Technical Tip: VIP configured causing issues for BGP peering
Description
This article explains how a VIP configuration can prevent BGP peering between two peers from coming up.
Explanation.
With the following NAT configured, inbound traffic is affected: all traffic destined to 10.20.10.10 will be translated to 192.168.1.1.
# config firewall vip
    edit "nat-in"
        set extip 10.20.10.10
        set mappedip "192.168.1.1"
        set extintf "any"
        set arp-reply disable
    next
end
BGP configuration:
# config router bgp
    set as xx
    set router-id 10.20.10.10
    set graceful-restart enable
    # config neighbor
        edit "10.20.10.9"
            set interface "port1"
            set remote-as xx
        next
    end
end
When BGP peering is established, the neighbors need to form a TCP connection on port 179.
Either the local or the remote BGP neighbor can initiate the TCP connection.
Consider the example below:
1) BGP peering works if the TCP connection is initiated by the FortiGate.
The TCP connection is initiated by the FortiGate, so no issues are faced. Checking the port details in the output below shows the following:
    # get router info bgp neighbors 10.20.10.9
    ……
    Connections established 3; dropped 2
    External BGP neighbor may be up to 255 hops away.
    local host: 10.20.10.10, Local port: 10457
    Foreign host: 10.20.10.9, Foreign port: 179
    Nexthop: 10.20.10.10
    Nexthop interface: ports
Local port: 10457, Foreign port: 179. The FortiGate is using TCP port 10457, and the remote BGP neighbor is using port 179.
2) BGP peering not working if the TCP connection is initiated by the remote BGP neighbor:
The TCP connection is initiated by the remote peer, and BGP peering may not come up.
Checking the port details in the output below shows the following:
    # get router info bgp neighbors 10.20.10.9
    ……
    Connections established 1; dropped 0
    External BGP neighbor may be up to 255 hops away.
    local host: 192.168.1.1, Local port: 179
    Foreign host: 10.20.10.9, Foreign port: 8097
    Nexthop: 192.168.1.1
    Nexthop interface: loopback
Local port: 179, Foreign port: 8097. The remote BGP neighbor is using TCP port 8097 and is connecting to port 179 on the FortiGate.
In the above output, it is possible to see that instead of the local host being 10.20.10.10, the FortiGate has the local host as 192.168.1.1, which is the VIP mapped IP address.
In addition, the next hop interface details are not correct.
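As a triage aid for this symptom, the following added Python example (not from the original article or from Fortinet) parses the session lines of 'get router info bgp neighbors' output and flags the three signs described above: a local host that is the mapped IP of a VIP, a local port of 179 (meaning the peer initiated the session, so the inbound SYN was subject to the VIP), and a nexthop that does not match the interface address. The two sample outputs are constructed from the outputs shown above (with the interface name in the healthy sample assumed to be port1); the expected local address 10.20.10.10 and the VIP table are taken from the configuration above.

```python
import re
from dataclasses import dataclass

# Constructed sample outputs, modelled on the two outputs shown in the article.
GOOD_OUTPUT = """\
Connections established 3; dropped 2
External BGP neighbor may be up to 255 hops away.
Local host: 10.20.10.10, Local port: 10457
Foreign host: 10.20.10.9, Foreign port: 179
Nexthop: 10.20.10.10
Nexthop interface: port1
"""

BAD_OUTPUT = """\
Connections established 1; dropped 0
External BGP neighbor may be up to 255 hops away.
local host: 192.168.1.1, Local port: 179
Foreign host: 10.20.10.9, Foreign port: 8097
Nexthop: 192.168.1.1
Nexthop interface: loopback
"""

# VIP table as extip -> mappedip, taken from the 'config firewall vip' block above.
VIP_MAP = {"10.20.10.10": "192.168.1.1"}
BGP_PORT = 179


@dataclass
class Session:
    local_host: str
    local_port: int
    foreign_host: str
    foreign_port: int
    nexthop: str
    nexthop_if: str

    @property
    def peer_initiated(self) -> bool:
        # The side listening on 179 accepted the connection; the other side initiated it.
        return self.local_port == BGP_PORT


# Case-insensitive so that both "Local host:" and "local host:" spellings are parsed.
_HOST_RE = re.compile(r"(?i)local host:\s*([\d.]+),\s*local port:\s*(\d+)")
_PEER_RE = re.compile(r"(?i)foreign host:\s*([\d.]+),\s*foreign port:\s*(\d+)")
_NH_RE = re.compile(r"(?i)^nexthop:\s*([\d.]+)", re.M)
_NHIF_RE = re.compile(r"(?i)^nexthop interface:\s*(\S+)", re.M)


def parse_session(text: str) -> Session:
    """Extract the TCP session fields from 'get router info bgp neighbors' output."""
    host = _HOST_RE.search(text)
    peer = _PEER_RE.search(text)
    nh = _NH_RE.search(text)
    nhif = _NHIF_RE.search(text)
    if not (host and peer and nh and nhif):
        raise ValueError("neighbor output is missing one of the session fields")
    return Session(host.group(1), int(host.group(2)),
                   peer.group(1), int(peer.group(2)),
                   nh.group(1), nhif.group(1))


def check_session(sess: Session, expected_local: str, vip_map: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the session looks healthy."""
    findings: list[str] = []
    mapped_to_ext = {mapped: ext for ext, mapped in vip_map.items()}
    if sess.local_host != expected_local:
        findings.append(f"local host is {sess.local_host}, expected {expected_local}")
    if sess.local_host in mapped_to_ext:
        findings.append(f"local host {sess.local_host} is the mapped IP of the VIP for "
                        f"{mapped_to_ext[sess.local_host]}: inbound BGP is being translated")
    if sess.nexthop != expected_local:
        findings.append(f"nexthop {sess.nexthop} via {sess.nexthop_if} "
                        f"does not match {expected_local}")
    if findings and sess.peer_initiated:
        findings.append("session was accepted on port 179 (peer-initiated), "
                        "so the VIP matched the inbound SYN")
    return findings


if __name__ == "__main__":
    for label, output in (("FortiGate-initiated", GOOD_OUTPUT),
                          ("peer-initiated", BAD_OUTPUT)):
        sess = parse_session(output)
        problems = check_session(sess, "10.20.10.10", VIP_MAP)
        print(f"{label}: {'OK' if not problems else 'PROBLEM'}")
        for line in problems:
            print("  -", line)
```

In practice, paste the real neighbor output into parse_session and use the interface address configured for the peer as expected_local; a session that only fails when the local port is 179 is the signature of a VIP catching the peer's inbound connection.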
Solution
Possible solutions are as follows:
1) Do not configure the VIP to translate all traffic. All inbound connections, which in this case include BGP, would be translated, and if the translated address is not configured as the BGP peer, BGP peering will not come up.
2) The FortiGate can initiate the TCP connection with the following command: '# execute router clear bgp ip peer-ip x.x.x.x'. However, this is not a permanent solution, because if BGP peering goes down and the remote BGP neighbor again initiates the TCP connection, BGP peering will not come up.
