greenieofdubbo
New Member
April 12, 2012
Question

BGP Asymmetric Routing

  • April 12, 2012
  • 3 replies
  • 5330 views
Good morning,

I'm having a routing issue.

Setup: 2x FortiGate 300Cs in an Active-Passive cluster. v4.0,build0521,120313. 2 ISPs, let's call them ISP-A and ISP-B (Backup). We're advertising a /24 to both ISPs. We're also prepending our AS 3 times on ISP-B to influence the inbound traffic.

Issue: When both ISPs are enabled, we are unable to access some networks. The default route is ISP-A and every looking glass I check indicates ISP-A is the return path. I believe some traffic may be returning via ISP-B and being dropped by the FortiGate. Each ISP works fine independently. Asymmetric routing is turned on.

Any ideas?

Thanks
Matthew

    3 replies

    ddskier
    New Member
    April 12, 2012
    I've seen this happen because some ISPs will want to keep traffic on their network if the source and destination are all on their network. So one of your ISPs may be ignoring your BGP because of that. Try a few traceroutes to see how things are flowing. Then I would call your ISP and see if they have any BGP community settings that you can implement to override that behavior.
    emnoc
    New Member
    April 19, 2012
    Pre-pending can only maybe "influence" path return. It's not a guaranteed win-all. So keep that in mind. Also, you have no control over what any AS is doing with path routing. I.e. (do they use or affect local_pref, or addition of communities and local_pref). Now back to your problem: if you have asymmetrical routing enabled and are dropping packets due to return through some other interface, then you have some other problem(s). Does your provider have any loose or strict RPF checks in place?
    greenieofdubbo
    New Member
    June 22, 2012
    We've made some progress on the below. We had another router (FGT 60C) between the main cluster and the 2nd ISP; it terminates the PPPoE and purely routes traffic. It didn't have asymmetric routing turned on. Turning it on resolved around 90% of the issues, however there are still some websites we can't access. Strangely enough, I can ping some but can't load the web page :s Thanks
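
Added example, not part of the original thread: a small Python model of the strict, feasible-path and loose reverse-path-forwarding (RPF) checks defined in RFC 3704, which one reply asks about, applied to return traffic that arrives on the backup ISP link. The interface names, addresses and routing tables are constructed for illustration and do not model any vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str    # destination prefix
    iface: str     # egress interface (hypothetical names)
    distance: int  # lower is preferred among equal-length prefixes

def covering(routes, src):
    """Routes whose prefix contains the packet's source address."""
    ip = ipaddress.ip_address(src)
    return [r for r in routes if ip in ipaddress.ip_network(r.prefix)]

def best_route(routes, src):
    """Longest prefix wins; distance breaks ties."""
    cands = covering(routes, src)
    if not cands:
        return None
    return min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))

def rpf_accepts(routes, src, in_iface, mode):
    """RFC 3704 source check for a packet from src arriving on in_iface."""
    if mode == "strict":    # ingress must be the best path back to src
        best = best_route(routes, src)
        return best is not None and best.iface == in_iface
    if mode == "feasible":  # ingress must hold some route back to src
        return any(r.iface == in_iface for r in covering(routes, src))
    if mode == "loose":     # a route to src exists on any interface
        return bool(covering(routes, src))
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample data: documentation addresses, hypothetical interfaces.
PRIMARY_ONLY = [Route("0.0.0.0/0", "isp_a", 10)]
WITH_BACKUP = PRIMARY_ONLY + [Route("0.0.0.0/0", "isp_b", 20)]
REMOTE = "198.51.100.7"

def verdicts(routes, in_iface="isp_b"):
    """Accept/drop decision per RPF mode for REMOTE arriving on in_iface."""
    return {m: rpf_accepts(routes, REMOTE, in_iface, m)
            for m in ("strict", "feasible", "loose")}

if __name__ == "__main__":
    for name, table in (("default via isp_a only", PRIMARY_ONLY),
                        ("backup default via isp_b added", WITH_BACKUP)):
        print(name, verdicts(table))
```

With only a default route via the primary link, both strict and feasible-path checks drop traffic arriving on the backup link; a less-preferred default via the backup link is enough to satisfy the feasible-path check while outbound traffic still prefers the primary.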