saqib366
New Member
September 2, 2025
Question

iBGP on shortcut tunnel - ADVPN


I have a hub-and-spoke ADVPN topology. Shortcut tunnels are working fine, but direct BGP peering between spokes is not established and only spoke-to-hub BGP is working. I have configured neighbour groups/ranges at both the hub and the spokes. Kindly suggest a solution.

3 replies

GeorgeZhong
Staff & Editor
September 3, 2025

Hi @saqib366,

In a normal ADVPN Hub-and-Spoke setup, there shouldn't be direct BGP peering between two spokes. A spoke only establishes BGP peering with the Hub and learns the BGP routes from there, which include the BGP routes of other spokes.

An ADVPN shortcut tunnel will be negotiated between two spokes when one spoke sends the first packet to the other one through the Hub. This shortcut tunnel will make these two spokes directly connected. BGP between them is not required anyway.

The document below has a very brief introduction to the ADVPN setup, where we can see that each spoke only establishes BGP peering with the two Hubs.

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/985659/advpn-and-shortcut-paths

saqib366
Author
New Member
September 7, 2025

I understand, but the concern is that if the hub goes down, the shortcut tunnels stay up; however, the iBGP routes learned from the hub are no longer received. Without this routing information, spoke-to-spoke subnets lose reachability.

GeorgeZhong
Staff & Editor
September 12, 2025

@saqib366

If we are concerned that the Hub could go down, we can have a secondary Hub configured as backup.

This is just like the Route Reflector in an IBGP full mesh setup. We don't need to establish IBGP peering between the routers one by one; instead, we use the Route Reflector to achieve the full mesh. We can also have a secondary Route Reflector as backup in case the primary fails.

Regards,

George

GeorgeZhong
Staff & Editor
September 25, 2025

Hi @saqib366,

After FortiGate 7.4.0, there is a new feature that lets us have BGP peering between spokes. This requires the Hub to have the Route Reflector option disabled. Details can be found in the document below:

https://docs.fortinet.com/document/fortigate/7.4.0/sd-wan-new-features/63589/active-dynamic-bgp-neighbor-triggered-by-advpn-shortcut-7-4-1

Regards,

George