Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ppatel
Staff
Staff

Created on ‎01-31-2022 10:22 AM Edited on ‎11-06-2024 10:55 PM By Moderator

Article Id 204002

Troubleshooting Tip: OSPF neighbor stuck in INIT state

Description

This article explains how to resolve an OSPF neighbor issue where the OSPF is stuck in the INIT state.

 

ppatel_0-1643649821684.png
Scope

FortiGate v6.2.
FortiGate v6.4.
FortiGate v7.0.
FortiGate v7.2.
FortiGate v7.4.

FortiGate v7.6.
Solution

See one of the following articles if an OSPF neighbor is stuck in one of the other states:

 

OSPF uses multicast IP 224.0.0.5 to send HELLO to its neighbor(s).

Sometimes, the multicast packets can get dropped between the source and destination. When this happens, the other side will not receive the HELLO packets and will therefore be unable to pass the INIT state.

For clarity, these are the states OSPF routers pass through to form neighbors:

 

  • Down State.
  • Attempt State.
  • INIT State.
  • 2-Way State.
  • Exstart State.
  • Exchange State.
  • Loading State.
  • Full State (OSPF became fully operational).

 

Until the neighbors are in FULL State, the network will not function.

 

Neighbor routers get stuck in an INIT state when an OSPF router fails to receive its neighbor HELLO packets. This can be due to a couple of reasons.

Below are some common causes and suggested solutions.

 

  1. There is a Firewall in-between the OSPF neighbors that drops OSPF multicast packets.
  • If admin access to the Firewall is available, permit 224.0.0.5 from OSPF routers.
  • If no control over the network is available, use UNICAST OSPF.

Reference: Technical Tip: How to configure OSPF over Non-Broadcast link.

  1. One side of the OSPF neighbors uses authentication while the other does not.

    Configure authentication on both sides or remove it from the side that has it configured.

     

     

  2. HELLOs are dropped at Layer 2.

    Troubleshoot the switched network, especially if it was working before. Check for what changed. This may also be a result of broken hardware.

     

     

     

  3. The switched network in-between no longer has Multicast capability.

    Enabling some features can cause the switch to lose Multicast capability. The details of this are beyond this article's scope.

     

     

  4. MTU mismatch between the neighbors.

     

Check the MTU and, if it is different, set the OSPF neighbors to ignore MTU. Alternatively, adjust the MTU to the same size.
Reference: Technical Tip: How is MTU mismatch identified in OSPF.

 

The following commands assist with troubleshooting an OSPF stuck in an INIT state:

Note: Run this on both neighbors.

 

get router info ospf interface

 

  • Check if the MTU is the same on both routers. If not, make them the same or ignore MTU.
  • Look for Tx and Rx HELLO packets. If HELLOs are being dropped, fix the drops.
  • If authentication has been set on only one side, configure it for the other side or remove it from the configured side.

 

Example:

 

get router info ospf interface

portX is up, line protocol is up

  Internet Address 192.168.X.Y/30, Area 0.0.0.0, MTU 1500

  Process ID 0, VRF 0, Router ID 192.168.X.Y, Network Type POINTOPOINT, Cost: 1

  Transmit Delay is 1 sec, State Point-To-Point

  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5

    Hello due in 00:00:08

  Neighbor Count is 0, Adjacent neighbor count is 0

  Crypt Sequence Number is 7900942

  Hello received 14467 sent 75124, DD received 780 sent 906    <<<<<< HELLOs are being dropped.

  LS-Req received 78 sent 261, LS-Upd received 27423 sent 376

  LS-Ack received 298 sent 24409, Discarded 0

  Cryptographic authentication enabled          <-- Authentication is configured

  Sending SA: Key 1

 

diag sniffer packet any 'host 224.0.0.5' 4

 

  • Check if OSPF multicast is being sent and received or being sent only. If it is 1-way and not 2-ways, OSPF will get stuck in INIT. Fix the drop or use unicast OSPF (set the network type to non-broadcast and specify the neighbor manually).

 

Example of 1-way HELLOs:

 

Line 26: 2.523359 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
Line 27: 12.493354 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
Line 28: 22.013359 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
Line 29: 32.462481 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
Line 30: 42.251139 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
Line 31: 51.970889 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
Line 32: 62.049800 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
Line 33: 72.219987 portX out 192.168.X.Y -> 224.0.0.5: ip-proto-89 60
Labels:
16550
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.