Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
andreasfelder
New Contributor

FortiOS 5.2.x upgrade issues with OSPF

I wanted to post this to make sure that if anybody else runs into this issue they can get this resolved without much digging.

If your FortiGate runs 5.0.x and you upgrade it to 5.2.x, and you use OSPF between this unit and other non-5.2 FortiGates or other vendors' routers, you will most likely run into this issue.

After the upgrade you will notice that the OSPF routes are not coming up. When looking at the neighbor info you will see that the routers are stuck in ExStart. In order to get the routes to come up you will need to ensure that the MTU on the OSPF interfaces matches between routers. In the OSPF interface config you can set the MTU for each interface.

As soon as the MTU matches, the routes should come up.

I hope this helps.

Thanks, Andreas
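The ExStart symptom in the post above comes from the MTU check in RFC 2328 section 10.6: a router's initial Database Description (DBD) packet carries its interface MTU, and the receiver discards the DBD if that value is larger than its own interface MTU. Only the side with the smaller MTU rejects, so the two routers disagree about the neighbor state and the adjacency never reaches Exchange. The following added example is not FortiOS code and is not from the forum post; it models that check in Python, with an mtu_ignore flag standing in for a FortiOS-style `set mtu-ignore enable`, and the helper names (simulate, receive_first_dbd, lsu_fits) are assumed names for this illustration. It also shows the caveat a practitioner should keep in mind: mtu-ignore lets the adjacency form, but a Link State Update that the larger-MTU side builds up to its own MTU can still be larger than the smaller side's MTU, which is precisely what the MTU field was guarding against.

```python
"""
Added example (not FortiOS code, not from the forum post): a model of the
OSPFv2 Database Description (DBD) MTU check that leaves a neighbour stuck
in ExStart, and of what an mtu-ignore style option changes.

RFC 2328 section 10.6: a received DBD is rejected if its Interface MTU
field is larger than the receiving interface can accept without
fragmentation. Only the side with the smaller MTU rejects, so the two
routers end up in different neighbour states.
"""
import struct
from dataclasses import dataclass

# OSPF DBD option and flag bits (RFC 2328 A.3.3)
OPT_E = 0x02       # External routing capability
FLAG_MS = 0x01     # Master/Slave
FLAG_M = 0x02      # More
FLAG_I = 0x04      # Init

EXSTART = "ExStart"
EXCHANGE = "Exchange"


@dataclass(frozen=True)
class DBD:
    interface_mtu: int
    options: int
    flags: int
    dd_seq: int


def build_dbd_body(d: DBD) -> bytes:
    """Serialise the fixed DBD body that follows the 24-byte OSPF header."""
    return struct.pack("!HBBI", d.interface_mtu, d.options, d.flags, d.dd_seq)


def parse_dbd_body(body: bytes) -> DBD:
    """Parse the fixed 8-byte DBD body (any LSA headers after it are ignored)."""
    if len(body) < 8:
        raise ValueError("DBD body too short")
    mtu, opts, flags, seq = struct.unpack("!HBBI", body[:8])
    return DBD(mtu, opts, flags, seq)


def receive_first_dbd(local_if_mtu: int, body: bytes, mtu_ignore: bool = False) -> str:
    """Neighbour state after a router in ExStart receives the peer's initial DBD.

    The DBD carries the peer's interface MTU. RFC 2328 10.6 says to drop the
    packet when that MTU exceeds our own; mtu_ignore (assumed name, models a
    'set mtu-ignore enable' style knob) skips the check. An MTU of 0 is used on
    virtual links and is not checked.
    """
    d = parse_dbd_body(body)
    if not mtu_ignore and d.interface_mtu != 0 and d.interface_mtu > local_if_mtu:
        return EXSTART          # packet discarded, adjacency does not progress
    return EXCHANGE


def simulate(mtu_a: int, mtu_b: int, ignore_a: bool = False, ignore_b: bool = False):
    """Return (state seen on A, state seen on B) after each receives the other's first DBD."""
    from_a = build_dbd_body(DBD(mtu_a, OPT_E, FLAG_I | FLAG_M | FLAG_MS, 0x1000))
    from_b = build_dbd_body(DBD(mtu_b, OPT_E, FLAG_I | FLAG_M | FLAG_MS, 0x2000))
    return (receive_first_dbd(mtu_a, from_b, ignore_a),
            receive_first_dbd(mtu_b, from_a, ignore_b))


def lsu_fits(lsu_payload_len: int, smaller_mtu: int, ip_hdr: int = 20, ospf_hdr: int = 24) -> bool:
    """Caveat for mtu-ignore: the adjacency forms, but a Link State Update the
    larger-MTU side fills up to its own MTU can still exceed the smaller side's
    MTU. This is the size the Interface MTU field was protecting."""
    return ip_hdr + ospf_hdr + lsu_payload_len <= smaller_mtu


if __name__ == "__main__":
    print("matched   :", simulate(1500, 1500))
    print("mismatched:", simulate(1500, 9000))
    print("mtu-ignore:", simulate(1500, 9000, ignore_a=True))
    print("8000-byte LSU over a 1500-byte link fits?", lsu_fits(8000, 1500))
```

The check to make on a real FortiGate is the one the thread uses further down: compare the MTU shown by `get router info ospf interface` on both ends, and confirm with `get router info ospf neighbor` that the state is Full on both sides, not just one. Matching the MTU fixes the cause; mtu-ignore only stops the DBD check from reporting it.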

5 REPLIES
emnoc
Esteemed Contributor III

Yes, it's common that an MTU mismatch in both OSPF and IS-IS will cause adjacency issues. You could also have corrected this in the router ospf config under ospf-interface,

e.g.

set mtu-ignore enable

PCNSE NSE StrongSwan
Matthew_Mollenhauer
New Contributor III

You'll also see this issue with an MTU mismatch if you run OSPF over an IPsec connection.

An alternative is to use:

config router ospf
    config ospf-interface
        edit port1
            set mtu xyz
        next
    end
end

Though we've upgraded a couple of 800C units to 5.2.1 and none of them have had issues with MTU; this is with OSPF to both Cisco 3750Xs and Arista chassis. And I'd note the 800Cs' MTU is still 1500 while the Aristas' default is to use jumbo frames.

Regards,

Matthew

veechee

Thank you so much for posting about this issue. I just did a changeover from a FWF 60C to a FGT 100D, and while I spent hours tweaking the converted config file to eliminate all errors, as well as converting to things such as aggregated interfaces, this OSPF issue happened for me with my head office FGT that is still running 5.0.

Using mtu-ignore enable fixed the issue immediately.

kovaljoe

I had the same issue. Once ALL FortiGates were upgraded to firmware 5.2 (there cannot be any device still on 5.0), OSPF worked fine. Wish that were in the documentation.

veechee

I just had a weird OSPF issue after doing an upgrade from 5.2.5 on a FGT-100D at a branch office. The head office FGT had already been running 5.2.6 for about 30 days and there had been no issues between the units when it had been upgraded.

After upgrading the FGT-100D, the IPsec VPNs showed they were up, but I could not even ping from the head office to the branch office. However, from branch to head I could.

- In Routing Monitor, OSPF showed up at branch, but not at head.

- I rebooted head's FGT, and no change.

- I did a file compare and verified the config file was the same after upgrading: it was (except for the first two lines, as expected).

- I ran a debug to make sure all config file lines had loaded: no issues there either.

- Checking 'get router info ospf neighbor' on both units showed status Full on all links, but still no traffic would pass from head to branch.

- I did notice that 'get router info ospf interface' showed different MTUs for a couple of the links than at the branch office; however, I had 'set mtu-ignore enable' on all interfaces at both head and branch, so this shouldn't matter - I think?

Stumped, I decided to reboot the branch office FGT-100D and see what happened. As soon as it came up from the restart, OSPF came up completely and traffic began to pass. Anyone know why I had this problem in the first place? Is this something I need to worry about happening again?
