greenmug
New Contributor

Upgrade from 5.4 to 5.6 strips OSPF authentication

Hi, after an upgrade attempt all traffic stopped flowing.

Upon investigation I found the OSPF interface section has changed considerably and OSPF authentication commands were removed.

 

Is this known? Has anyone had it confirmed as a bug?

Rule base section headers were also removed. I'm concerned there are other features/config elements that get removed. I reverted so can't easily check.

 

Any date for the next release of 5.6?

 

 

An example before and after:

 

edit "ospf_int_1"
    set interface "FM_1"
    set authentication md5
    set md5-key 2 "ENC fasdfasdfsadfsadfqi/T8q3xQ9"
    set cost 6000
    set dead-interval 40
    set hello-interval 10

edit "ospf_int_1"
    set interface "FM_1"
    set ip 0.0.0.0
    set authentication none
    set prefix-length 0
    set retransmit-interval 5
    set transmit-delay 1
    set cost 6000
    set priority 1
    set dead-interval 40
    set hello-interval 10
    set hello-multiplier 0
    set database-filter-out disable
    set mtu 0
    set mtu-ignore disable
    set network-type broadcast
    set bfd global
    set status enable
    set resync-timeout 40
next

FGTuser
New Contributor III

It might be related to this bug:

 

435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0. Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

 

Probably OSPF key is lost as well during upgrade.

 

ETA for 5.6.3 was November 22, then November 30... should be out soon.

greenmug

Thanks @FGTuser for the info.

Looking at the release notes (out yesterday) that bug reference isn't included. I assume this means it didn't make this release?

 

https://docs.fortinet.com/uploaded/files/4088/fortios-v5.6.3-release-notes.pdf

 

It would be useful if anyone had a support ticket relating to this bug if they had confirmation either way. It might be missed from the release notes but included in the firmware. I can't readily test in a lab.

doslager

I just noticed this as well. I am building out a new location with a pair of 200E. I upgraded to the latest firmware (5.6.3, build 1547) and noticed it was not in the OSPF section. 

 

I can revert to 5.4.x, but I would like to put this into production with the latest version. Plus, our other environments will eventually need to be upgraded to 5.6.x and I don't want to break them. It sounds like the MD5 gets stripped out and OSPF just breaks.

greenmug

Hi, when I encountered this bug I removed OSPF auth from an adjacent router and traffic passed. This means that the MD5 hash deletion was the only issue (with OSPF). So I guess until a fix is in place it would be possible to remove OSPF auth in advance from all adjacencies and therefore not encounter it during an upgrade.

 

That said, other posts on this forum suggest 5.6.3 could cause problems in other areas so we won't be using it in production.
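A pre/post-upgrade check for the regression described in this thread, as an added example that is not part of any poster's message or Fortinet's tooling: it compares two saved copies of one config section and reports watched settings that were removed or had authentication reset to `none`. The sample configs, the watch list and the function names are constructed for illustration, and it assumes every setting sits on a single line.

```python
import shlex

# Settings whose loss weakens the device: authentication and md5-key are from
# the thread's OSPF example, psksecret from the IPsec bug note quoted in it.
WATCHED = ("authentication", "md5-key", "psksecret")

# Constructed sample input modelled on the before/after config in the thread.
BEFORE = '''
edit "ospf_int_1"
    set interface "FM_1"
    set authentication md5
    set md5-key 2 "ENC constructed-placeholder"
next
'''
AFTER = '''
edit "ospf_int_1"
    set interface "FM_1"
    set authentication none
next
'''

def parse_entries(section_text):
    """Map each `edit "<name>"` entry to its {setting: value} pairs."""
    entries, current = {}, None
    for raw in section_text.splitlines():
        tokens = shlex.split(raw)  # honours the quoting used in the config
        if tokens[:1] == ["next"]:
            current = None
        elif len(tokens) > 1 and tokens[0] == "edit":
            current = entries.setdefault(tokens[1], {})
        elif len(tokens) > 1 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = " ".join(tokens[2:])
    return entries

def auth_regressions(before_text, after_text):
    """List (entry, setting, change) for watched settings lost or weakened."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    findings = []
    for name, old in before.items():
        new = after.get(name, {})
        for key in WATCHED:
            if key in old and key not in new:
                findings.append((name, key, "removed"))
            elif key == "authentication" and key in old and old[key] != "none" and new[key] == "none":
                findings.append((name, key, old[key] + " -> none"))
    return findings

if __name__ == "__main__":
    print(*auth_regressions(BEFORE, AFTER), sep="\n")
```

Run it against backups taken immediately before and after the firmware change; an empty result means none of the watched settings changed in that section.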
