Guys,
We are working for a financial institution and using more then 800 Mikrotik Routers as Branch End devices. Recently we have upgraded some of the router IOS from 5.20 to 6.28 and 6.29 and we are facing issues with OSPF adjacency. The problem is that OSPF get stuck in EXSTART state and never become full. We are using GRE OVER IPSEC tunnels and running OSPF through it. However when we manually disable and enable the tunnels they start to for adjacency but when the router is rebooted they again get stuck in EXSTART state. We also observed that when we change the mtu to 1300 on both Mikrotik and Cisco Router routers, this problem gets solved. The confusing part is that the mtu and other capabilities are exchanged during EXCHANGE state of OSPF not in EXSTART but due to some strange reasons OSPF gets stuck in EXSTART state. We never encountered such problem with IOS 5.20 and are successfully running the project from last 5 years over those IOS without any OSPF related problems.
The reasons we wanted to upgrade to 6.28 or 6.29 is that we now need SNMP v3 and the older IOS (below 6.28) doesnt support AES encryption only supports DES which is weak.
Please suggest if their is any other way to resolve the issue as changing mtu on 3000 tunnels is not a practical way and theoretically as i said if MTU is mismatched OSPF should stuck at EXCHANGE state not at EXSTART.

is it possible, that OSPF would try to start _before_ tunnels came up? If so, maybe a netwatch would (ugly) workaround this with disable/enable ospf interface when tunnel starts.

Yes it is possible but the point is we have the solution which is also ugly to change MTU on both Hub (cisco) and Spokes (Mikrotik) sites but why should we do that when mtu doesnt have anything to do with OSPF hung in EXSTART state. Also everything was working fine till we were using IOS 5.20 problem starts when we update to IOS 6.28 and 6.29.

I can see several ways in which OSPF will appear to stick at EX START with MTU issues.

The jump from 5.20 to 6.28/29 of ROS (not IOS) is quite a jump so I suggest that you:

a) use the identified work around
b) upload fuller configs for an examination of what is really going on

Did anyone figure this one out?

I'm running into the same problem. Even upgraded the routers to the most recent build (v6.30.1). I also have a ticket open with MikroTik support now (#2015071766000448).

Seems that the adjacency forms between the routers, but then goes out over time. Sort of like the hello packets aren't being received by one of the ends or not always getting replied to or sent by the routers.

This is very odd as I have an extremely simple configuration on these routers, just a basic edge router without any special features on it.

I'd really appreciate any help on this. If I get the solution I will be sure to post for others out there that may be running into the same problem.

We identified that the problem is the new field "actual mtu" with gre tunnels in the newer IOS. We downgraded to IOS like 6.18 and the issue automatically resolved. If you have to use new IOS then u need to match the mtu on both branch and aggregation routers manually. In my case we have 1000 plus spokes and that was not an option on a financial network

Thank you very much for the response.

I have more information regarding this problem as I am not using GRE links here. It appears that most of the OSPF Hello packets are being dropped where-as sometimes (about every 15 minutes) they do arrive properly. I'm trying my best to debug this now.

Thank you very much for the response.

I have more information regarding this problem as I am not using GRE links here. It appears that most of the OSPF Hello packets are being dropped where-as sometimes (about every 15 minutes) they do arrive properly. I'm trying my best to debug this now.

Can you please tell about ur topology ?? also please talk to the ISP about this issue. We had similar problems with OSPF that hello packets are sent from branch router but not received on hub but it was working fine the otherway around. Talked to ISP and they fixed that!!

I'm trying to troubleshoot the problem. However, the issue is that I control the upstream routers as well. I've seen these issues before with carriers, it's just that now I have to figure out how to find where the traffic is getting dropped. Might be a little difficult, but I'll figure it out.

Thanks again for the reply. It's much appreciated.