Technical Tip: BGP peering issues with third party routers
Description
This article addresses an issue where BGP peering may not be able to establish even though connectivity (PING, TCP) is OK.
Scope
FortiOS v5.2 and above.
Solution
Collect a sniffer trace on the FortiGate using:
diagnose sniff packet any 'host <remote peer> and tcp port 179' 4 0 l
The TCP 3-way handshake (Syn/Syn-Ack/Ack) will be seen but quickly followed by FIN, RST.
v501 out syn 4224897778
v501 in syn 1861781389 ack 4224897779
v501 out ack 1861781390
v501 in psh 1861781390 ack 4224897840
v501 out ack 1861781456
v501 out psh 4224897840 ack 1861781456
v501 out fin 4224897861 ack 1861781456
v501 in ack 4224897862
v501 in psh 1861781456 ack 4224897862
v501 out rst 4224897862
v501 out ack 1861781390
v501 in psh 1861781390 ack 4224897840
v501 out ack 1861781456
v501 out psh 4224897840 ack 1861781456
v501 out fin 4224897861 ack 1861781456
v501 in ack 4224897862
v501 in psh 1861781456 ack 4224897862
v501 out rst 4224897862
Collect the output of:
diagnose ip router bgp all enable
diagnose debug enable
The above debug command will collect logs against all BGP peers on this router (FortiGate). In an environment where multiple BGP are peering, if the FortiGate is running v7.2.0 and above, it is possible to collect the BGP log against the single router under troubleshooting, therefore saving time to search through unnecessary logs. Follow this KB article for more details: Technical Tip: Capture BGP debugs for a specific neighbor.
diagnose debug reset <- To clear any existing settings.
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose ip router bgp set-filter neighbor x.x.x.x <- IP address of the peer being troubleshoot.
diagnose debug enable
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose ip router bgp set-filter neighbor x.x.x.x <- IP address of the peer being troubleshoot.
diagnose debug enable
If the output shows messages as below:
Outgoing [FSM] State: OpenSent Event: 22"
Outgoing [DECODE] Open Cap: Cap Code 66, Cap Len 0"
Outgoing [DECODE] Open Cap: unrecognized capability code 66 len 0"
id=20301 logdesc="Routing log" msg="BGP: [GRST] Timer Announce Defer: Check"
Outgoing [DECODE] Open Cap: Cap Code 67, Cap Len 3"
Outgoing [DECODE] Open DYN: Cap-length error 3"
Outgoing [ENCODE] Msg-Hdr: Type 3"
id=20301 logdesc="Routing log" msg="BGP: %BGP-3-NOTIFICATION
Outgoing [DECODE] Open Cap: unrecognized capability code 66 len 0"
id=20301 logdesc="Routing log" msg="BGP: [GRST] Timer Announce Defer: Check"
Outgoing [DECODE] Open Cap: Cap Code 67, Cap Len 3"
Outgoing [DECODE] Open DYN: Cap-length error 3"
Outgoing [ENCODE] Msg-Hdr: Type 3"
id=20301 logdesc="Routing log" msg="BGP: %BGP-3-NOTIFICATION
Then the issue is capability 66, which is deprecated (2003-03-06).
Since FortiGate's 'bpg capability-dynamic' is disabled by default, one solution is to disable BGP dynamic capability on the CISCO unit:
Since FortiGate's 'bpg capability-dynamic' is disabled by default, one solution is to disable BGP dynamic capability on the CISCO unit:
N7K(config-router-neighbor)#
router bgp 65100
neighbor x.x.x.x
no dynamic-capability
The following is the list of capabilities not supported by FortiGate, and should be disabled from the neighbor (BGP):
- Open Cap: unrecognized capability code 70 len 0 <----- Enhanced Route Refresh Capability.
- Open Cap: unrecognized capability code 6 len 0 <----- BGP Extended Message.
- Open Cap: unrecognized capability code 66 len 0 <----- Deprecated (2003-03-06).
- Open Cap: unrecognized capability code 73 len 21 <----- FQDN Capability.
- Open Cap: unrecognized capability code 71 len 7 <----- Long-Lived Graceful Restart (LLGR) Capability.