Hi
I have 2 remote site routers connected using VXLAN over IPsec. I can ping, telnet and SSH between the routers. I want to form an OSPF adjacency between them, but even though they ping, the neighborship won't come up. When I debug OSPF I see that OSPF is sending hello packets on both routers, but they don't receive any. I'm allowing everything between the VXLAN and VLAN in the firewall policy. It's as if multicast traffic is being blocked.
And I want to know if it is possible to get an adjacency between the routers using VXLAN over OSPF.
Create a multicast policy and allow the OSPF addresses 224.0.0.5/224.0.0.6, depending on your network type.
Also, link-local multicast like an OSPF hello has a TTL of 1. You may also need to set the FortiGate to not decrement the TTL.
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/968606/multicast-processing-and-basic-mu...
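As an added example (not configuration from any poster in this thread), here is what the accepted answer above and the later explanation of OSPF's reliance on multicast translate to in FortiOS CLI, written against the interface names from the lab configuration posted further down (VLAN20 and vxlan20 joined by a software switch). The multicast-address object name "OSPF-mcast" and the policy IDs 1 and 2 are my own choices, and the exact option set varies between FortiOS releases, so check it against the release you run. It is meant to be applied on both the HUB and the SPOKE.

```fortios
# Added example: let OSPF hellos cross between VLAN20 and vxlan20.
# Interface names come from the posted lab config; the object name
# "OSPF-mcast" and policy IDs 1 and 2 are assumed.

# 1. Multicast address object covering 224.0.0.5 (AllSPFRouters) and
#    224.0.0.6 (AllDRouters), so it serves both broadcast and
#    point-to-point OSPF network types.
config firewall multicast-address
    edit "OSPF-mcast"
        set type multicastrange
        set start-ip 224.0.0.5
        set end-ip 224.0.0.6
    next
end

# 2. Multicast policies in both directions, limited to IP protocol 89
#    (OSPF). The unicast policy "VXLAN20" (any/any, service ALL) in the
#    lab does not match multicast destinations; these policies do.
config firewall multicast-policy
    edit 1
        set srcintf "VLAN20"
        set dstintf "vxlan20"
        set srcaddr "all"
        set dstaddr "OSPF-mcast"
        set protocol 89
        set action accept
    next
    edit 2
        set srcintf "vxlan20"
        set dstintf "VLAN20"
        set srcaddr "all"
        set dstaddr "OSPF-mcast"
        set protocol 89
        set action accept
    next
end

# 3. OSPF hellos are sent with TTL 1. Keep the FortiGate from
#    decrementing the TTL when it forwards multicast, otherwise the
#    hello expires before the far router sees it.
config system settings
    set multicast-forward enable
    set multicast-ttl-notchange enable
end
```

After applying it, the `diagnose debug flow` sequence given later in the thread (filtered on one router's IP) is the quickest way to confirm the hellos are now matched by multicast policy 1 or 2 rather than hitting an implicit deny; the routers' own OSPF neighbor tables should then show the adjacency reaching FULL.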
Hi @aguerriero
Thanks for the info. That's what I was missing. I created the policy and it's working.
Hi @jm-barreto, welcome to the community.
Can you share with us the ospf configuration?
Also, please update us with the output of the get router info ospf neighbor command and of the ones from https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-check-OSPF-packets-flow-with-functi...
Hello,
I just want to add that VXLAN is capable of carrying broadcast and multicast; that's its purpose. But it depends on how VXLAN over IPsec is configured: whether you are using VTEPs, whether you are using a virtual-wire-pair or a software switch, and whether you are trying to establish the OSPF adjacency between FortiGates directly or between devices in the local networks.
Hi @akristof @aionescu
This is my lab
I want OSPF on the routers not on the fortigate.
Here is my configuration
HUB
config vpn ipsec phase1-interface
edit "MASTER"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256
set dpd on-idle
set psksecret XXXXX
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "MASTER"
set phase1name "MASTER"
set proposal aes128-sha256
next
end
config system interface
edit "internal2"
set vdom "root"
set type physical
set alias "MAIN TRUNK TO SW G0/1"
set device-identification enable
set lldp-transmission enable
set snmp-index 10
next
edit "VLAN20"
set vdom "root"
set alias "20"
set device-identification enable
set role lan
set snmp-index 24
set interface "internal2"
set vlanid 20
next
edit "vxlan20"
set vdom "root"
set type vxlan
set snmp-index 19
set interface "MASTER"
next
end
config system switch-interface
edit "VXLAN20"
set vdom "root"
set member "VLAN20" "vxlan20"
next
end
config firewall policy
edit 2
set name "vpn"
set uuid 084eddfc-e92d-51ed-ba85-2fefd7d70152
set srcintf "MASTER"
set dstintf "MASTER"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 3
set name "VXLAN20"
set uuid 5c77cd10-ea79-51ed-8532-f53e2788e47e
set srcintf "any"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
---------------------------------------------------------------------------------------------------------------
SPOKE
config vpn ipsec phase1-interface
edit "VPN-REMOTE-1"
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256
set localid "REMOTE1"
set remote-gw x.x.x.x
set psksecret XXXX
next
end
config vpn ipsec phase2-interface
edit "VPN-REMOTE-1"
set phase1name "VPN-REMOTE-1"
set proposal aes128-sha256
set auto-negotiate enable
set src-subnet 192.168.255.2 255.255.255.255
next
end
config system interface
edit "internal2"
set vdom "root"
set type physical
set alias "REMOTE2 TO SW G0/1"
set snmp-index 10
next
end
config system interface
edit "VLAN20"
set vdom "root"
set alias "20"
set device-identification enable
set role lan
set snmp-index 17
set interface "internal2"
set vlanid 20
next
end
config system interface
edit "VPN-REMOTE-1"
set vdom "root"
set ip 192.168.255.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.255.1 255.255.255.0
set snmp-index 18
set interface "wan1"
next
end
config system interface
edit "vxlan20"
set vdom "root"
set type vxlan
set snmp-index 19
set interface "VPN-REMOTE-1"
next
end
config system switch-interface
edit "VXLAN20-SW"
set vdom "root"
set member "vxlan20" "VLAN20"
set intra-switch-policy explicit
next
end
config firewall policy
edit 3
set name "VXLAN20"
set uuid 2ec00ac8-ea78-51ed-9df2-b59fd250f581
set srcintf "any"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Hi, can you share the output of the following commands, run on both FortiGates.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow filter addr x.x.x.x <------------where x.x.x.x is the IP of an OSPF router
diagnose debug flow trace start 1000
diagnose debug enable
To disable the debug:
diagnose debug disable
diagnose debug reset
I use dynamic VPN for fast deployment of the remote site because sometimes I don't have access to the remote IP information.
If you are unable to establish an OSPF adjacency between two remote site routers connected using VXLAN over IPsec, despite being able to ping, telnet, and SSH between them, it's possible that the issue is related to multicast traffic being blocked.
OSPF relies on multicast traffic for neighbor discovery and exchange of routing information. If multicast traffic is blocked, OSPF packets will not be received, which could prevent the OSPF adjacency from being established.
To resolve the issue, you may need to ensure that multicast traffic is allowed to pass between the routers over the VXLAN tunnel. This may involve checking firewall policies and ensuring that multicast routing is properly configured.
Additionally, you may want to verify that the OSPF settings on both routers are correctly configured, including the OSPF network type and interface settings. For example, if the OSPF network type is set to point-to-point, but the interface is actually configured as broadcast, this could prevent the OSPF adjacency from being established.
As for your question about establishing an adjacency between the routers using VXLAN over OSPF, it is possible to use OSPF over VXLAN, provided that the OSPF network type and interface settings are properly configured. However, keep in mind that VXLAN encapsulates layer 2 traffic over layer 3 networks, so the OSPF adjacency will need to be established over the VXLAN tunnel interface rather than the physical interface.
Check for MTU mismatch or MTU ignore. We had an issue like this between Fortinet and VMware NSX-T. Very little showed when debugged, but it ended up working when we corrected the MTU mismatch.