- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- OSPF hello message received on outgoing interface
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OSPF hello message received on outgoing interface
I've set up OSPF on a couple of FortiGate-VM64-HV where everything seem to be working fine.
Routes show up in routing table and neighborhood comes up as normal.
output are somewhat sanitized.
Neighbor ID Pri State Dead Time Address Interface
10.10.48.1 255 Full/DR 00:00:32 10.10.48.1 port1
192.168.2.1 1 Full/DROther 00:00:33 10.10.48.3 port1
Problem I get a log of log messages saying:
OSPF: RECV[Hello]: duplicate router-id 192.168.3.1 detected on port2:192.168.3.1
When debugging it seems like the vFirewall reacts to the hello packet it sent itself.
Unit captured from WAN IP 10.10.48.5
LAN IP 192.168.3.1
Router ID 192.168.3.1
OSPF: SEND[Hello]: To 224.0.0.5 via port1:10.10.48.5, length 52
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 52
OSPF: Router ID 192.168.3.1
OSPF: Area ID 0.0.0.0
OSPF: AuType 1
OSPF: Simple Password xxx
OSPF: Hello
OSPF: NetworkMask 255.255.255.192
OSPF: HelloInterval 10
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.10.48.1
OSPF: BDRouter 10.10.48.5
OSPF: # Neighbors 2
OSPF: Neighbor 10.10.48.1
OSPF: Neighbor 192.168.2.1
OSPF: -----------------------------------------------------
OSPF: RECV[Hello]: From 192.168.3.1 via port1:10.10.48.5 (10.10.48.5 -> 224.0.0.5)
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 52
OSPF: Router ID 192.168.3.1
OSPF: Area ID 0.0.0.0
OSPF: AuType 1
OSPF: Simple Password xxx
OSPF: Hello
OSPF: NetworkMask 255.255.255.192
OSPF: HelloInterval 10
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.10.48.1
OSPF: BDRouter 10.10.48.5
OSPF: # Neighbors 2
OSPF: Neighbor 10.10.48.1
OSPF: Neighbor 192.168.2.1
OSPF: -----------------------------------------------------
OSPF: RECV[Hello]: duplicate router-id 192.168.3.1 detected on port1:10.10.48.5
I do not seem the have the same behavior on a physical unit.
A bug, or something misconfigured?
Have tried changing router-id, as well as rebooted the firewalls.
As said everything works, but log gets spammed unnecessarily.
firmware version 7.2.6 build 1575
Labels:
- Labels:
-
FortiGate
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Qwiri,
Is FortiGate in HA mode? Can you make sure there is no loop in your network? Please run packet sniffer command below:
diagnose sniffer packet any "proto 89" 4 0 l
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The virtual ones that have this behavior are single units.
I'll do a capture later tonight. Almost sure the prior capture didn't show from itself came into the wan interface.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a snippet from one of the vFirewalls.
The firewall have three ports,
Port1 10.10.48.5
Port2 192.168.3.1
Port3 10.11.166.1
diagnose sniffer packet any 'proto 89' 4 100 l
Using Original Sniffing Mode
interfaces=[any]
filters=[proto 89]
2024-02-03 11:35:10.901658 port1 out 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:14.846635 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:14.846654 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:15.927834 port3 out 10.11.166.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:15.928157 port3 in 10.11.166.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:17.368522 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:17.368544 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:18.199540 port2 out 192.168.3.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:20.821643 port1 out 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:24.446464 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:24.446486 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:26.417701 port3 out 10.11.166.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:26.417861 port3 in 10.11.166.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:27.358099 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:27.358125 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:28.238853 port2 out 192.168.3.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:31.301644 port1 out 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:31.302276 port1 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:34.015240 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:34.015264 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:35.995484 port3 out 10.11.166.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:37.837345 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:37.837370 port1 in 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:38.718346 port2 out 192.168.3.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:38.718541 port2 in 192.168.3.1 -> 224.0.0.5: ip-proto-89 44
2024-02-03 11:35:41.351275 port1 out 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:41.351615 port1 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:43.814416 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:43.814434 port1 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
I can see some strange packets like this one,
2024-02-03 11:35:31.301644 port1 out 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-03 11:35:31.302276 port1 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
Do not see other signs of loop as we se no degradation in the network. Also
A packet capture from the Physical unit do not seem to have the same problem. that is to say
I see no duplicates.
Fortigate_PRI (VDOM-A) # diagnose sniffer packet any "proto 89" 4 100 l
interfaces=[any]
filters=[proto 89]
2024-02-04 12:45:18.485928 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:21.058566 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:21.058567 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:21.058569 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:21.809687 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:24.131444 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:24.131445 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:24.131447 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:28.493162 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:31.466194 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:31.466196 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:31.466198 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:32.287877 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:34.299998 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:34.300000 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:34.300002 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:38.344360 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:41.217335 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:41.217336 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:41.217338 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:42.749746 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:44.390726 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:44.390727 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:44.390729 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:48.403432 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:51.006090 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:51.006092 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:51.006093 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:53.029471 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:45:54.130664 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:54.130665 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:54.130667 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:45:58.653243 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:01.135790 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:01.135792 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:01.135794 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:03.428595 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:04.419662 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:04.419663 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:04.419665 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:08.482682 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:11.485748 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:11.485750 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:11.485752 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:13.737952 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:14.388709 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:14.388711 VLAG out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:14.388712 port39 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
2024-02-04 12:46:18.582529 V-2795 in 10.10.48.5 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:21.845851 V-2795 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:21.845853 VLAG out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:21.845855 port40 out 10.10.48.1 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:23.347416 V-2795 in 10.10.48.3 -> 224.0.0.5: ip-proto-89 52
2024-02-04 12:46:23.888057 V-3000 out 192.168.0.1 -> 224.0.0.5: ip-proto-89 44
A quick test with the VM-ware version did not show the same problem.
I'll se if I can set it up in Hyper-V in my labb.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have taken a look in Wireshark at a capture and it seems like something can be funky with the Hyper-V virtual switch.
From vFW 1:
| No. | Time | Source | Destination | Protocol | Length | Source | Identification |
9 | 15.997059 | 10.10.48.5 | 224.0.0.5 | OSPF | 86 | 00:xx:xx:xx:xx:xx | 0xfa8a (64138) |
| 10 | 15.997083 | 10.10.48.5 | 224.0.0.5 | OSPF | 86 | 00:xx:xx:xx:xx:xx | 0xfa8a (64138) |
| 11 | 19.859836 | 10.10.48.3 | 224.0.0.5 | OSPF | 86 | 00:yy:yy:yy:yy:yy | 0xed1c (60700) |
| 12 | 19.860024 | 10.10.48.3 | 224.0.0.5 | OSPF | 86 | zz:zz:zz:zz:zz:zz | 0xed1c (60700) |
Source here shows No. 11 as Microsoft and 12 as Mellanox, that is the physical NIC for the host.
No. 9 and 10 are show as Microsoft and is another host where the vm is located.
From vFW 2 (not same timeframe):
| No. | Time | Source | Destination | Protocol | Length | Identification | Source |
| 13 | 19.991017 | 10.10.48.5 | 224.0.0.5 | OSPF | 89 | 0x52d9 (21209) | xx:xx:xx:xx:xx:xx |
| 14 | 19.991289 | 10.10.48.5 | 224.0.0.5 | OSPF | 89 | 0x52d9 (21209) | yy:yy:yy:yy:yy:yy |
| 15 | 25.987885 | 10.10.48.3 | 224.0.0.5 | OSPF | 89 | 0x44a3 (17571) | zz:zz:zz:zz:zz:zz |
| 16 | 25.987910 | 10.10.48.3 | 224.0.0.5 | OSPF | 89 | 0x44a3 (17571) | zz:zz:zz:zz:zz:zz |
Same here, I see double entries with the same identification.
No.13 and 14 are the vFirewall I got the capture from, showing same identity on two different MAC:s, one Microsoft, and one with no name identifier.
In the first table this match No. 9 and 10, but have changed from showing same MAC as source, to two different MAC (even with same identifyer)
N15 and 16 are from same vFirewall as No.10 and 12 in the table above.
Here the source have changed from being two different MAC:s, to show the same MAC.
I also see the same doubles for the main Fortigate (physical).
I'm not sure this would be due to a loop as there is always only two of on packet, and always shortly after the first.
Also source changes depending on the capture point. Two different source when getting packet originating from firewall where capture are taken, and same source when it's from another host.
I can also not see these double packets on the physical Fortigate. Here it is different identifyer per hello as it should be. What I can see is one hello from the Microsoft MAC, and one hello from the host MAC (Mellanox or the one where manufacturer isn't named)
I hope I haven't misunderstood the identity field in a packet and that is shows on duplicate packets.
All of this is in at L2 level.
Don't have a design at hand, but can make one at work later.
Also going to ask the Hyper-V guys tomorrow if they have any ideas.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- tracert not display the correct hop 57 Views
- FortiGate SDWAN rule failover 147 Views
- why the outgoing interface is not... 157 Views
- What is outgoing manual failover criteria? 120 Views
- Fortigate Firewall BGP received routes not... 355 Views
Labels
-
FortiGate
7,098 -
FortiClient
1,399 -
5.2
801 -
5.4
639 -
FortiManager
615 -
FortiAnalyzer
449 -
6.0
416 -
FortiAP
373 -
FortiSwitch
368 -
5.6
362 -
FortiClient EMS
287 -
FortiMail
276 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
124 -
FortiGuard
115 -
IPsec
106 -
SSL-VPN
100 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
47 -
FortiADC
45 -
Fortivoice
44 -
FortiEDR
43 -
FortiDNS
38 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiAuthenticator
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
22 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
Interface
17 -
VDOM
17 -
Routing
15 -
FortiMonitor
14 -
Authentication
14 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Logging
14 -
FortiDDoS
13 -
RADIUS
12 -
FortiCASB
12 -
NAT
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
Application control
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
OSPF
6 -
Static route
6 -
IPS signature
5 -
Packet capture
5 -
FortiPAM
5 -
Automation
5 -
trunk
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
Port policy
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Web rating
4 -
Intrusion prevention
4 -
FortiDeceptor
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
DLP sensor
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
Netflow
2 -
FortiInsight
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
DLP Dictionary
2 -
VoIP profile
2 -
DLP profile
2 -
Fabric connector
2 -
Multicast policy
1 -
4.0MR1
1 -
Zone
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1054 | |
| 870 | |
| 521 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.