fortiwei1
Staff
April 7, 2026

Troubleshooting Tip: BGP session flapping in ADVPN hub FortiGate with SD-WAN embedded measured health enabled

Description
This article describes the cause and resolution of BGP session flapping on an ADVPN hub FortiGate when SD-WAN embedded SLA is enabled. The BGP peering is established over IPsec tunnels between the hub and spokes.
Scope
FortiGate (tested with v7.4).
Solution

When BGP passive mode is disabled on the ADVPN hub FortiGate, SD-WAN health-check events can trigger repeated BGP session resets.


When a health check exceeds the configured Service Level Agreement (SLA) thresholds, the hub resets the BGP session. Check this from the hub side with the following commands:


diagnose system sdwan health-check remote
get router info bgp summary


After the health check recovers and returns to an acceptable state, the hub resets the BGP session again, which results in visible BGP flapping.


This behavior occurs only when BGP passive mode is disabled on the ADVPN hub.

To resolve this issue, verify that BGP passive mode is enabled on the hub neighbor group.


On the hub FortiGate:


config router bgp
    config neighbor-group
        edit <group-name>
            set passive enable    <--- (default: enable)
        next
    end
end
Additionally, review the SD-WAN health-check configuration on both the hub and spoke FortiGate devices. Ensure that the recovery time and the SLA thresholds (latency, jitter and packet loss) are aligned with application tolerance levels, so that SD-WAN members do not fail over unnecessarily.

HUB FortiGate:


config system sdwan
    config health-check
        edit <Healthcheck-name>
            set recoverytime 4    <---
            config sla
                edit <id>
                    set latency-threshold 20    <-----
                    set jitter-threshold 20    <-----
                    set packetloss-threshold 2    <-----
                next
            end
        next
    end
end
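As an added check that is not part of this article or of Fortinet's tooling, the following Python script parses a FortiOS configuration export (the config/edit/set/next/end text format shown above) and flags a BGP neighbor-group with passive explicitly disabled, plus SLA thresholds that are tighter than the application tolerances passed in; the sample export and the tolerance values are constructed for the example.

```python
# Added example, not Fortinet's or the article's code: audit a FortiOS config export
# for the two settings discussed above. Tolerance values are constructed assumptions.
def parse_fortios(text):
    """Map each config/edit path (as a tuple) to that stanza's 'set' key -> value pairs."""
    tree, stack = {}, []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            stack.append(" ".join(tok[1:]).strip('"'))
        elif tok[0] in ("next", "end"):  # next closes an edit, end closes a config
            stack.pop()
        elif tok[0] == "set":
            tree.setdefault(tuple(stack), {})[tok[1]] = " ".join(tok[2:])
    return tree

def audit(text, tol=None):
    """Return findings; tol maps SLA threshold keys to assumed app tolerances (ms, ms, %)."""
    tol = tol or {"latency-threshold": 100, "jitter-threshold": 50, "packetloss-threshold": 5}
    findings = []
    for path, s in parse_fortios(text).items():
        if path[:2] == ("router bgp", "neighbor-group") and len(path) == 3:
            if s.get("passive", "enable") == "disable":  # default is enable (see article)
                findings.append(f"neighbor-group {path[2]}: passive disabled, hub resets BGP on SLA events")
        elif path[:2] == ("system sdwan", "health-check") and len(path) == 5 and path[3] == "sla":
            for key, limit in tol.items():
                if key in s and float(s[key]) < limit:  # tighter than the application tolerates
                    findings.append(f"health-check {path[2]} sla {path[4]}: {key} {s[key]} < {limit}")
    return findings

# Constructed sample export (one statement per element) with the two stanzas from the article.
SAMPLE_CONFIG = "\n".join([
    "config router bgp", "config neighbor-group", 'edit "spokes"', "set passive disable", "next",
    "end", "end", "config system sdwan", "config health-check", 'edit "hc-overlay"',
    "set recoverytime 4", "config sla", "edit 1", "set latency-threshold 20",
    "set packetloss-threshold 2", "next", "end", "next", "end", "end"])

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```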
