPF: AuType 1
OSPF: Simple Password xxx
OSPF: Hello
OSPF: NetworkMask 255.255.255.192
OSPF: HelloInterval 10
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.10.48.1
OSPF: BDRouter 10.10.48.5
OSPF: # Neighbors 2
OSPF: Neighbor 10.10.48.1
OSPF: Neighbor 192.168.2.1
OSPF: -----------------------------------------------------
OSPF: RECV[Hello]: From 192.168.3.1 via port1:10.10.48.5 (10.10.48.5 -> 224.0.0.5)
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 52
OSPF: Router ID 192.168.3.1
OSPF: Area ID 0.0.0.0
OSPF: AuType 1
OSPF: Simple Password xxx
OSPF: Hello
OSPF: NetworkMask 255.255.255.192
OSPF: HelloInterval 10
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.10.48.1
OSPF: BDRouter 10.10.48.5
OSPF: # Neighbors 2
OSPF: Neighbor 10.10.48.1
OSPF: Neighbor 192.168.2.1
OSPF: -----------------------------------------------------
OSPF: RECV[Hello]: duplicate router-id 192.168.3.1 detected on port1:10.10.48.5
I do not seem the have the same behavior on a physical unit.
A bug, or something misconfigured?
Have tried changing router-id, as well as rebooted the firewalls.
As said everything works, but log gets spammed unnecessarily.
firmware version 7.2.6 build 1575
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @Qwiri,
Is FortiGate in HA mode? Can you make sure there is no loop in your network? Please run packet sniffer command below:
diagnose sniffer packet any "proto 89" 4 0 l
Regards,
The virtual ones that have this behavior are single units.
I'll do a capture later tonight. Almost sure the prior capture didn't show from itself came into the wan interface.
Here is a snippet from one of the vFirewalls.
The firewall have three ports,
Port1 10.10.48.5
Port2 192.168.3.1
Port3 10.11.166.1
diagnose sniffer packet any 'proto 89' 4 100 l
Using Original Sniffing Mode
interfaces=[any]
filters=[proto 89]
2024-02-03 11:35:10.901658 port1 out 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:14.846635 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:14.846654 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:15.927834 port3 out 10.11.166.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:15.928157 port3 in 10.11.166.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:17.368522 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:17.368544 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:18.199540 port2 out 192.168.3.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:20.821643 port1 out 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:24.446464 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:24.446486 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:26.417701 port3 out 10.11.166.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:26.417861 port3 in 10.11.166.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:27.358099 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:27.358125 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:28.238853 port2 out 192.168.3.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:31.301644 port1 out 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:31.302276 port1 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:34.015240 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:34.015264 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:35.995484 port3 out 10.11.166.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:37.837345 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:37.837370 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:38.718346 port2 out 192.168.3.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:38.718541 port2 in 192.168.3.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:41.351275 port1 out 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:41.351615 port1 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:43.814416 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:43.814434 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
I can see some strange packets like this one,
2024-02-03 11:35:31.301644 port1 out 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:31.302276 port1 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
Do not see other signs of loop as we se no degradation in the network. Also
A packet capture from the Physical unit do not seem to have the same problem. that is to say
I see no duplicates.
Fortigate_PRI (VDOM-A) # diagnose sniffer packet any "proto 89" 4 100 l
interfaces=[any]
filters=[proto 89]
2024-02-04 12:45:18.485928 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:21.058566 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:21.058567 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:21.058569 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:21.809687 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:24.131444 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:24.131445 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:24.131447 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:28.493162 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:31.466194 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:31.466196 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:31.466198 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:32.287877 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:34.299998 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:34.300000 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:34.300002 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:38.344360 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:41.217335 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:41.217336 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:41.217338 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:42.749746 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:44.390726 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:44.390727 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:44.390729 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:48.403432 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:51.006090 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:51.006092 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:51.006093 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:53.029471 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:54.130664 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:54.130665 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:54.130667 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:58.653243 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:01.135790 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:01.135792 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:01.135794 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:03.428595 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:04.419662 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:04.419663 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:04.419665 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:08.482682 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:11.485748 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:11.485750 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:11.485752 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:13.737952 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:14.388709 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:14.388711 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:14.388712 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:18.582529 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:21.845851 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:21.845853 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:21.845855 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:23.347416 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:23.888057 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
A quick test with the VM-ware version did not show the same problem.
I'll se if I can set it up in Hyper-V in my labb.
I have taken a look in Wireshark at a capture and it seems like something can be funky with the Hyper-V virtual switch.
From vFW 1:
No. | Time | Source | Destination | Protocol | Length | Source | Identification |
9 | 15.997059 | 10.10.48.5 | 224.0.0.5 | OSPF | 86 | 00:xx:xx:xx:xx:xx | 0xfa8a (64138) |
10 | 15.997083 | 10.10.48.5 | 224.0.0.5 | OSPF | 86 | 00:xx:xx:xx:xx:xx | 0xfa8a (64138) |
11 | 19.859836 | 10.10.48.3 | 224.0.0.5 | OSPF | 86 | 00:yy:yy:yy:yy:yy | 0xed1c (60700) |
12 | 19.860024 | 10.10.48.3 | 224.0.0.5 | OSPF | 86 | zz:zz:zz:zz:zz:zz | 0xed1c (60700) |
Source here shows No. 11 as Microsoft and 12 as Mellanox, that is the physical NIC for the host.
No. 9 and 10 are show as Microsoft and is another host where the vm is located.
From vFW 2 (not same timeframe):
No. | Time | Source | Destination | Protocol | Length | Identification | Source |
13 | 19.991017 | 10.10.48.5 | 224.0.0.5 | OSPF | 89 | 0x52d9 (21209) | xx:xx:xx:xx:xx:xx |
14 | 19.991289 | 10.10.48.5 | 224.0.0.5 | OSPF | 89 | 0x52d9 (21209) | yy:yy:yy:yy:yy:yy |
15 | 25.987885 | 10.10.48.3 | 224.0.0.5 | OSPF | 89 | 0x44a3 (17571) | zz:zz:zz:zz:zz:zz |
16 | 25.987910 | 10.10.48.3 | 224.0.0.5 | OSPF | 89 | 0x44a3 (17571) | zz:zz:zz:zz:zz:zz |
Same here, I see double entries with the same identification.
No.13 and 14 are the vFirewall I got the capture from, showing same identity on two different MAC:s, one Microsoft, and one with no name identifier.
In the first table this match No. 9 and 10, but have changed from showing same MAC as source, to two different MAC (even with same identifyer)
N15 and 16 are from same vFirewall as No.10 and 12 in the table above.
Here the source have changed from being two different MAC:s, to show the same MAC.
I also see the same doubles for the main Fortigate (physical).
I'm not sure this would be due to a loop as there is always only two of on packet, and always shortly after the first.
Also source changes depending on the capture point. Two different source when getting packet originating from firewall where capture are taken, and same source when it's from another host.
I can also not see these double packets on the physical Fortigate. Here it is different identifyer per hello as it should be. What I can see is one hello from the Microsoft MAC, and one hello from the host MAC (Mellanox or the one where manufacturer isn't named)
I hope I haven't misunderstood the identity field in a packet and that is shows on duplicate packets.
All of this is in at L2 level.
Don't have a design at hand, but can make one at work later.
Also going to ask the Hyper-V guys tomorrow if they have any ideas.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.