FortiGate
sagha
Staff
Article Id 197883

Description
This article describes an issue where OSPF peering does not come up after a FortiOS upgrade.

This may be due to a change in the algorithm that calculates the MTU on IPsec interfaces: the calculation is now done with maximum efficiency, so MTU values can be higher than in previous versions.

The issue manifests as OSPF over an IPsec interface failing to form a neighborship with its peer because the MTU size is not the same on both sides.

Solution
The solution is either to set the MTU on the OSPF interface or to enable mtu-ignore on it, both under ‘config router ospf’.

1) Configure the MTU on the OSPF interface.

# config router ospf
    # config ospf-interface
        edit int_1
            set mtu xxxx     <----- Desired MTU size.
        next
    end
end

2) Enable mtu-ignore on the OSPF interface.

# config router ospf
    # config ospf-interface
        edit int_1
            set mtu-ignore enable
        next
    end
end

The current MTU on the OSPF interface can be verified with the command:

# get router info ospf interface
IKE is up, line protocol is up
  Internet Address 10.10.0.1/32, Area 0.0.0.0, MTU 1446
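
A post-upgrade check, added here as an example and not part of the original article: it parses `get router info ospf interface` output saved from both peers and reports interface pairs whose MTU differs. The sample captures, the function names and the use of the lower value as a common `set mtu` candidate are assumptions of this example.

```python
import re

# Constructed captures of `get router info ospf interface` from two peers.
# The line format follows the output shown above; the values are made up.
SITE_A = """\
IKE is up, line protocol is up
  Internet Address 10.10.0.1/32, Area 0.0.0.0, MTU 1446
port2 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0.0.0.0, MTU 1500
"""
SITE_B = """\
IKE is up, line protocol is up
  Internet Address 10.10.0.2/32, Area 0.0.0.0, MTU 1438
"""

HEADER = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
DETAIL = re.compile(r"Internet Address (\S+), Area (\S+), MTU (\d+)")

def parse_ospf_interfaces(text):
    """Map interface name -> {'up', 'address', 'area', 'mtu'} from CLI output."""
    result, current = {}, None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = head.group(1)
            result[current] = {"up": head.group(2) == "up" and head.group(3) == "up"}
            continue
        detail = DETAIL.search(line)
        if detail and current:
            result[current].update(address=detail.group(1), area=detail.group(2),
                                   mtu=int(detail.group(3)))
    return result

def mtu_mismatches(local_text, peer_text, pairs):
    """pairs: (local_if, peer_if) tuples that are expected to form an adjacency."""
    local, peer = parse_ospf_interfaces(local_text), parse_ospf_interfaces(peer_text)
    findings = []
    for local_if, peer_if in pairs:
        l_mtu = local.get(local_if, {}).get("mtu")
        p_mtu = peer.get(peer_if, {}).get("mtu")
        if l_mtu is None or p_mtu is None:
            findings.append({"pair": (local_if, peer_if), "status": "not-in-ospf"})
        elif l_mtu != p_mtu:
            # Lower value fits both ends: candidate for `set mtu` on both sides.
            findings.append({"pair": (local_if, peer_if), "status": "mismatch",
                             "local": l_mtu, "peer": p_mtu,
                             "candidate_mtu": min(l_mtu, p_mtu)})
    return findings
```

Calling `mtu_mismatches(SITE_A, SITE_B, [("IKE", "IKE")])` on the constructed captures reports the tunnel pair as a mismatch; an empty list means every listed pair advertises the same MTU.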