When BGP peers are in the same subnet, FortiGate can be configured with the neighbor-group and neighbor-range options instead of configuring each BGP peer individually. This is useful in hub-and-spoke deployments where dial-up clients come from the same IP range or subnet and initiate BGP once the VPN is connected. When FortiGate is configured with a neighbor-group and range, it only responds to incoming BGP requests and establishes the peering when a request arrives; it never initiates the session itself.

In the scenario below, Fortinet1, Fortinet2, and Fortinet3 are connected in a mesh topology, and their IPs fall under the 192.168.0.0/29 subnet. Although neighbor-group and range would minimize the configuration as mentioned above, they should not be used here: all of the BGP peers become passive (even 'set passive disable' does not help), and none of the FortiGates will initiate the BGP connection. In this condition, the BGP status commands show no information about BGP neighborship at all.

Fortinet1 configuration:

    config router bgp
        set as 64512
        config neighbor-group
            edit "192"
                set passive disable
                set soft-reconfiguration enable
                set remote-as 64512
                set route-reflector-client enable
            next
        end
        config neighbor-range
            edit one
                set prefix 192.168.0.0 255.255.248.0
                set neighbor-group "192"
            next
        end
        config network
            edit 1
                set prefix 10.10.50.0 255.255.255.0
            next
        end
    end

Fortinet2 configuration:

    config router bgp
        set as 64512
        config neighbor-group
            edit "192"
                set soft-reconfiguration enable
                set remote-as 64512
                set route-reflector-client enable
            next
        end
        config neighbor-range
            edit "one"
                set prefix 192.168.2.0 255.255.255.0
                set neighbor-group "192"
            next
        end
        config network
            edit 1
                set prefix 10.10.20.0 255.255.255.0
            next
        end
    end

Status:

Fortinet1:

    Fortinet1 # diagnose sniffer packet any " port 179" 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[ port 179]
    ^C
    0 packets received by filter
    0 packets dropped by kernel

    Fortinet1 # get router info routing-table database
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           V - BGP VPNv4
           > - selected route, * - FIB route, p - stale info

    Routing table for VRF=0
    C    *> 10.10.50.0/24 is directly connected, loopback
    C    *> 192.168.2.0/24 is directly connected, port3
    C    *> 192.168.3.0/24 is directly connected, port2
    C    *> 192.168.5.0/24 is directly connected, port1

    Fortinet1 # get router info bgp summary

    Fortinet1 # get router info bgp neighbors
    % No neighbor exist

Fortinet2:

    Fortinet2 # diagnose sniffer packet any " port 179" 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[ port 179]
    ^C
    0 packets received by filter
    0 packets dropped by kernel

    Fortinet2 # get router info routing-table database
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           V - BGP VPNv4
           > - selected route, * - FIB route, p - stale info

    Routing table for VRF=0
    C    *> 10.10.20.0/24 is directly connected, loopback
    C    *> 192.168.1.0/24 is directly connected, port1
    C    *> 192.168.2.0/24 is directly connected, port2

    Fortinet2 # get router info bgp summary

    Fortinet2 # get router info bgp neighbors
    % No neighbor exist

The sniffer shows no traffic on TCP port 179 on either side, and neither router lists a neighbor: nobody ever sends the first OPEN.

When implementing neighbor-group and neighbor-range, it is important to make sure that at least one of the BGP peers is active so that it initiates the connection. Removing the neighbor-group and range from Fortinet2 and configuring Fortinet1 as an explicit neighbor results in the BGP neighborship being established.

    Fortinet2 (bgp) # show
    config router bgp
        set as 64512
        config neighbor
            edit "192.168.2.1"
                set soft-reconfiguration enable
                set remote-as 64512
                set route-reflector-client enable
            next
        end
        config network
            edit 1
                set prefix 10.10.20.0 255.255.255.0
            next
        end
    end

    Fortinet2 # get router info bgp summary   <----- Shows the BGP status of the router and all its neighbors, including the AS, packet counters, and the length of time the neighbor has been up.
    VRF 0 BGP router identifier 10.10.20.1, local AS number 64512
    BGP table version is 2
    1 BGP AS-PATH entries
    0 BGP community entries

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.168.2.1     4 64512       4       4        1    0    0 00:01:10        1

    Total number of neighbors 1

    Fortinet2 # get router info bgp neighbors   <----- Shows details of the neighbors, including the peer IP address, router ID, remote AS, BGP state, and the negotiated capabilities.
    VRF 0 neighbor table:
    BGP neighbor is 192.168.2.1, remote AS 64512, local AS 64512, internal link
      BGP version 4, remote router ID 10.10.50.1
      BGP state = Established, up for 00:01:18
      Last read 00:00:27, hold time is 180, keepalive interval is 60 seconds
      Configured hold time is 180, keepalive interval is 60 seconds
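The deadlock above is easy to audit offline before it reaches production. The following script is an added example (not Fortinet code and not part of the original article): it parses the minimal FortiOS-style 'config router bgp' text shown on this page for each router and reports every pair of peers that accept each other but where neither side will actively open the TCP/179 session. The rule it applies is the one the article states: an explicit 'config neighbor' entry makes a router an initiator, while a peer matched only through 'config neighbor-range' is passive regardless of 'set passive disable'. The parser understands only the constructs used on this page (config/edit/set/end with the neighbor, neighbor-range and network sections). The interface addresses are constructed for the example: 192.168.2.1 for Fortinet1 comes from the page, 192.168.2.2 for Fortinet2 is assumed.

```python
"""Flag BGP peerings where all sides are passive (neighbor-range only).

Added example, not Fortinet's code. Models the behaviour the article describes:
an explicit 'config neighbor' entry initiates; a neighbor-range match only answers.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BgpRouter:
    name: str
    addresses: list                                # this router's interface IPs
    neighbors: set = field(default_factory=set)    # peers from 'config neighbor'
    ranges: list = field(default_factory=list)     # networks from 'config neighbor-range'


def parse_bgp_config(name, addresses, text):
    """Extract explicit neighbors and neighbor-range prefixes from FortiOS CLI text."""
    router = BgpRouter(name, [ipaddress.ip_address(a) for a in addresses])
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line.split(None, 1)[1]       # e.g. "neighbor", "neighbor-range"
        elif line == "end":
            section = None
        elif section == "neighbor" and line.startswith("edit "):
            router.neighbors.add(ipaddress.ip_address(line.split()[1].strip('"')))
        elif section == "neighbor-range" and line.startswith("set prefix "):
            _, _, addr, mask = line.split()        # 'set prefix <addr> <dotted mask>'
            router.ranges.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        # 'set passive disable' inside a neighbor-group is deliberately ignored:
        # per the article it does not make a range-matched peer initiate.
    return router


def can_initiate(src, dst):
    """True if src will actively send an OPEN to one of dst's addresses."""
    return any(a in src.neighbors for a in dst.addresses)


def accepts(dst, src):
    """True if dst will answer an OPEN coming from one of src's addresses."""
    return any(a in dst.neighbors or any(a in net for net in dst.ranges)
               for a in src.addresses)


def find_dead_peerings(routers):
    """Pairs that accept each other (so a session is expected) but nobody initiates."""
    dead = []
    for i, a in enumerate(routers):
        for b in routers[i + 1:]:
            mutual = accepts(a, b) and accepts(b, a)
            if mutual and not (can_initiate(a, b) or can_initiate(b, a)):
                dead.append((a.name, b.name))
    return dead


# Configurations taken from the article (indentation is irrelevant to the parser).
FORTINET1_CFG = """
config router bgp
    set as 64512
    config neighbor-group
        edit "192"
            set passive disable
            set remote-as 64512
        next
    end
    config neighbor-range
        edit one
            set prefix 192.168.0.0 255.255.248.0
            set neighbor-group "192"
        next
    end
end
"""

FORTINET2_RANGE_CFG = """
config router bgp
    set as 64512
    config neighbor-range
        edit "one"
            set prefix 192.168.2.0 255.255.255.0
            set neighbor-group "192"
        next
    end
end
"""

FORTINET2_EXPLICIT_CFG = """
config router bgp
    set as 64512
    config neighbor
        edit "192.168.2.1"
            set remote-as 64512
        next
    end
end
"""


def dead_peerings_before():
    """Both routers use neighbor-range only: expect the Fortinet1/Fortinet2 pair flagged."""
    f1 = parse_bgp_config("Fortinet1", ["192.168.2.1"], FORTINET1_CFG)   # IP from the page
    f2 = parse_bgp_config("Fortinet2", ["192.168.2.2"], FORTINET2_RANGE_CFG)  # constructed IP
    return find_dead_peerings([f1, f2])


def dead_peerings_after():
    """Fortinet2 names Fortinet1 explicitly, so it initiates: expect no dead pairs."""
    f1 = parse_bgp_config("Fortinet1", ["192.168.2.1"], FORTINET1_CFG)
    f2 = parse_bgp_config("Fortinet2", ["192.168.2.2"], FORTINET2_EXPLICIT_CFG)
    return find_dead_peerings([f1, f2])


if __name__ == "__main__":
    print("before:", dead_peerings_before())   # [('Fortinet1', 'Fortinet2')]
    print("after: ", dead_peerings_after())    # []
```

Run against a real export, feed each router's 'show router bgp' text and its interface addresses to parse_bgp_config; any pair returned by find_dead_peerings will show exactly the symptom on this page (empty 'get router info bgp summary', no port 179 packets in the sniffer) until one side gets an explicit 'config neighbor' entry.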