ADVPN hub-and-spoke

Forum|Forum|10 months ago
August 2, 2025
2 replies
715 views

I configured three firewalls, with the HUB using a dial-up. One SPOKE can communicate normally with the HUB. However, after adding another SPOKE, although the IPSEC VPN tunnel was successfully established, the HUB's tunnel IP cannot be pinged. Could you please help identify what the issue might be? Thanks

syordanov

Staff

Dear 52000cc,

When the second spoke is connect, are you able do an ICMP between both spokes? From second spoke, can you ping the HUB?

IP addresses on the spokes VPN tunnel interface are assigned manually or with mode-config, range?
Please check the KB bellow :

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/820072/advpn-with-bgp-as-the-routing-protocol

Make sure the following:
- Route-reflector-client is enabled only on the HUB;
- Advertise connected network is disabled under BGP routing protocol for this ADVPN ;
- Run a sniffer on the HUB and affected spoke like : diagnose sniffer packet any " host x.x.x.x and icmp" 4 , where x.x.x.x is the HUBs IP address

Best regards,
Fortinet.

52000ccAuthor

New Member

how can I setup this Advertise connected network is disabled under BGP routing protocol for this ADVPN?

VinayHM

Is the tunnel IP advertised in the IPsec?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded