yzayani
Staff
April 27, 2026

Technical Tip: VXLAN BGP Failure After FortiOS v7.4.11


Description


This article describes a FortiOS VXLAN tunnel failure that began after upgrading to FortiOS v7.4.11: BGP over VXLAN stays in Connect/Active because remote-ip was set to the peer's BGP router-ID instead of the peer's VTEP IP, and FortiOS v7.4.11 enforces a strict check that the source IP of incoming VXLAN packets matches the configured remote-ip.


Scope


FortiGate-Azure, FortiGate-VM.


Solution


  • BGP over VXLAN (VNI 23) could not reach the Established state.

  • The BGP neighbor continuously moved between Connect and Active, and no routes were exchanged.

  • The issue occurred because the VXLAN remote-ip was mistakenly configured with the peer's BGP router-ID (.36) instead of the peer's actual VTEP interface IP (.37).

  • Starting in FortiOS 7.4.11, VXLAN processing strictly checks that the source IP of incoming UDP/4789 packets matches the configured remote-ip.

  • If the source IP does not match, the FortiGate drops the packet during VXLAN handling. In this case, VXLAN packets were arriving from the correct VTEP IP (.37), but because the FortiGate was configured to expect .36, all packets were discarded.

  • This prevented BGP from receiving any keepalives or updates, causing the session to remain stuck in Connect/Active.

  • Debug excerpts:


diagnose sys vxlan fdb list vxlan_3to2
mac=00:00:00:00:00:00 state=0x0082 remote_ip=10.161.128.36 port=4789 vni=23 ifindex=5


get router info bgp evpn summary

Neighbor 100.192.23.1 State: Active

Packet sniff: shows 10.161.128.37:4789 > 10.160.128.36:4789 and replies 10.160.128.37:4789 > 10.161.128.36:4789 (VTEP NICs used as source; remote-ip was ILB VIP).
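As an added check that is not part of the original article, the script below applies the 7.4.11 rule to the two debug outputs above: it reads remote_ip from the fdb list, counts inbound UDP/4789 packets per source IP in the sniffer output, reports the sources the strict check would discard, and prints the workaround remote-ip line. The sample lines are constructed to mirror the scenario, and the sniffer line format (`src.4789 -> dst.4789`) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `diagnose sys vxlan fdb list` for the broken config
# (remote_ip points at the ILB VIP .36, not the peer VTEP NIC .37).
FDB_OUTPUT = """\
mac=00:00:00:00:00:00 state=0x0082 remote_ip=10.161.128.36 port=4789 vni=23 ifindex=5
"""

# Constructed sniffer lines (assumed `diagnose sniffer packet` format):
# the peer really sends from its VTEP NIC .37 towards our ILB VIP .36.
SNIFFER_OUTPUT = """\
10.161.128.37.4789 -> 10.160.128.36.4789: udp 50
10.161.128.37.4789 -> 10.160.128.36.4789: udp 50
10.160.128.37.4789 -> 10.161.128.36.4789: udp 50
"""

# Addresses owned by this FortiGate (ILB VIP and VTEP NIC); assumed for the sample.
LOCAL_IPS = {"10.160.128.36", "10.160.128.37"}

FDB_RE = re.compile(r"remote_ip=(\d+\.\d+\.\d+\.\d+)")
SNIFF_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.4789 -> (\d+\.\d+\.\d+\.\d+)\.4789")


def configured_remote_ips(fdb_text: str) -> set:
    """Every remote_ip the VXLAN interface will accept packets from."""
    return set(FDB_RE.findall(fdb_text))


def inbound_vxlan_sources(sniff_text: str, local_ips: set) -> dict:
    """Count UDP/4789 packets per source IP that are addressed to this FortiGate."""
    counts = defaultdict(int)
    for src, dst in SNIFF_RE.findall(sniff_text):
        if dst in local_ips:          # ignore our own outbound VXLAN traffic
            counts[src] += 1
    return dict(counts)


def strict_check_drops(fdb_text: str, sniff_text: str, local_ips: set) -> dict:
    """Sources (and packet counts) the 7.4.11 source-IP check would discard."""
    allowed = configured_remote_ips(fdb_text)
    inbound = inbound_vxlan_sources(sniff_text, local_ips)
    return {src: n for src, n in inbound.items() if src not in allowed}


def workaround_remote_ip_line(fdb_text: str, sniff_text: str, local_ips: set) -> str:
    """CLI line accepting the configured VIP plus every real VTEP seen sending to us."""
    ips = configured_remote_ips(fdb_text) | set(strict_check_drops(fdb_text, sniff_text, local_ips))
    return "set remote-ip " + " ".join(f'"{ip}"' for ip in sorted(ips))


if __name__ == "__main__":
    print("dropped by strict check:", strict_check_drops(FDB_OUTPUT, SNIFFER_OUTPUT, LOCAL_IPS))
    print(workaround_remote_ip_line(FDB_OUTPUT, SNIFFER_OUTPUT, LOCAL_IPS))
```

An empty drop dictionary means the fdb remote_ip already matches what the peer sends from, so the strict check is not the cause of a stuck BGP session.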


Immediate workaround.

Allow multiple remote IPs (accept ILB VIP and real VTEP IPs) on both sides:


config system vxlan
 edit "vxlan_2to3"
  set remote-ip "10.160.128.36" "10.160.128.37" "10.160.128.38"
  next
 end
config system vxlan
 edit "vxlan_3to2"
  set remote-ip "10.161.128.36" "10.161.128.37" "10.161.128.38"
  next
 end


Permanent fix.

Correct remote-ip to the peer's VTEP IP on each FortiGate:


config system vxlan
 edit "vxlan_2to3"
  set remote-ip "10.160.128.37"
  next
 end
config system vxlan
 edit "vxlan_3to2"
  set remote-ip "10.161.128.37"
  next
 end