OSPF auth sequence number mismatch is seen

Article ID: 384901

Products

VMware NSX VMware NSX-T Data Center

Issue/Introduction

  • The following log message was seen on a network device running OSPF as a neighbor of the NSX edge.
  • The exact wording of the message varies by network device.

YYYY-MM-DDTHH:MM:SS ospf default [#####]: TID #####:ospfv2_verify_authentication:250:(###############) Mismatch in authentication sequence in packet from ###.###.###.### on Vlan###, has 0x########, ours was 0x########!

  • Packet captures revealed that packets are re-ordered at EDGE uplink/datapath interfaces.
  • The OSPF neighborship flaps when the network device detects a sequence number mismatch in consecutive OSPF HELLO packets. The exact count depends on the OSPF timer configuration: with the dead interval set to 4 times the hello interval, the neighborship flaps once the device has received 4 consecutive OSPF HELLO packets with mismatched sequence numbers.
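As an added example (not from the article, FRR or NSX), the following Python routine turns the message above into a detection: it parses each mismatch line, groups events per neighbor and interface, and flags peers for which the number of mismatches inside one dead interval reaches the dead/hello ratio described in the last bullet. The log lines, addresses (RFC 5737 documentation range) and hex sequence values are constructed, and the default timers (10 s hello, 40 s dead) are assumptions to be replaced with the interface's real values.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Matches the FRR ospfv2_verify_authentication message quoted above, with the
# ISO timestamp (YYYY-MM-DDTHH:MM:SS) the article shows at the start of the line.
MISMATCH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}).*"
    r"Mismatch in authentication sequence in packet from "
    r"(?P<neighbor>\d{1,3}(?:\.\d{1,3}){3}) on (?P<ifname>[^,\s]+), "
    r"has 0x(?P<rx_seq>[0-9a-fA-F]+), ours was 0x(?P<our_seq>[0-9a-fA-F]+)!"
)


@dataclass
class Mismatch:
    ts: datetime
    neighbor: str
    ifname: str
    rx_seq: int   # sequence number carried in the rejected packet ("has")
    our_seq: int  # highest sequence number already accepted from that neighbor ("ours")


def parse_mismatch(line: str) -> Optional[Mismatch]:
    """Return the parsed event, or None for lines that are not this message."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    return Mismatch(datetime.fromisoformat(m["ts"]), m["neighbor"], m["ifname"],
                    int(m["rx_seq"], 16), int(m["our_seq"], 16))


def max_mismatches_in_window(lines: List[str], window_s: int) -> Dict[str, int]:
    """Per neighbor@interface, the largest number of mismatches that fall inside
    any span of window_s seconds (two-pointer sweep over sorted timestamps)."""
    by_peer: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse_mismatch(line)
        if ev:
            by_peer[f"{ev.neighbor}@{ev.ifname}"].append(ev.ts)
    result: Dict[str, int] = {}
    for peer, stamps in by_peer.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        result[peer] = best
    return result


def peers_at_flap_risk(lines: List[str], hello_interval: int = 10,
                       dead_interval: int = 40) -> List[str]:
    """Peers that logged at least dead/hello mismatches within one dead interval,
    the point at which the article says the neighborship flaps."""
    threshold = dead_interval // hello_interval
    counts = max_mismatches_in_window(lines, dead_interval)
    return sorted(peer for peer, n in counts.items() if n >= threshold)


# Constructed sample log (not captured from a real device): four mismatches from
# 192.0.2.1 within 30 s, one isolated mismatch from 192.0.2.2, one unrelated line.
_PREFIX = "ospf default [1234]: TID 5678:ospfv2_verify_authentication:250:(00000001) "
SAMPLE_LOG = [
    "2024-01-15T10:00:00 " + _PREFIX + "Mismatch in authentication sequence in packet "
    "from 192.0.2.1 on Vlan100, has 0x65a4f3c0, ours was 0x65a4f3c1!",
    "2024-01-15T10:00:10 " + _PREFIX + "Mismatch in authentication sequence in packet "
    "from 192.0.2.1 on Vlan100, has 0x65a4f3ca, ours was 0x65a4f3cb!",
    "2024-01-15T10:00:15 " + _PREFIX + "Mismatch in authentication sequence in packet "
    "from 192.0.2.2 on Vlan200, has 0x0000001f, ours was 0x00000020!",
    "2024-01-15T10:00:20 " + _PREFIX + "Mismatch in authentication sequence in packet "
    "from 192.0.2.1 on Vlan100, has 0x65a4f3d4, ours was 0x65a4f3d5!",
    "2024-01-15T10:00:30 " + _PREFIX + "Mismatch in authentication sequence in packet "
    "from 192.0.2.1 on Vlan100, has 0x65a4f3de, ours was 0x65a4f3df!",
    "2024-01-15T10:00:35 sshd[999]: Accepted publickey for admin from 192.0.2.50",
]

if __name__ == "__main__":
    print(max_mismatches_in_window(SAMPLE_LOG, 40))
    print("at risk:", peers_at_flap_risk(SAMPLE_LOG))
```

The "has" value being exactly one below "ours" in every sample line mirrors the reordering described in the Cause section, where the HELLO arrives just after an LSAck that already advanced the neighbor's counter; a counter that is far behind would instead point at a replayed or stale packet and deserves separate attention.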

Environment

VMware NSX-T Data Center
VMware NSX

Cause

FRR's OSPF process generates OSPF HELLO and LSAck packets and increments the authentication sequence number for each one, as expected. Because these two packet types are sent to different multicast destination addresses (224.0.0.5 and 224.0.0.6), they are transmitted independently.
This can cause the two packets to leave the edge in reverse order, so the neighbor receives the HELLO after an LSAck that already carries a higher sequence number, and reports a sequence number mismatch.
Parallelizing traffic for high performance affects use cases that depend on a single sequential flow.

Resolution

This issue can occur only when MD5 authentication is enabled, because only MD5 authentication uses the authentication sequence number.
The issue can be avoided with either of the following approaches.
1) Disable OSPF authentication on the edge nodes and the network device.
2) NSX-T provides simple password authentication for OSPF. Using simple password authentication instead of MD5 authentication avoids the issue, since that mode carries no sequence number.
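As an added illustration (not the article's, FRR's or NSX's code) of both the Cause and the Resolution, the following Python model reproduces the receiver-side check from RFC 2328 Appendix D.3 that produces this mismatch: a sender increments one sequence counter for HELLO and LSAck alike, and when the two multicast streams are delivered in swapped order every HELLO arrives with a number lower than the LSAck the neighbor has already accepted. Run in "simple" mode it also shows why simple password authentication avoids the problem: that mode has no sequence number to compare. The packet structure, counter start value and timer defaults are constructed, not taken from either implementation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Multicast groups named in the Cause section.
ALL_SPF_ROUTERS = "224.0.0.5"   # HELLO destination
ALL_D_ROUTERS = "224.0.0.6"     # LSAck destination


@dataclass
class OspfPacket:
    kind: str            # "HELLO" or "LSACK"
    dst: str             # multicast destination
    seq: Optional[int]   # cryptographic sequence number; None under simple-password auth


class Sender:
    """One authentication sequence counter per interface, incremented for every
    authenticated packet regardless of type or destination (the behaviour the
    Cause section attributes to FRR). The start value is constructed."""

    def __init__(self, auth: str, start_seq: int = 0x1000) -> None:
        self.auth = auth        # "md5" or "simple"
        self.seq = start_seq

    def build(self, kind: str) -> OspfPacket:
        dst = ALL_SPF_ROUTERS if kind == "HELLO" else ALL_D_ROUTERS
        if self.auth == "md5":
            self.seq += 1
            return OspfPacket(kind, dst, self.seq)
        return OspfPacket(kind, dst, None)   # simple password: no sequence field


class Receiver:
    """RFC 2328 Appendix D.3: under cryptographic authentication a packet is
    accepted only if its sequence number is >= the last one accepted from that
    neighbor. The remembered value is per neighbor, not per multicast group."""

    def __init__(self) -> None:
        self.last_seq: Optional[int] = None
        self.log: List[str] = []

    def accept(self, pkt: OspfPacket) -> bool:
        if pkt.seq is None:
            return True           # simple password: nothing to compare
        if self.last_seq is not None and pkt.seq < self.last_seq:
            self.log.append(
                f"Mismatch in authentication sequence in {pkt.kind} to {pkt.dst}, "
                f"has {pkt.seq:#010x}, ours was {self.last_seq:#010x}!")
            return False
        self.last_seq = pkt.seq
        return True


def simulate(auth: str, reordered: bool, rounds: int = 4) -> Dict[str, int]:
    """Each round the sender emits a HELLO and then an LSAck. With reordered=True
    the LSAck overtakes the HELLO on the uplink, as the packet captures showed."""
    sender, receiver = Sender(auth), Receiver()
    counts = {"hello_accepted": 0, "hello_rejected": 0,
              "lsack_accepted": 0, "lsack_rejected": 0}
    for _ in range(rounds):
        hello, lsack = sender.build("HELLO"), sender.build("LSACK")
        wire = [lsack, hello] if reordered else [hello, lsack]
        for pkt in wire:
            outcome = "_accepted" if receiver.accept(pkt) else "_rejected"
            counts[pkt.kind.lower() + outcome] += 1
    return counts


def neighborship_flaps(counts: Dict[str, int], hello_interval: int = 10,
                       dead_interval: int = 40) -> bool:
    """The article's flap condition: dead/hello consecutive HELLOs rejected. In
    this model every HELLO of a run shares the same fate, so the rejected count
    is the length of the consecutive run."""
    return counts["hello_rejected"] >= dead_interval // hello_interval


if __name__ == "__main__":
    for auth, reordered in (("md5", False), ("md5", True), ("simple", True)):
        c = simulate(auth, reordered)
        print(f"{auth:6} reordered={reordered!s:5} {c} flaps={neighborship_flaps(c)}")
```

In the reordered MD5 run every LSAck is accepted and advances the neighbor's counter, so the HELLO that follows is always one behind and is rejected, which is exactly the "has 0x…, ours was 0x…" pattern in the log; with four rounds at the default 10 s / 40 s timers the flap condition is met, while with the same reordering under simple password authentication nothing is rejected.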