
Cisco 3850 To Fortigate 60E OSPF Connection Via EtherChannel

xxsamixx18
Level 1

Hi,

I am trying to set up a connection via OSPF between my Cisco 3850 layer 3 switch and my FortiGate 60E firewall through OSPF, but it's not working. Has anyone done it before? I pasted my configuration below. Note: if you see a misconfiguration, it is just me trying different things to make it work; so far no luck.

!
interface Port-channel1
no switchport
ip address 10.240.240.2 255.255.255.252
ip pim sparse-mode
ip ospf authentication-key 7 121A0A05430E470524
ip ospf dead-interval 40
ip ospf mtu-ignore
ip ospf 901 area 0
ip ospf cost 10
ipv6 address 2001:4000:FD60:C10:240:240::/64
ipv6 enable
ipv6 ospf 900 area 0
ipv6 ospf cost 10
end

ITS-Core-BS1#sh run int gi1/1/1
Building configuration...

Current configuration : 141 bytes
!
interface GigabitEthernet1/1/1
description Link To FW-60E
no switchport
no ip address
ip ospf 901 area 0
channel-group 1 mode on
end

ITS-Core-BS1#sh run int gi1/1/2
Building configuration...

Current configuration : 113 bytes
!
interface GigabitEthernet1/1/2
no switchport
no ip address
ip ospf 901 area 0
channel-group 1 mode on
end

config router ospf
set router-id 10.10.0.10
config area
edit 0.0.0.0
next
end

router ospf 901
router-id 10.10.0.100
network 10.10.0.100 0.0.0.0 area 0
network 10.240.240.0 0.0.0.3 area 0



config ospf-interface
edit "CISCO-OSPF"
set interface "Port-Channel 1"
set authentication text
set authentication-key ENC 6EAg4vNk5Wh/bE4QWTApWGmCT3ON8WS+ViZMeWRJRJKvpctlqD2hB+08d5uXP1SsqbPQuaWiipuqrSjUGR/j8BuEH4eOPKm8VdyV7rg8Dsq60cLGXpKKURqqUMkASLOy4Q12gtFE4V+KHtGxvXvostmzBumFcunBP1DuRIgPL2e9i4AKQvbXT4ghEy+AsRnk0whWGg==
set cost 10
set dead-interval 40
set hello-interval 10
set mtu-ignore enable
next
edit "Loop"
set interface "FW OSPF Loop"  <<< Passive enabled
set cost 10
set dead-interval 40
set hello-interval 10
next
end
config network
edit 1
set prefix 10.240.240.0 255.255.255.252
next
edit 2
set prefix 10.10.0.10 255.255.255.255
next
end

3 Replies

Leo Laohoo
Hall of Fame

For the sake of troubleshooting, I'd remove the OSPF authentication because it is in a broken state (and serves no purpose).

conf t
router ospf 901
 NO passive-interface Po1
end

Next, I'd run a debug from the switch.  

1.  Disable the port.

2.  Command: debug ip ospf events

3.  Enable the port

4.  Wait for 45 seconds worth of output and disable the debug (undebug all).

5.  Put the output from Step 4 into a text file and attach it.
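
An added example, not part of the thread or of either vendor's tooling: a small Python check that reads the interface-level OSPF lines from both configurations posted above and reports the parameters that must agree for an adjacency (authentication type, hello and dead intervals). The default values, the function names and the `<key>` placeholders are assumptions, and area-level authentication under `router ospf` is not inspected.

```python
import re

# Constructed sample: interface-level OSPF lines from the thread, keys replaced by <key>.
CISCO = """interface Port-channel1
 ip ospf authentication-key 7 <key>
 ip ospf dead-interval 40
 ip ospf mtu-ignore
 ip ospf 901 area 0
"""
FORTIGATE = """edit "CISCO-OSPF"
 set interface "Port-Channel 1"
 set authentication text
 set authentication-key ENC <key>
 set dead-interval 40
 set hello-interval 10
 set mtu-ignore enable
"""
# Assumed defaults on both platforms: no authentication, hello 10 s, dead = 4 x hello.
DEFAULTS = {"auth": "none", "hello": 10, "dead": None, "mtu_ignore": False}

def parse_cisco(cfg):
    p = dict(DEFAULTS)
    for line in map(str.strip, cfg.splitlines()):
        # "ip ospf authentication-key" only stores a key; this line sets the type.
        if m := re.fullmatch(r"ip ospf authentication(?: (message-digest|null))?", line):
            p["auth"] = {"message-digest": "md5", "null": "none", None: "text"}[m.group(1)]
        elif m := re.fullmatch(r"ip ospf (hello|dead)-interval (\d+)", line):
            p[m.group(1)] = int(m.group(2))
        elif line == "ip ospf mtu-ignore":
            p["mtu_ignore"] = True
    p["dead"] = p["dead"] or 4 * p["hello"]
    return p

def parse_fortigate(cfg):
    p = dict(DEFAULTS)
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"set authentication (\S+)", line):
            p["auth"] = {"message-digest": "md5"}.get(m.group(1), m.group(1))
        elif m := re.fullmatch(r"set (hello|dead)-interval (\d+)", line):
            p[m.group(1)] = int(m.group(2))
        elif m := re.fullmatch(r"set mtu-ignore (enable|disable)", line):
            p["mtu_ignore"] = m.group(1) == "enable"
    p["dead"] = p["dead"] or 4 * p["hello"]
    return p

def mismatches(a, b):
    # Return {parameter: (a_value, b_value)} for settings both neighbours must share.
    return {k: (a[k], b[k]) for k in ("auth", "hello", "dead") if a[k] != b[k]}
```

Calling `mismatches(parse_cisco(CISCO), parse_fortigate(FORTIGATE))` on the sample reports the authentication type as the only difference: the switch side carries a key but no line enabling authentication, while the FortiGate side is set to `text`.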

Hello


@xxsamixx18 wrote:

 

interface Port-channel1
no switchport
ip address 10.240.240.2 255.255.255.252
ip ospf 901 area 0
ip ospf cost 10
ipv6 address 2001:4000:FD60:C10:240:240::/64
ipv6 enable
ipv6 ospf 900 area 0
ipv6 ospf cost 10


router ospf 901
router-id 10.10.0.100

You have OSPFv2-3 running so would expect your cfg to accommodate both versions?

ip routing
ipv6 unicast-routing
router ospfv3 901
address-family ipv4 unicast
router-id 10.10.0.100
exit-address-family
address-family ipv6 unicast
router-id 10.10.0.100
exit-address-family



Kind Regards
Paul

ip routing and ipv6 unicast-routing are enabled