OSPF error

RouterOS Forwarding Protocols
1

Greetings,

I configured 4 routers using the same OSPF configuration.

router1 - 192.168.10.254
router2 - 192.168.10.225
router3 - 192.168.10.245
router4 - another network on router1

router3 was working fine, until I made a firmware upgrade on the routerboard.
Yesterday, I made another upgrade on all routers to version 6.28, but the problem on this routerboard was still there.

Apr 24 14:33:45 mkt-router1 Discarding packet: wrong authentication type
Apr 24 14:33:45 mkt-router1     mine=cryptographic authentication
Apr 24 14:33:45 mkt-router1     message=null authentication
Apr 24 14:33:45 mkt-router1     source=192.168.10.245
Apr 24 14:33:45 mkt-router2 Discarding packet: wrong authentication type
Apr 24 14:33:45 mkt-router2     mine=cryptographic authentication
Apr 24 14:33:45 mkt-router2     message=null authentication
Apr 24 14:33:45 mkt-router2     source=192.168.10.245
Apr 24 14:33:46 mkt-router1 OSPFv2 neighbor 192.168.10.245: state change from ExStart to Init
Apr 24 14:33:46 mkt-router2 OSPFv2 neighbor 192.168.10.245: state change from Full to Init
Apr 24 14:33:54 mkt-router1 Ignoring Link State Acknowledgment packet: wrong peer state
Apr 24 14:33:54 mkt-router1     state=ExStart
Apr 24 14:34:04 mkt-router3 Ignoring Link State Acknowledgment packet: wrong peer state
Apr 24 14:34:04 mkt-router3     state=ExStart
Apr 24 14:34:33 mkt-router1 OSPFv2 neighbor 192.168.10.245: state change from ExStart to 2-Way
Apr 24 14:34:33 mkt-router3 OSPFv2 neighbor 192.168.10.254: state change from ExStart to 2-Way
Apr 24 14:35:13 mkt-router1 OSPFv2 neighbor 192.168.10.245: state change from ExStart to 2-Way
Apr 24 14:35:13 mkt-router3 OSPFv2 neighbor 192.168.10.254: state change from ExStart to 2-Way
Apr 24 14:35:53 mkt-router1 OSPFv2 neighbor 192.168.10.245: state change from ExStart to 2-Way
Apr 24 14:35:53 mkt-router3 OSPFv2 neighbor 192.168.10.254: state change from ExStart to 2-Way
Apr 24 14:36:33 mkt-router1 OSPFv2 neighbor 192.168.10.245: state change from ExStart to 2-Way
Apr 24 14:36:33 mkt-router3 OSPFv2 neighbor 192.168.10.254: state change from ExStart to 2-Way
Apr 24 14:37:13 mkt-router1 OSPFv2 neighbor 192.168.10.245: state change from ExStart to 2-Way
Apr 24 14:37:13 mkt-router3 OSPFv2 neighbor 192.168.10.254: state change from ExStart to 2-Way

Any ideas?
Thank you!

2

If you haven’t made any other changes other than a code upgrade then you may be looking at a bug.

Two things I would try to stabilize it are:

  1. Turn off authentication, if enabled and ensure the settings match on each side
  2. Going from EXSTART to 2-WAY back and forth can be a sign of MTU mismatch. Verify that L3 MTU values are the same for the subnet you are forming the adjacency on.
3

Hello, I already removed the ospf configuration of the 4 routers and reconfigured from scratch. Same issue.
Now I followed your suggestion and tested without authentication, but the issue stills there.

A bit unrelated: I tested with RIPv2 between the 4 routers and it is working as expected.

The interface MTU are the default values on all routers: MTU 1500 / L2 MTU 1598. I’m not using any tunnel or vlan configuration.

Thank you

4

Have you tried rolling back to 6.27 with the exact same config?

5

I don't really remember what versions I was using, but let's say that:

I was running version 6.14 and configured ospf. Working without any issues.
Then I upgraded the 4 routers to version 6.22 and ospf broke on router3.

After a while, I tried to upgrade to version 6.24 or 26 just to check if the problem was fixed without any success.

Yesterday, I upgraded all the routers to version 6.28 just as a new try and reconfigured from scratch. removed all the rules from ospf and started again (all routers). Same issue

Just wondering, on my log messages, I can see:

Apr 24 14:33:45 mkt-router2 Discarding packet: wrong authentication type
Apr 24 14:33:45 mkt-router2     mine=cryptographic authentication
Apr 24 14:33:45 mkt-router2     message=null authentication
Apr 24 14:33:45 mkt-router2     source=192.168.10.245

Is the router failling to send the correct authentication?

\

Since RIPv2 worked without any issues, I guess that I will just leave ospf for now and downgrade to RIP :stuck_out_tongue:
ospf really sounds nice, but my installation is quite small, I'm mostly using dynamic routing because I'm lazy lol.

A bit offtopic: I know that for RIPv2 you can sniff the network to grab the md5 key and them craft some rip packets and inject routes on the routers. Does ospf suffers from the same problem? For what I can see on routeros, their authentication method is almost the same.
I know that ospf is way fancier than ripv2, but in terms of security? are they the same?

Thank you.

6

Can you post your ospf config for each of the routers?

Assuming there are no config issues, I would go back to somewhere around 6.19. This has been a very stable code for most of the routing protocols.

7

I have ospf working on 6.27, the new 6.28 broke everything for me. Rolling back is good if its working.

8

Hi,

what happen when you upgrade to 6.28 ?

9

initially all went well with upgrading, after like 24 hrs, we had issues with a router, and restarting it we lost connection, this did not work till we restarted another one and it was like that for most of the time and eventually most of our links were down, the only way to bring them back were to restart manually with power on off, so we started downgrading one by one and everything is stable as it was before till now.

10

Just noticed this thread. I can confirm something is wrong with OSPF or some protocol in v6.28.

http://forum.mikrotik.com/t/v6-28-ospf-bgp-mpls-bug/87890/1