subramanis
Staff
Article Id 198551

Description
OSPF6 adjacencies will not form when the IPv6-enabled interface is in a different VRF (example: VRF = 10) than the default VRF = 0.

Solution
Interface Configuration.

# config system interface
    edit "wan2"
        set vdom "root"
        set vrf 10                                             <----- Interface is moved to different VRF than default VRF = 0.
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set role wan
        set snmp-index 2
        # config ipv6
            set ip6-address fd00:0:0:10::1/64
            set ip6-allowaccess ping
        end
    next
end

OSPF6 configuration.

# config router ospf6
    set router-id 2.2.2.2
    # config area
        edit 0.0.0.0
        next
    end
    # config ospf6-interface
        edit "wan2"
            set interface "wan2"
            set dead-interval 40
            set hello-interval 10
        next
    end
end

# get router info6 ospf status
 Routing Process "OSPFv3 (root)" with ID 2.2.2.2
 Process uptime is 33 minutes
 SPF schedule delay 5 secs, Hold time between SPFs 10 secs
 Minimum LSA interval 5 secs, Minimum LSA arrival 1 secs
 Number of incomming current DD exchange neighbors 0/5
 Number of outgoing current DD exchange neighbors 0/5
 Number of external LSA 0. Checksum Sum 0x0000
 Number of AS-Scoped Unknown LSA 0
 Number of LSA originated 52
 Number of LSA received 78
 Number of areas in this router is 1
    Area BACKBONE(0) (Inactive)                                <----- OSPF status is inactive.
        Number of interfaces in this area is 0(1)
        SPF algorithm executed 44 times
        Number of LSA 0.  Checksum Sum 0x0000
        Number of Unknown LSA 0

The problem is that the IPv6 global routing table does not contain two VRFs, which prevents OSPF6 from forming an adjacency, whereas the IPv4 routing table does contain two VRFs.

# get router info routing-table details
Routing table for VRF=0
C       10.5.48.0/20 is directly connected, wan1
S       172.0.0.0/8 [10/0] via 10.5.63.254, wan1

Routing table for VRF=10
C       10.10.10.0/24 is directly connected, wan2

# get router info6 routing-table
C       ::1/128 via ::, root, 02w1d12h
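
The combination described above (an OSPF6 interface that carries an IPv6 address and sits in a non-default VRF) can be looked for in a configuration backup. The following is an added example, not Fortinet code: `parse_fortios` and `ospf6_vrf_mismatches` are hypothetical helper names, the sample configuration is constructed, and the parser assumes a well-formed backup in which every `config` has its `end` and every `edit` its `next`.

```python
# Constructed sample in the style of the configuration on this page.
SAMPLE_CONFIG = """
config system interface
    edit "wan2"
        set vrf 10            <----- non-default VRF
        config ipv6
            set ip6-address fd00:0:0:10::1/64
        end
    next
end
config router ospf6
    config ospf6-interface
        edit "wan2"
            set interface "wan2"
        next
    end
end
"""

def parse_fortios(text):
    """Map each config/edit path (a tuple) to its 'set' keys and values."""
    ctx, settings = [], {}
    for raw in text.splitlines():
        # Drop '<-----' annotations and the '#' prompt used in KB listings.
        words = raw.split("<--")[0].strip().lstrip("# ").split(None, 2)
        if not words:
            continue
        if words[0] == "config":
            ctx.append(" ".join(words[1:]))
        elif words[0] == "edit" and len(words) > 1:
            ctx.append(words[1].strip('"'))
        elif words[0] in ("next", "end") and ctx:
            ctx.pop()  # 'next' closes an edit, 'end' closes a config
        elif words[0] == "set" and len(words) == 3:
            settings.setdefault(tuple(ctx), {})[words[1]] = words[2].strip('" ')
    return settings

def ospf6_vrf_mismatches(text):
    """List (interface, vrf) for OSPF6 interfaces with IPv6 in a non-zero VRF."""
    cfg, findings = parse_fortios(text), []
    for path, vals in cfg.items():
        if len(path) != 3 or path[:2] != ("router ospf6", "ospf6-interface"):
            continue
        name = vals.get("interface", path[2])
        vrf = int(cfg.get(("system interface", name), {}).get("vrf", 0))
        has_v6 = "ip6-address" in cfg.get(("system interface", name, "ipv6"), {})
        if vrf != 0 and has_v6:
            findings.append((name, vrf))
    return findings
```

A non-empty result only identifies interfaces that match the configuration in this article; whether the adjacency actually fails depends on the firmware version running on the device.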

Solution 1: Move the IPv6 interface to the default VRF=0.

# config system interface
    edit "wan2"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set role wan
        set snmp-index 2
        # config ipv6
            set ip6-address fd00:0:0:10::1/64
            set ip6-allowaccess ping
        end
    next
end

# get router info6 ospf status
 Routing Process "OSPFv3 (root)" with ID 2.2.2.2
 Process uptime is 47 minutes
 SPF schedule delay 5 secs, Hold time between SPFs 10 secs
 Minimum LSA interval 5 secs, Minimum LSA arrival 1 secs
 Number of incomming current DD exchange neighbors 0/5
 Number of outgoing current DD exchange neighbors 0/5
 Number of external LSA 0. Checksum Sum 0x0000
 Number of AS-Scoped Unknown LSA 0
 Number of LSA originated 55
 Number of LSA received 83
 Number of areas in this router is 1
    Area BACKBONE(0)
        Number of interfaces in this area is 1(1)
        SPF algorithm executed 46 times
        Number of LSA 4.  Checksum Sum 0x1BCA2
        Number of Unknown LSA 0

Solution 2: Upgrade the firmware to a supported version.

Version: FortiGate-80E v7.0.1,build0157,210714 (GA).
# config system interface
    edit "wan2"
        set vdom "root"
        set vrf 10                                             <----- Interface in VRF=10.
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set role wan
        set snmp-index 2
        # config ipv6
            set ip6-address fd00:0:0:10::1/64
            set ip6-allowaccess ping
        end
    next
end

# get router info6 ospf
Routing Process "OSPFv3 (vrf10)" with ID 2.2.2.2
 Process uptime is 2 minutes
 SPF schedule delay 5 secs, Hold time between SPFs 10 secs
 Minimum LSA interval 5 secs, Minimum LSA arrival 1 secs
 Number of incomming current DD exchange neighbors 0/5
 Number of outgoing current DD exchange neighbors 0/5
 Number of external LSA 0. Checksum Sum 0x0000
 Number of AS-Scoped Unknown LSA 0
 Number of LSA originated 3
 Number of LSA received 5
 Number of areas in this router is 1
    Area BACKBONE(0)                                           <----- OSPF status is active.
        Number of interfaces in this area is 1(1)
        SPF algorithm executed 3 times
        Number of LSA 3.  Checksum Sum 0x16353
        Number of Unknown LSA 0

After upgrading the firmware to 7.0.1, the global routing table now contains two VRFs.

# get router info6 routing-table
Routing table for VRF=0
C       ::1/128 via ::, root, 00:06:51

Routing table for VRF=10
C       fd00::10:0:0:0:0/64 via ::, wan2, 00:04:40
C       fe80::/64 via ::, wan2, 00:04:40



