To be A CyberMan: Firewall Troubleshooting 3: OSPF Neighbor stuck in EXSTART/EXCHANGE state

Network Diagram
-----------------------------------------------------------------------------------------


Background
-----------------------------------------------------------------------------------------
The Network Infrastructure is: FortiGate SD-WAN with OSPF over IPSec
From Site, D 172.16.4.0/24 has the Call Center Software connected to Client E 172.16.5.0/24 Call Service.
You can check out how to set up SD-WAN on Fortigate on this youtube link:https://www.youtube.com/watch?v=JSYC0mqXnrg

Issue
-----------------------------------------------------------------------------------------
We notified that the calls from SiteD were of poor quality.
 
Troubleshoot
-----------------------------------------------------------------------------------------
The call quality issue usually related to the Network connection. So we start troubleshooting from the network connection.
    1. Test the network connection from Site D to Client E
        We are able to reach to Client E call service IP.

    2. Check Routing table on Client D site Firewall:

            FWSiteD # get router info routing-table all
            O E2 172.16.5.0/24 [110/1] via 172.16.4.251, SiteA, 6d02h41m
            [110/1] via 172.16.4.252, SiteB, 6d02h41m

            The firewall was not routing to Client E properly. The OSPF route was routing over the Site A and Site B tunnel. We wanted the network to route over the Site C tunnel.

    3. Check OSPF neighbor table on Client D site Firewall:
        Neighbor ID Pri State Dead Time Address Interface
        172.16.3.1 1 Exchange/ - 00:00:34 172.16.4.253 Site C
        172.16.1.1 1 Full/ - 00:00:40 172.16.4.251 Site A
        172.16.2.1 1 Full/ - 00:00:38 172.16.4.252 Site B

        We can see at the neighbor table the tunnel to Toronto was stuck in Exchange.
        In order to become an OSPF neighbor, the following values must be matched on both routers.
            Area ID
            Authentication
            Hello and Dead Intervals
            Stub Flag
            MTU Size

    4. Check OSPF status

        FWSiteD # get router info ospf status
        FWSiteD # get router info ospf interface

        After taking a look at the tunnel interfaces the MTU size was mismatched on either end of the tunnel:
         Site D: MTU 1422
         Site C: MTU 1438

Remediation
-----------------------------------------------------------------------------------------
The issue can be resolved by either configuring the same MTU on both OSPF interfaces or enabling MTU-ignore on the OSPF interface.
1) Configure MTU on the OSPF Interface to match the neighbor OSPF interface
    FWSiteD #config router ospf
    FWSiteD #config ospf-interface
    FWSiteD #edit OSPF1
    FWSiteD #set mtu 1438

After this change was made our neighbor state was changed to Full

 Neighbor ID Pri State Dead Time Address Interface
        172.16.3.1 1 Full/ - 00:00:34 172.16.4.253 Site C
        172.16.1.1 1 Full/ - 00:00:40 172.16.4.251 Site A
        172.16.2.1 1 Full/ - 00:00:38 172.16.4.252 Site B

The routing table now showed network 172.16.5.0/24 going over the Site C tunnel:

 O E2 172.16.5.0/24 [110/1] via 172.16.4.253, Site C, 0d00h32m
          
This fixed the call quality issues.


References:
-----------------------------------------------------------------------------------------
FortiGate CLI Reference
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/883627/router-info-ospf
OSPF Neighbor Problems Explained
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13699-29.html
OSPF Neighborship Condition and Requirement
https://www.computernetworkingnotes.com/ccna-study-guide/ospf-neighborship-condition-and-requirement.html
FortiGate Configuring SD-WAN with an IPSec VPN and OSPF over IPSec
https://www.youtube.com/watch?v=JSYC0mqXnrg
Troubleshooting Note: OSPF Neighbour stuck in EXSTART/EXCHANGE state
https://kb.fortinet.com/kb/documentLink.do?externalID=FD35341
FortiOS 6.0.0 Handbook: Troubleshooting OSPF
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/809463/troubleshooting-ospf
Troubleshooting tips for FortiOS routing (RIP, OSPF, BGP, static routes, ECMP)
https://kb.fortinet.com/kb/documentLink.do?externalID=FD31207

Comments

Post a Comment

Popular posts from this blog

To Be A CyberMan: Installing PfSense on a WatchGuard Firebox

Image
OX01 Preface My company recently upgraded its firewall to FortiGate Firewall.  They eliminated 3 of the licenses expired WatchGuard Firebox Firewalls. The WatchGuard FireBox models are XTM5 Series, M400, and M470. I was wondering if I can install the opensource Firewall application such as PfSense on FireBox to use as Testing Lab Environment. 0X02 Information      XTM5 Series comes with a 1GB CF card, free space is not enough for the lastest Pfsense,  need to add additional Hard Disk as PfSense system booting drive.     M400 comes with a 4 GB CF card, can use CF card as a PfSense system booting drive.     M470 comes with mSTAT SSD.  can SSD as a PfSense system booting drive. 0X03 Installing PfSense on M400 1. Preparation:           WatchGuard Firebox M400 Appliance          A USB Flash Drive          A CF Card USB reader          A co...
Read more

How I passed the CSX Fundamentals within one month

Image
  How I passed the CSX Fundamentals within one month Hi Guys, My name is Trevor Shi. I just passed the CSX within one month. I would like to share some experience maybe it will help you guys to prepare the exam. One of the funny things was, I used one month to learn it. But I spent the other one month to book the exam. I re-booked 5 times of exam as ISACA PSI online exam application has lots of issues.  I met every situation you can imagine. The first-time ISACA website down, the second-time they canceled my booked without excuse, the third-time application couldn't open, and the Fourth time was my fault, I just missed the exam. Finally, I got this certificate. We had a small group named CyberRookie, It just like an unorganized cyber knowledge self-studying group, we are trying to be more organized. So t he purpose of this article is as a guideline of the CyberRookie Project CSX certification learning method . A. The Cybersecurity Fundamentals Certific...
Read more

To Be A CyberMan: Set Up SFTP Server On Azure VM behind FortiGate Firewall

Image
1. Business request     S et up a file transfer server with public internet access.  2. security concern      The common ways are FTP, FTPS, or SFTP:     The FTPS requires applying the certificates to the FTP service,  So I deceived to go for SFTP.       SolarWinds SFTP & SCP Server is a Free SFTP server App. 3. Deployment     3.1  Set up SFTP on VM          Download the software to Server and install it                https://www.solarwinds.com/free-tools/free-sftp-server          Redirect the Root Directory           Create user to login           verify the SFTP service is running on localhost     3.2 Config Host firewall and  Azure NSG to allow SFTP service           Add Port 22 TCP into host firewall ...
Read more