Troubleshooting Tip: FortiSASE endpoints cannot access SPA networks when leader POP BGP session is down and IPAM subnet is not advertised
Description
This article describes a scenario in which endpoints connected to FortiSASE are unable to access Secure Private Access (SPA) networks even though the client connects successfully to the FortiSASE service.
When IP Address Management (IPAM) is enabled in FortiSASE, the subnet assigned to endpoints is associated with the leader POP. If the leader POP loses connectivity with the HUB firewall, the subnet assigned to endpoints may not be advertised to the HUB firewall via BGP.
As a result, the HUB firewall does not have a route to the subnet used by connected endpoints, causing traffic destined for SPA networks to fail.
Scope
FortiSASE.
Solution
Consider the following example:
- Endpoints connecting to FortiSASE receive IP addresses from 100.64.0.0/20 (configured IPAM range).
- On the HUB firewall, the advertised network from SASE appears as 100.64.16.0/20.
- Endpoints within 100.64.0.0/20 are unable to access SPA resources.
Check the state of the BGP session for the Singapore (leader) POP:
get router info bgp summary
VRF 10 BGP router identifier 172.16.16.20, local AS number 65525
Neighbor V AS MsgRcvd MsgSent Up/Down State/PfxRcd
10.106.1.220 4 65525 0 0 never Connect
This indicates that the BGP session between the Singapore POP and the hub firewall is not established. Packet capture can confirm that TCP port 179 (BGP) connection attempts are not receiving a response.
diagnose sniffer packet any "port 179" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[port 179]
2026-03-04 07:59:34.703131 hub1 out 10.106.1.226.8269 -> 10.106.1.225.179: syn 2325240784
2026-03-04 07:59:36.403216 hub1 out 10.106.1.226.8727 -> 10.106.1.225.179: syn 1026109587
2026-03-04 07:59:37.423130 hub1 out 10.106.1.226.8727 -> 10.106.1.225.179: syn 1026109587
This confirms that BGP connection attempts are being sent, but no response is received.
Verify the BGP session on another POP (for example, Frankfurt POP):
get router info bgp summary
VRF 10 BGP router identifier 172.16.16.21, local AS number 65525
BGP table version is 23
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.106.1.220 4 65525 161 160 23 0 0 02:18:10 18
Total number of neighbors 1
Check which prefixes the Frankfurt POP advertises to the HUB firewall:
get router info bgp neighbors 10.106.1.225 advertised-route
VRF 10 BGP table version is 23, local router ID is 172.16.16.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i100.64.16.0/20 10.106.1.227 100 32768 0 i <-/->
*>i172.16.16.21/32 10.106.1.227 100 32768 0 i <-/->
Total number of prefixes 2
This indicates that the Frankfurt POP is advertising subnet 100.64.16.0/20, while the leader POP's subnet 100.64.0.0/20 is not advertised at all.
When IPAM is enabled, FortiSASE assigns subnet blocks to POPs in /20 increments.
- The leader POP is assigned the first subnet (100.64.0.0/20).
- If the leader POP BGP session to the HUB firewall is down, that subnet will not be advertised.
- The next available POP may advertise the next available subnet (100.64.16.0/20).
Since endpoints continue to receive addresses from the leader POP subnet (100.64.0.0/20), the HUB firewall has no route for that network, and traffic from those endpoints toward SPA networks fails.
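The following Python script is an added example (not Fortinet code and not a FortiSASE feature) that automates the diagnosis described above. It parses the output shapes of "get router info bgp summary" and "get router info bgp neighbors <ip> advertised-route", works out which /20 IPAM block an endpoint address was allocated from, and reports whether any POP with an Established session advertises that block to the HUB firewall. The POP names, the endpoint addresses and the CLI text embedded in the script are constructed samples modelled on the listings in this article; the /20 block size is taken from the article.

```python
"""Check whether the IPAM /20 block serving an endpoint is advertised to the HUB
firewall by a POP whose BGP session is Established.

Added example, not Fortinet code. Assumes the FortiOS CLI output shapes shown in
the article and a /20 IPAM block size; POP names and sample outputs are constructed.
"""
import ipaddress
import re

BLOCK_PREFIXLEN = 20  # FortiSASE IPAM allocates one /20 block per POP (per the article)

# --- constructed sample CLI output, modelled on the article's listings ---------
SINGAPORE_SUMMARY = """\
VRF 10 BGP router identifier 172.16.16.20, local AS number 65525
Neighbor V AS MsgRcvd MsgSent Up/Down State/PfxRcd
10.106.1.220 4 65525 0 0 never Connect
"""
SINGAPORE_ADVERTISED = ""  # nothing reaches the HUB while the session is down

FRANKFURT_SUMMARY = """\
VRF 10 BGP router identifier 172.16.16.21, local AS number 65525
BGP table version is 23
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.106.1.220 4 65525 161 160 23 0 0 02:18:10 18
Total number of neighbors 1
"""
FRANKFURT_ADVERTISED = """\
VRF 10 BGP table version is 23, local router ID is 172.16.16.1
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i100.64.16.0/20 10.106.1.227 100 32768 0 i <-/->
*>i172.16.16.21/32 10.106.1.227 100 32768 0 i <-/->
Total number of prefixes 2
"""

# pop name -> (bgp summary text, advertised-route text); constructed names
POPS = {
    "Singapore (leader)": (SINGAPORE_SUMMARY, SINGAPORE_ADVERTISED),
    "Frankfurt": (FRANKFURT_SUMMARY, FRANKFURT_ADVERTISED),
}

# A neighbor row starts with the peer IP; the last column is either a prefix
# count (session Established) or the BGP FSM state such as Connect/Active/Idle.
NEIGHBOR_ROW_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\d+.*\s(\S+)\s*$")
PREFIX_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})")


def parse_bgp_summary(text):
    """Map each neighbor to 'Established' or to the FSM state shown in the summary."""
    neighbors = {}
    for line in text.splitlines():
        m = NEIGHBOR_ROW_RE.match(line.strip())
        if m:
            peer, last_column = m.groups()
            neighbors[peer] = "Established" if last_column.isdigit() else last_column
    return neighbors


def parse_advertised_routes(text):
    """Collect the prefixes from advertised-route output (route rows begin with '*')."""
    prefixes = []
    for line in text.splitlines():
        if line.startswith("*"):
            m = PREFIX_RE.search(line)
            if m:
                prefixes.append(ipaddress.ip_network(m.group(1), strict=False))
    return prefixes


def endpoint_block(endpoint_ip):
    """Return the /20 IPAM block the endpoint address was allocated from."""
    return ipaddress.ip_network(f"{endpoint_ip}/{BLOCK_PREFIXLEN}", strict=False)


def diagnose(endpoint_ip, pops):
    """Report which POPs advertise the endpoint's block over an Established session.

    A POP whose every session is down is skipped: whatever it would advertise
    never reaches the HUB firewall, so it cannot provide the return route.
    """
    block = endpoint_block(endpoint_ip)
    advertised_by = []
    for name, (summary, advertised) in pops.items():
        if "Established" not in parse_bgp_summary(summary).values():
            continue
        if any(block.subnet_of(p) for p in parse_advertised_routes(advertised)):
            advertised_by.append(name)
    return {"endpoint_block": str(block), "advertised_by": advertised_by,
            "reachable": bool(advertised_by)}


if __name__ == "__main__":
    for ip in ("100.64.3.10", "100.64.17.5"):  # constructed endpoint addresses
        print(ip, diagnose(ip, POPS))
```

Run it as-is to see the failure case from the article (an endpoint in 100.64.0.0/20 has no advertising POP) beside a healthy case (an endpoint in 100.64.16.0/20 is covered by Frankfurt). In practice, paste the real CLI output of each POP into the POPS table; the script only needs the summary and advertised-route text, nothing from the endpoints themselves.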
To fix this issue, restore BGP connectivity between the leader POP and the HUB firewall.
Recommended checks:
- Verify network connectivity between the HUB firewall and the leader POP.
- Ensure TCP port 179 is permitted between both peers.
- Verify firewall policies and routing.
- Confirm the BGP session is established successfully.
Once the BGP session with the leader POP is restored:
- FortiSASE will advertise 100.64.0.0/20 to the HUB firewall.
- The HUB firewall will install the correct route.
- Endpoints will regain access to SPA networks.
