sfernando
Staff
February 19, 2026

Troubleshooting Tip: BGP fails to establish with a VLAN created on the PPPoE interface

Description
This article describes how to handle an issue where BGP neighborship does not come up with a VLAN created on a PPPoE interface due to using 'set source interface' under BGP configuration.
Scope
FortiGate.
Solution

In an environment where the ISP connection is delivered as PPPoE and BGP neighborship is required over a VLAN created on top of the PPPoE interface, the BGP neighborship will not come up when 'set source interface' is used under the BGP configuration.

The following example shows the PPPoE configuration on the VLAN and the underlying interface.

config system interface
    edit "a"
        set vdom "root"
        set allowaccess ping https ssh snmp fgfm
        set type physical
        set lldp-reception enable
        set role wan
        set snmp-index 5
    next
    edit "VLAN100"
        set vdom "root"
        set mode pppoe
        set distance 210
        set allowaccess ping https ssh snmp fgfm
        set role wan
        set snmp-index 116
        set username "xyz"
        set password ENC
        set interface "a"
        set vlanid 100
    next
end

In the BGP configuration, do not use 'set source interface' under the BGP neighbor. Instead, use 'set update-source', as shown below:

config router bgp
    set as 65500
    set router-id 10.9.9.11
    config neighbor
        edit "10.56.10.100"
            set soft-reconfiguration enable
            set remote-as 17473
            set update-source "VLAN100"   <----- Strictly bind BGP to this interface.
        next
    end
end

From GUI:

Navigate to Network -> BGP -> Neighbors -> Select and edit the neighbor -> Update source.

When 'set interface' is configured under a BGP neighbor, the firewall is restricted to establishing BGP sessions only through the specified interface. If the configured interface is not a loopback, the firewall will use that interface exclusively to initiate BGP connection attempts. It will also reject any incoming BGP connection attempts from the same neighbor that arrive on a different interface, generating the message:

Incoming conn <neighbor IP> expected if <interface index> from peer group but received from <interface index>

When 'update-source' is configured on a BGP neighbor, the device uses the configured interface's IP address as the source IP for initiating BGP connections. If there are multiple IPs defined on the interface, FortiGate will try to initiate the connection using the lowest IP address. However, it does not restrict packet reception. FortiGate will still accept connection attempts to different local IP addresses if initiated by the neighbor.

In debug and sniffer output, no BGP communication is seen being initiated when 'set source interface' is used under the BGP configuration, even though the public IP is pingable and port 179 is open.
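
An added example, not part of the original article or Fortinet's own tooling: a small Python check that parses a FortiOS configuration export and reports BGP neighbors pinned to a non-loopback interface, the case described above. It assumes the neighbor option appears as 'set interface' (the name used in the related article) and that loopbacks carry 'set type loopback'; the function names and the second neighbor address are made up for the example.

```python
import shlex
# Constructed sample: the page's PPPoE VLAN100, one neighbor pinned with
# 'set interface' and one (made-up address) using 'set update-source'.
SAMPLE = """
config system interface
    edit "VLAN100"
        set mode pppoe
    next
end
config router bgp
    config neighbor
        edit "10.56.10.100"
            set interface "VLAN100"
        next
        edit "10.56.10.101"
            set update-source "VLAN100"
        next
    end
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end text into nested dicts."""
    stack = [("config", {})]
    for raw in text.splitlines():
        tok = shlex.split(raw.split("<--")[0])  # drop KB-style "<-----" notes
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw in ("edit", "next", "end") and stack[-1][0] == "edit":
            stack.pop()  # 'next' closes an edit; a missing 'next' is tolerated
        if kw in ("config", "edit"):
            stack.append((kw, stack[-1][1].setdefault(" ".join(args), {})))
        elif kw == "set" and args:
            stack[-1][1][args[0]] = args[1:]
        elif kw == "end" and len(stack) > 1:
            stack.pop()
    return stack[0][1]

def audit_bgp_binding(cfg):
    """Return (peer, interface, reason) for neighbors pinned with 'set interface'."""
    ifaces, findings = cfg.get("system interface", {}), []
    for peer, opts in cfg.get("router bgp", {}).get("neighbor", {}).items():
        name = (opts.get("interface") or [None])[0]
        iface = ifaces.get(name, {})
        if name and iface.get("type") != ["loopback"]:
            reason = "pppoe" if iface.get("mode") == ["pppoe"] else "non-loopback"
            findings.append((peer, name, reason))
    return findings
```

Neighbors it reports are candidates for switching to 'set update-source'.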

Related article:
Technical Tip: Functionality of 'set interface' and 'set update-source' command under BGP