FortiGate
mtse
Staff
Article Id 191900

Description
This article describes why the sequence numbers of OSPF LSAs in the OSPF database may differ between FortiGates participating in the same OSPF area.

Solution
In OSPF, each router originates LSAs, each carrying a sequence number, and floods them through the OSPF area.
Each new instance of an LSA carries a sequence number incremented by one relative to the previous instance.

The same LSA should therefore show the same sequence number on every router in the area.
It is nevertheless possible to see different sequence numbers for the same LSA in OSPF databases captured on different FortiGates.

Example:

FortiGate 1

# get router info ospf database brief
                Router Link States (Area 10.11.0.0)
Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
10.10.20.11    10.10.20.11      583  8001968f 4136  0012 14
10.10.20.13    10.10.20.13      796  80017113 d7f2  0012 14
...
10.11.20.11   10.11.20.11       1498 8000262d 7cad  0012 17                 <----- seq nbr is different from FortiGate 2 below.
10.11.20.12   10.11.20.12       1754 800194f1 694a  0012 36                 <----- seq nbr is different from FortiGate 2 below.

FortiGate 2

# get router info ospf database brief
                Router Link States (Area 10.11.0.0)
Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
10.10.20.11    10.10.20.11      1171 8001968f 4136  0012 14
10.10.20.13    10.10.20.13      1384 80017113 d7f2  0012 14
10.11.20.11   10.11.20.11       275  8000262e 7aae  0012 17                 <----- seq nbr is different from FortiGate 1 above.
10.11.20.12   10.11.20.12       520  800194f2 674b  0012 36                 <----- seq nbr is different from FortiGate 1 above.

This is because, according to RFC 2328 (section 12.4), a new instance of an LSA is originated when the LSRefreshTime timer (30 minutes) expires.
The new instance's sequence number is the previous one incremented by one.

In other words, FortiGate 2 has received refreshed instances of those LSAs from the routers originating them.
FortiGate 1 has received the same refreshes as well; they are not visible above only because the OSPF database of FortiGate 2 was captured later, so the change is reflected only in the newer capture.

The time elapsed between the FortiGate 1 capture and the FortiGate 2 capture can also be deduced from the ages of the LSAs that were not refreshed, since the same LSA instance simply aged by that amount:

Example:

10.10.20.11    1171-583 = 588 seconds
10.10.20.13    1384-796 = 588 seconds

So the OSPF database of FortiGate 2 was captured about 588 seconds after that of FortiGate 1. During this period, some of the LSAs were refreshed (every 30 minutes, i.e. 1800 seconds), and these changes are reflected only in the later CLI capture from FortiGate 2.
Note also that the sequence numbers of the refreshed LSAs were each incremented by exactly one (e.g. 8000262d vs 8000262e) and that their age in the second capture is small (275 and 520 seconds), i.e. less than the 588 seconds between the captures, which is consistent with a refresh that happened between the two captures.
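The reasoning above can be automated. The following script is an added example and not part of the original article or of FortiOS: it parses the two `get router info ospf database brief` outputs shown above (embedded below as constructed sample input copied from the captures, the `...` rows omitted), derives the time between the captures from the LSAs whose sequence number did not change, and then checks each LSA whose sequence number did change: that it advanced by exactly one, that its new age fits inside the inter-capture window, and that the old instance was about LSRefreshTime (1800 s) old at the moment the new one was originated. That last check is one the article only implies: for 10.11.20.11 the old instance was 1498 s old at the first capture and the new one is 275 s old at the second capture, so the refresh happened 588 - 275 = 313 s after the first capture, when the old instance was 1498 + 313 = 1811 s old. The 120 s tolerance is an assumption, chosen to absorb one-second age granularity and InfTransDelay increments per hop.

```python
"""Explain Seq# differences between two OSPF database captures.

Added example (not from the article): feed it the Router-LSA rows of
`get router info ospf database brief` taken on two FortiGates.
"""
import re
import statistics
from dataclasses import dataclass

LS_REFRESH_TIME = 1800   # RFC 2328 Appendix B: LSRefreshTime = 30 minutes
REFRESH_TOLERANCE = 120  # assumption: slack for age granularity and InfTransDelay

# Link ID, ADV Router, Age, Seq#, CkSum; the Flag / Link count columns are ignored.
LSA_LINE = re.compile(
    r"^(?P<link_id>\d+(?:\.\d+){3})\s+(?P<adv>\d+(?:\.\d+){3})\s+"
    r"(?P<age>\d+)\s+(?P<seq>[0-9a-fA-F]{8})\s+(?P<cksum>[0-9a-fA-F]{1,4})"
)


@dataclass(frozen=True)
class Lsa:
    link_id: str
    adv_router: str
    age: int
    seq: int      # signed 32-bit, as RFC 2328 section 12.1.6 defines it
    cksum: int


def to_signed32(value):
    """Map the printed hex Seq# to the signed space 0x80000001..0x7fffffff,
    so that the wrap from 0xffffffff to 0x00000000 is still 'plus one'."""
    return value - 0x1_0000_0000 if value >= 0x8000_0000 else value


def parse_brief(text):
    """Parse the Router-LSA rows of `get router info ospf database brief`."""
    lsas = {}
    for line in text.splitlines():
        m = LSA_LINE.match(line.strip())
        if m is None:  # headers, '...', blank lines
            continue
        lsa = Lsa(m["link_id"], m["adv"], int(m["age"]),
                  to_signed32(int(m["seq"], 16)), int(m["cksum"], 16))
        lsas[(lsa.link_id, lsa.adv_router)] = lsa
    return lsas


def capture_offset(first, second):
    """Seconds between the captures, from LSAs that were NOT refreshed:
    the same instance simply aged by the time elapsed between captures."""
    deltas = [second[k].age - first[k].age
              for k in first.keys() & second.keys()
              if first[k].seq == second[k].seq]
    if not deltas:
        raise ValueError("no common unrefreshed LSA to derive the offset from")
    return statistics.median(deltas)


def explain_differences(first_text, second_text):
    """Return (offset_seconds, findings) where findings maps each LSA whose
    Seq# changed to the checks that show it was a normal timer refresh."""
    first, second = parse_brief(first_text), parse_brief(second_text)
    offset = capture_offset(first, second)
    findings = {}
    for key in sorted(first.keys() & second.keys()):
        old, new = first[key], second[key]
        if old.seq == new.seq:
            continue
        # Age of the old instance when the new one was originated; for a
        # timer-driven refresh this should land near LSRefreshTime.
        age_at_refresh = old.age + (offset - new.age)
        findings[key] = {
            "seq_plus_one": new.seq == old.seq + 1,
            "originated_between_captures": 0 <= new.age <= offset,
            "age_at_refresh": age_at_refresh,
            "timer_refresh": abs(age_at_refresh - LS_REFRESH_TIME) <= REFRESH_TOLERANCE,
        }
    return offset, findings


# Constructed sample input: the two captures from the article, '...' rows omitted.
FORTIGATE_1 = """\
                Router Link States (Area 10.11.0.0)
Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
10.10.20.11    10.10.20.11      583  8001968f 4136  0012 14
10.10.20.13    10.10.20.13      796  80017113 d7f2  0012 14
10.11.20.11   10.11.20.11       1498 8000262d 7cad  0012 17
10.11.20.12   10.11.20.12       1754 800194f1 694a  0012 36
"""
FORTIGATE_2 = """\
                Router Link States (Area 10.11.0.0)
Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
10.10.20.11    10.10.20.11      1171 8001968f 4136  0012 14
10.10.20.13    10.10.20.13      1384 80017113 d7f2  0012 14
10.11.20.11   10.11.20.11       275  8000262e 7aae  0012 17
10.11.20.12   10.11.20.12       520  800194f2 674b  0012 36
"""

if __name__ == "__main__":
    offset, findings = explain_differences(FORTIGATE_1, FORTIGATE_2)
    print(f"second capture taken {offset:.0f} s after the first")
    for (link_id, adv), f in findings.items():
        verdict = "timer refresh" if all(f[k] for k in ("seq_plus_one", "originated_between_captures", "timer_refresh")) else "UNEXPECTED"
        print(f"{link_id} from {adv}: old instance was {f['age_at_refresh']:.0f} s old when refreshed -> {verdict}")
```

Any LSA that fails `seq_plus_one` (a jump of more than one) or `timer_refresh` (re-originated long before 1800 s) is worth a closer look, since that points to a topology change or a router restart rather than the routine refresh the article describes.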

Related link:

RFC 2328, OSPF Version 2: https://tools.ietf.org/html/rfc2328