Description
The "set capability-default-originate" command, when set on a neighbor, enables or disables advertising of the default route to the BGP neighbors.
However, before deleting a neighbor that has this feature enabled, the feature must be disabled first; otherwise it will block the injection of any "default route" coming from any remaining BGP neighbor.
When the feature is enabled on a BGP neighbor and that same BGP neighbor is then deleted from the active BGP configuration on a FortiGate unit, the feature gets stuck, and any "default route" coming from any of the still active BGP neighbors (local or from the ISP) will not be installed in the FortiGate unit "Routing-Table".
Solution
There are several ways to effectively disable this feature:
- Add the just-removed BGP neighbor again, disable the feature (set capability-default-originate disable), and then remove the neighbor again, which is now safe.
- Restart the routing table via the CLI (exec router restart).
- Remove and re-add the full BGP configuration.
Note that clearing the BGP table (exec router clear bgp) or rebooting the FortiGate unit (exec reboot) does not solve this issue.
----------------------------------------------------------------------------------
# get router info bgp neighbors 50.55.55.130 routes
BGP table version is 1, local router ID is 15.15.15.15
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 0.0.0.0/0 50.55.55.130 0 0 61111 7999 i
Total number of prefixes 1
----------------------------------------------------------------------------------
# get router info bgp neighbors 10.255.25.25 routes
BGP table version is 1, local router ID is 15.15.15.15
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 0.0.0.0/0 10.255.25.25 0 0 62222 61111 7922 i
*> 10.0.0.0 10.255.25.25 0 0 62222 61010 ?
*> 10.201.16.0/21 10.255.20
----------------------------------------------------------------------------------
# get router info bgp network
BGP table version is 1, local router ID is 15.15.15.15
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 0.0.0.0/0 50.225.252.130 0 0 61111 7922 i
* 50.225.252.129 0 50 0 61111 7922 i
* 10.255.25.25 0 0 62222 61111 7922 i
*> 10.0.0.0 10.255.25.25 0 0 62222 61010 ?
----------------------------------------------------------------------------------
# get router info bgp network 0.0.0.0
BGP routing table entry for 0.0.0.0/0
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Not advertised to any peer
61111 7999
50.55.55.130 from 50.55.55.130 (10.250.209.60)
Origin IGP metric 0, localpref 100, valid, external
Last update: Thu Mar 23 12:15:40 2017
62222 61111 7999
10.255.25.25 from 10.255.25.25 (12.12.12.12)
Origin IGP metric 0, localpref 100, valid, external
Last update: Thu Mar 23 12:06:42 2017
Local
0.0.0.0 from 0.0.0.0 (15.15.15.15)
Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
Last update: Thu Mar 23 12:04:05 2017
----------------------------------------------------------------------------------
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
B 10.0.0.0/8 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
B 10.201.111.0/21 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
B 10.201.222.0/21 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
B 10.201.333.0/21 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
B 10.255.200.8/29 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
----------------------------------------------------------------------------------
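A check for the symptom shown in the output above, as an added example that is not part of the original article: it parses the text of "get router info bgp network 0.0.0.0" and "get router info routing-table all" and reports when neighbors offer a valid default route, the locally sourced path is best, and no 0.0.0.0/0 entry is installed. The function names and the abridged sample input are constructed for illustration.

```python
import re

# Constructed sample input, abridged from the CLI output shown above.
BGP_DEFAULT = """\
BGP routing table entry for 0.0.0.0/0
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Not advertised to any peer
61111 7999
50.55.55.130 from 50.55.55.130 (10.250.209.60)
Origin IGP metric 0, localpref 100, valid, external
62222 61111 7999
10.255.25.25 from 10.255.25.25 (12.12.12.12)
Origin IGP metric 0, localpref 100, valid, external
Local
0.0.0.0 from 0.0.0.0 (15.15.15.15)
Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
"""
ROUTING_TABLE = """\
B 10.0.0.0/8 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
B 10.255.200.8/29 [20/0] via 10.255.25.25, INSIDE-SMITH, 00:09:22
"""

def parse_paths(bgp_entry):
    """Return [(next_hop, attributes)] for each path in a BGP table entry."""
    paths, hop = [], None
    for line in bgp_entry.splitlines():
        m = re.match(r"\s*(\S+) from \S+ \(", line)
        if m:
            hop = m.group(1)          # "<next hop> from <peer> (<router id>)"
        elif hop and line.strip().startswith("Origin"):
            paths.append((hop, [a.strip() for a in line.split(",")]))
            hop = None                # attributes consumed; wait for next path
    return paths

def default_route_stuck(bgp_entry, routing_table):
    """True when peers offer a valid default route, the locally sourced
    path is best, and no 0.0.0.0/0 entry exists in the routing table."""
    paths = parse_paths(bgp_entry)
    external = [h for h, a in paths if "valid" in a and "external" in a]
    local_best = any("sourced" in a and "best" in a for _, a in paths)
    installed = any(re.match(r"\s*\S+\s+0\.0\.0\.0/0\s", line)
                    for line in routing_table.splitlines())
    return bool(external) and local_best and not installed

if __name__ == "__main__":
    print("default route stuck:", default_route_stuck(BGP_DEFAULT, ROUTING_TABLE))
```
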