Skip to main content
blackout
blackout
Explorer
October 29, 2025
Solved

Redistributing OSFP routes into BGP

  • October 29, 2025
  • 2 replies
  • 1272 views

Hey all

Using a 'hybrid' network model with Fortigate 80F and a Cisco catalyst 9200L
Forti handles the routing and is relayed to Cisco.

Im trying to relay OSPF routes learnt by Fortigate into iBGP handled by our ISP, however its not working.
i can see in Forti that the routes are connected locally but not propagated into BGP

I get routes from BGP so i can confirm that its working atleast one way, but not the other.

Im trying to propagate 10.0.1.1 10.0.2.1 10.0.3.1 all /25 to BGP for advertised routing

get router info bgp summary  VRF 0 BGP router identifier 172.16.0.10, local AS number 65500 BGP table version is 6 8 BGP AS-PATH entries 0 BGP community entries  Neighbor   V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd 172.16.0.9 4      65535     473     449        5    0    0 03:14:03      130  Total number of neighbors 1   corenet0-a #

 

get router info bgp summary  VRF 0 BGP router identifier 172.16.0.10, local AS number 65500 BGP table version is 6 8 BGP AS-PATH entries 0 BGP community entries  Neighbor   V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd 172.16.0.9 4      65535     473     449        5    0    0 03:14:03      130  Total number of neighbors 1   corenet0-a # get router info bgp neighbors VRF 0 neighbor table: BGP neighbor is 172.16.0.9, remote AS 65535, local AS 65500, external link   BGP version 4, remote router REDACTED   BGP state = Established, up for 03:14:32   Last read 00:00:17, hold time is 90, keepalive interval is 30 seconds   Configured hold time is 180, keepalive interval is 60 seconds   Neighbor capabilities:     Route refresh: advertised and received (old and new)     Address family IPv4 Unicast: advertised and received     Address family VPNv4 Unicast: advertised     Address family IPv6 Unicast: advertised     Address family VPNv6 Unicast: advertised     Address family L2VPN EVPN: advertised   Received 474 messages, 0 notifications, 0 in queue   Sent 450 messages, 0 notifications, 0 in queue   Route refresh request: received 0, sent 0   NLRI treated as withdraw: 0   Minimum time between advertisement runs is 30 seconds   Update source is VLAN22-MPLS   For address family: IPv4 Unicast   BGP table version 6, neighbor version 5   Index 1, Offset 0, Mask 0x2   NEXT_HOP is always this router   Community attribute sent to this neighbor (both)   Outbound path policy configured   Route map for outgoing advertisements is *RM_OSPF_TO_BGProot   130 accepted prefixes, 130 prefixes in rib   6 announced prefixes   For address family: VPNv4 Unicast   BGP table version 1, neighbor version 1   Index 1, Offset 0, Mask 0x2   Community attribute sent to this neighbor (both)   0 accepted prefixes, 0 prefixes in rib   0 announced prefixes   For address family: IPv6 Unicast

 

get router info bgp neighbors 172.16.0.9 advertised-routes  VRF 0 BGP table version is 6, local router ID is 172.16.0.10 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete     Network          Next Hop            Metric     LocPrf Weight RouteTag Path *> 10.0.0.0/30      172.16.0.10                        32768        0 ? <-/-> *> 10.0.1.0/25      172.16.0.10                        32768        0 ? <-/-> *> 10.0.2.0/25      172.16.0.10                        32768        0 ? <-/-> *> 10.0.3.0/25      172.16.0.10                        32768        0 ? <-/-> *> 10.0.4.0/25      172.16.0.10                        32768        0 ? <-/-> *> 172.16.0.8/29    172.16.0.10                        32768        0 ? <-/->  Total number of prefixes 6

 

get router info ospf route  OSPF process 0: Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2  C  10.0.0.0/30 [1] is directly connected, vlan9-control, Area 0.0.0.0 C  10.0.1.0/25 [1] is directly connected, VLAN11-Users, Area 0.0.0.0 C  10.0.2.0/25 [1] is directly connected, VLAN12-aux, Area 0.0.0.0 C  10.0.3.0/25 [1] is directly connected, VLAN13-Core, Area 0.0.0.0 C  10.0.4.0/25 [1] is directly connected, VLAN14-dmz, Area 0.0.0.0


 

Best answer by funkylicious

hi,

most likely the reason that 10.0.8.0/25 network isnt installing in RIB is due to the fact that in the AS Path you have the AS 65500 ( which is also your local BGP AS if im not mistaken ) found and by default it's denied.

 

under, config router bgp you should do set allowas-in-enable enable and see afterwards if it gets installed, otherwise you can use the default route to reach it ( you should activate/use that setting with care, it can create a loop in your network ).

2 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
October 29, 2025

First, between the FGT and Cisco, it's eBGP since AS numbers are different. Not sure what is not working. If it's locally connected route, you don't have to get them restributed between OSPF and BGP. They can get them redistributed from either RIB or directly from connected routes.
If OSPF or BGP is learning routes from outside over the routing protocol, you might want/need to redistribute/relay between them.

Toshi

    ElwinBERRAR
    ElwinBERRAR
    Explorer III
    October 29, 2025

    Hi From what I see, the FortiGate is already advertising the /25 routes since they show up under advertised routes. So it’s likely just a filtering issue on the provider side or something in the outbound route map.

      blackout
      blackoutAuthor
      Explorer
      October 30, 2025

      Thanks! Defining the routes i needed to propagate in the outbound route map fixed the issue.

      i see them showing up on my distant end device now.

      get router info bgp neighbors 172.16.0.1 received-routes
      VRF 0 BGP table version is 4, local router ID is 172.16.0.2
      Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
      Origin codes: i - IGP, e - EGP, ? - incomplete

      Network Next Hop Metric LocPrf Weight RouteTag Path
      *> 0.0.0.0/0 172.16.0.1 0 0 65400 3292 65108 44398 65168 ? <-/->
      *> 10.0.0.0/25 172.16.0.1 0 0 65400 3292 65535 i <-/->
      *> 10.0.1.0/25 172.16.0.1 0 0 65400 3292 65535 65500 ? <-/->
      *> 10.0.2.0/25 172.16.0.1 0 0 65400 3292 65535 65500 ? <-/->
      *> 10.0.3.0/25 172.16.0.1 0 0 65400 3292 65535 65500 ? <-/->

      Follow-up question: i'd expect them show up in the GUI Routing > BGP Paths, but they dont.
      Any idea why, and should i be scared that they show up as incomplete? <?> tag

        ElwinBERRAR
        ElwinBERRAR
        Explorer III
        October 30, 2025

        Great to hear that it worked!

        Regarding the GUI view, FortiGate doesn’t always display redistributed prefixes under BGP Paths, especially if they were learned dynamically or the table hasn’t refreshed yet. 

        The ? origin code simply means the routes were redistributed from another source, like OSPF or connected networks, so there’s nothing to worry about.

        Terms & ConditionsAccessibility statement