OSPF neighbour relationships are the foundation of any OSPF network. When routers fail to form an adjacency, traffic can be blackholed or suboptimal paths may be used. This guide walks through the systematic troubleshooting of OSPF neighbour issues using real Cisco IOS commands. You'll learn to verify interface states, check OSPF configuration parameters, diagnose authentication mismatches, and resolve MTU problems. Each step includes actual CLI output and configuration snippets to mirror real-world scenarios. Whether you're preparing for the CCNA, ENCOR, or ENSARI exam, mastering these techniques is essential for network engineers.
Verify Interface and IP Connectivity
Start by confirming that the physical and data-link layers are operational. Use 'show interfaces' to check if the interface is up/up and 'show ip interface brief' for a quick status overview. Then ping the neighbour's IP address to ensure Layer 3 reachability. If the ping fails, troubleshoot cabling, VLAN assignment, or IP addressing issues first.
Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.1 YES NVRAM up up
Router# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)Always check the 'Protocol' column — if it's 'down', there's a Layer 1 or 2 issue.
Do not proceed until ping succeeds. OSPF cannot form without IP connectivity.
Check OSPF Neighbour State
Use 'show ip ospf neighbor' to view the current neighbour state. A full adjacency should show 'FULL/DR' or 'FULL/BDR' on broadcast networks, or 'FULL/-' on point-to-point links. If the state is stuck in INIT, 2WAY, EXSTART, or EXCHANGE, there is a specific problem to address.
Router# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.0.0.2 1 INIT/DR 00:00:32 192.168.1.2 GigabitEthernet0/0If you see no neighbours at all, verify OSPF is enabled on the interface with 'show ip ospf interface'.
A state of 'DOWN' means OSPF is not receiving any Hello packets — check multicast or ACL filters.
Verify OSPF Hello and Dead Timer Consistency
OSPF neighbours must agree on Hello and Dead intervals. Use 'show ip ospf interface GigabitEthernet0/0' to display the configured timers. Compare them with the neighbour's settings. Mismatched timers will prevent adjacency formation. The default Hello timer is 10 seconds on broadcast networks and 30 seconds on non-broadcast.
Router# show ip ospf interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
Internet Address 192.168.1.1/24, Area 0
Process ID 1, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 10.0.0.1, Interface address 192.168.1.1
Backup Designated router (ID) 10.0.0.2, Interface address 192.168.1.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5Use 'ip ospf hello-interval' and 'ip ospf dead-interval' under the interface to adjust timers.
Changing timers on a production network can cause temporary outages — plan a maintenance window.
Check OSPF Area and Network Type Mismatches
Both routers must be in the same OSPF area and have compatible network types. Use 'show ip ospf interface' to verify the area ID and network type. Common mismatches include one side configured as point-to-point and the other as broadcast. Use 'ip ospf network point-to-point' to align them if needed.
Router# show ip ospf interface GigabitEthernet0/0 | include Area|Network Type
Internet Address 192.168.1.1/24, Area 0
Process ID 1, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 1On point-to-point links, setting 'ip ospf network point-to-point' eliminates DR/BDR election and speeds up convergence.
Mismatched network types (e.g., broadcast vs. non-broadcast) will cause neighbours to stay in EXSTART/EXCHANGE.
Verify OSPF Authentication Configuration
If authentication is configured, both sides must use the same authentication type and key. Use 'show ip ospf interface' to check if authentication is enabled. For MD5 authentication, verify the key ID and key string match. Use 'debug ip ospf adj' to see authentication failures in real time.
Router# show ip ospf interface GigabitEthernet0/0 | include auth
Simple password authentication enabled
Router# debug ip ospf adj
OSPF adjacency debugging is on
*Mar 1 00:05:23.123: OSPF: Rcv pkt from 192.168.1.2, GigabitEthernet0/0 : Mismatch Authentication type. Input packet specified type 1, we use type 0Always use 'key chain' with MD5 authentication for better security and key rotation.
Authentication mismatches are silent — no error log unless debugging is enabled.
Check MTU and IP MTU Consistency
OSPF uses the interface MTU to determine the maximum packet size during the Database Description (DBD) exchange. If MTUs differ, the adjacency will stall in EXSTART/EXCHANGE. Use 'show interfaces' to verify MTU on both sides. The default MTU on Cisco IOS is 1500 bytes. Use 'ip mtu' to adjust if necessary.
Router# show interfaces GigabitEthernet0/0 | include MTU
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
Router# show ip ospf neighbor 192.168.1.2 detail | include State
Neighbor 10.0.0.2, interface address 192.168.1.2
State: EXSTART/DRA neighbour stuck in EXSTART/EXCHANGE is almost always an MTU mismatch — check both sides.
Changing MTU on a live interface may cause fragmentation issues for other protocols.
Review OSPF Router ID and Process ID
Each OSPF router must have a unique Router ID. Use 'show ip ospf' to display the Router ID. If two routers share the same ID, OSPF will not form an adjacency. The Router ID is chosen from the highest loopback IP or highest active interface IP. Use 'router-id' under the OSPF process to manually set it.
Router# show ip ospf
Routing Process "ospf 1" with ID 10.0.0.1
Start time: 00:01:23.456, Time elapsed: 2w3d
Router# configure terminal
Router(config)# router ospf 1
Router(config-router)# router-id 10.0.0.3
Router(config-router)# end
Router# clear ip ospf processAlways configure a loopback interface with a unique IP as the Router ID for stability.
Changing the Router ID requires a 'clear ip ospf process' which resets all adjacencies.
Key tips
Use 'debug ip ospf adj' sparingly in production — it can spike CPU usage. Always set a 'debug timestamp' first.
Keep a baseline of 'show ip ospf neighbor' output during normal operations to quickly spot anomalies.
On multi-access networks, ensure the DR and BDR have the highest priorities using 'ip ospf priority'.
If OSPF neighbours keep flapping, check for duplex mismatches or errors on the interface with 'show interfaces counters errors'.
Use 'show ip ospf database' to verify that LSAs are being exchanged correctly after adjacency forms.
For exam scenarios, remember that OSPF neighbour states follow a strict progression: DOWN -> INIT -> 2WAY -> EXSTART -> EXCHANGE -> LOADING -> FULL.
Frequently asked questions
Why is my OSPF neighbour stuck in INIT state?
The INIT state means your router has received a Hello packet from the neighbour but the neighbour has not seen your Hello. This usually indicates a unicast reachability issue or an ACL blocking multicast (224.0.0.5). Verify that 'ip ospf hello-interval' matches and that no inbound ACL is dropping OSPF packets.
What causes OSPF neighbours to stay in 2WAY state?
The 2WAY state is normal on broadcast networks for non-DR/BDR routers. If you expect a FULL adjacency, check that the interface network type is not set to 'non-broadcast' or 'point-to-multipoint'. On point-to-point links, neighbours should transition directly to FULL.
How do I fix an OSPF MTU mismatch?
First, identify the MTU on both interfaces using 'show interfaces'. If they differ, configure the same MTU on both sides using 'ip mtu <value>' under the interface. After changing MTU, clear the OSPF process with 'clear ip ospf process' to re-establish the adjacency.
Can OSPF work across a firewall?
Yes, but you must permit OSPF traffic: IP protocol 89 for OSPF, or multicast addresses 224.0.0.5 (all OSPF routers) and 224.0.0.6 (DR/BDR). Some firewalls require you to allow OSPF as a protocol rather than a port. Also ensure that the firewall does not fragment OSPF packets.
What is the difference between OSPFv2 and OSPFv3?
OSPFv2 is used for IPv4 networks and uses IP protocol 89 with multicast addresses 224.0.0.5 and 224.0.0.6. OSPFv3 supports IPv6 and uses link-local addresses for neighbour discovery. OSPFv3 also uses different LSA types and has a different packet format. Both versions can run simultaneously on the same interface.
Related glossary terms
Dynamic route
A route that is automatically learned and updated by a router using a routing protocol, rather than being manually configured.
Bash script
A Bash script is a text file containing a sequence of commands for the Unix shell Bash, allowing users to automate repetitive tasks and streamline system administration on Linux and macOS.
File Transfer Protocol
File Transfer Protocol (FTP) is a standard network protocol used to transfer files between a client and a server over a TCP/IP network.
Public IP address
A globally unique IP address assigned to a device that allows it to communicate directly over the internet.
Persistent Disk
Persistent Disk is a durable, high-performance block storage service for Google Cloud virtual machines that retains data even after the VM is shut down or deleted.
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is a flexible authentication framework used in network access control, particularly in wireless and point-to-point connections, that supports multiple authentication methods without requiring changes to the underlying protocol.
Practice with real exam questions
Apply what you just learned with exam-style practice questions.