Hi All,
Hoping someone can help. We have set up an IPsec tunnel between our OnPrem FortiGate and Azure FortiVM.
We have configured each end of the transit tunnel with IP addresses in a /30 network:
Policy is in place so that ANY LAN traffic can get either way down the tunnel as required.
We have a couple of client/server networks also going over this tunnel. Using static routes on both ends, we can reach each other; PING, SMB, RDP, SSH etc. - great.
However, we want to advertise our OnPrem OSPF into Azure so we can get rid of the statics.
We added the VPN Interface into our existing OSPF Area 0.0.0.0. We have also configured the same items on the Azure side.
However, OSPF neighbors are not coming up correctly.
Our OnPrem FortiGate (notice the Init status):
get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.1.15.202 1 Init/ - 00:00:40 10.1.15.202 OnPrem-Azure
Azure FortiGate shows no neighbors:
get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
The next step I did was to look at the ospf interfaces to see what (if anything) is happening...
get router info ospf interface
I noticed 2 things:
So I used this command to set the MTU manually on the Azure device only, as I've seen they have to match for OSPF to chat.
config router ospf
    config ospf-interface
        edit "Azure-OnPrem"
            set mtu 1422
        next
    end
end
The MTU now matches on both devices, but the OSPF status hasn't changed. Ideas anyone?
Please ignore MTU and see if this helps.
config router ospf
    config ospf-interface
        edit <name>
            set mtu-ignore enable
        next
    end
end
If this doesn't help, please collect the following output on both devices.
diag debug enable
diag debug console timestamp enable
diag ip router ospf level info
diag ip router ospf all enable
Once debugs have been collected, please disable by:
diag debug disable
diag debug reset
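As an added example (not part of the thread above and not a Fortinet tool), the following Python helper parses the two `get router info ospf neighbor` tables quoted in the question and turns the neighbor state into a finding. It encodes the state meanings from RFC 2328: Init on one side with an empty table on the other means the far side is not accepting our Hellos at all, which is a different failure from the ExStart loop that an MTU mismatch produces. The sample outputs are constructed from the ones in the question.

```python
import re
from typing import Dict, List

# Constructed sample outputs, modelled on the two tables quoted in the question.
ONPREM_OUTPUT = """OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.15.202       1   Init/ -         00:00:40    10.1.15.202     OnPrem-Azure
"""
AZURE_OUTPUT = """OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
"""

# Neighbor states from RFC 2328 section 10.1; only Full means routes are exchanged.
STATE_MEANING = {
    "Down": "no Hello received from this neighbor",
    "Init": "its Hellos arrive here but do not list our Router ID (one-way only)",
    "2-Way": "Hellos flow both ways; no adjacency on this network type/role",
    "ExStart": "stuck negotiating DBD exchange (the classic MTU-mismatch symptom)",
    "Exchange": "database description exchange in progress",
    "Loading": "LSA requests still outstanding",
    "Full": "adjacency complete",
}

# One table row: Neighbor ID, Pri, State/Role, Dead Time, Address, Interface.
ROW_RE = re.compile(
    r"^(?P<id>\d+(?:\.\d+){3})\s+\d+\s+(?P<state>[A-Za-z0-9-]+)/\s*\S+"
    r"\s+\d\d:\d\d:\d\d\s+(?P<addr>\d+(?:\.\d+){3})\s+(?P<intf>\S+)$"
)

def parse_neighbors(output: str) -> List[Dict[str, str]]:
    """Parse the FortiOS 'get router info ospf neighbor' table; header lines are skipped."""
    return [m.groupdict() for m in (ROW_RE.match(ln.strip()) for ln in output.splitlines()) if m]

def diagnose(local_output: str, remote_output: str) -> List[str]:
    """Return one finding per non-Full neighbor; an empty list means every adjacency is up."""
    remote_ids = {n["id"] for n in parse_neighbors(remote_output)}
    findings = []
    for n in parse_neighbors(local_output):
        if n["state"] == "Full":
            continue
        findings.append(f"{n['intf']}: neighbor {n['id']} is {n['state']} "
                        f"({STATE_MEANING.get(n['state'], 'unknown state')})")
        # Init here and an empty table on the far side: our Hellos are not being accepted there.
        if n["state"] == "Init" and not remote_ids:
            findings.append(f"{n['intf']}: far side lists no neighbors, so our Hellos are dropped "
                            "or ignored; compare area, hello/dead timers, network type and "
                            "authentication, and confirm policy permits IP protocol 89 both ways")
    return findings
```

Run `diagnose(ONPREM_OUTPUT, AZURE_OUTPUT)` with the real output of both devices pasted in place of the constructed samples.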