Issue with BGP over IPsec
Hi Community,
We are facing persistent BGP flapping over IPsec tunnels configured between our FortiGate and AWS Transit Gateways (TGWs). Our setup is as follows:
2 AWS TGWs
Each TGW provides 2 public IPs
Resulting in a total of 4 IPsec tunnels (established successfully)
BGP is configured for dynamic routing (local ASN 64520, remote ASN 64513)
Issue:
Although all 4 IPsec tunnels remain stable and up, BGP sessions reset every 40–60 seconds across all neighbors. The session uptime never exceeds 1 minute before dropping with the following message:
Troubleshooting Done:
Verified and matched AWS-supplied BGP configuration (hold time, keepalive, remote ASN, etc.)
IPsec tunnel selectors, Phase1/Phase2 settings are as per AWS VPN guide
Keepalive/hold timers: 3s / 10s (as required)
Disabled asymmetric routing to prevent ECMP/return path issues
Routes are being exchanged successfully during session uptime (e.g., 10.9.0.0/16)
Despite this, the BGP session resets persist consistently.
Has anyone experienced a similar issue with AWS TGWs and FortiGate? Any guidance or additional debug steps would be highly appreciated.
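A small analysis script, added here as an example and not part of the original post: it parses constructed BGP neighbor state-change log lines (the format, timestamps and neighbor addresses are assumed, not real FortiGate output), computes how long each session stayed Established, and flags neighbors that never hold a session for a full minute, so the reported 40-60 second flap interval can be confirmed from logs and compared against the 10 s hold timer.

```python
"""Flap-interval analysis for BGP neighbor state-change logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real FortiGate output); assumed format:
# "<ISO timestamp> neighbor <ip> state <Established|Idle>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 neighbor 169.254.10.1 state Established
2024-05-01T10:00:52 neighbor 169.254.10.1 state Idle
2024-05-01T10:00:55 neighbor 169.254.10.1 state Established
2024-05-01T10:01:41 neighbor 169.254.10.1 state Idle
2024-05-01T10:00:03 neighbor 169.254.20.1 state Established
2024-05-01T10:30:03 neighbor 169.254.20.1 state Idle
"""

HOLD_TIME_S = 10  # hold timer from the post (keepalive 3 s / hold 10 s)

def parse_events(text):
    """Return a dict neighbor -> list of (timestamp, state), sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "neighbor" or parts[3] != "state":
            continue  # skip lines that do not match the assumed format
        events[parts[2]].append((datetime.fromisoformat(parts[0]), parts[4]))
    for nbr in events:
        events[nbr].sort()
    return events

def session_durations(events):
    """Per neighbor, the number of seconds each Established period lasted."""
    durations = {}
    for nbr, evs in events.items():
        up_since, spans = None, []
        for ts, state in evs:
            if state == "Established":
                up_since = ts
            elif state == "Idle" and up_since is not None:
                spans.append((ts - up_since).total_seconds())
                up_since = None
        durations[nbr] = spans
    return durations

def flapping_neighbors(durations, min_stable_s=60):
    """Neighbors whose every session dropped before min_stable_s seconds."""
    return sorted(n for n, s in durations.items() if s and max(s) < min_stable_s)

if __name__ == "__main__":
    d = session_durations(parse_events(SAMPLE_LOG))
    for nbr, spans in d.items():
        verdict = "flapping" if nbr in flapping_neighbors(d) else "stable"
        print(nbr, spans, verdict, "hold timer:", HOLD_TIME_S)
```

Each computed lifetime can be checked against the hold timer: a drop well after 10 s of uptime shows the session survived several keepalive intervals before it was torn down.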
