ronmar (Staff)
Article Id 324609
Description

This article explains an issue with ADVPN using BGP as the routing protocol, where redistribution of connected routes is enabled and a shortcut is established between Spoke locations.
Scope

Some BGP neighbors do not establish and remain in the Active state when redistribution of connected routes is enabled in an ADVPN setup with BGP as the routing protocol.

[Screenshot: Inactive_BGP.jpg]

Network Topology:

[Screenshot: Network_top.jpg]

What happens when a shortcut is established between Spoke locations:

  1. Once the shortcut is established between Spoke1 and Spoke2, a connected route appears in the routing table.
  2. On Spoke2 this connected route is for the subnet of Spoke1, and vice versa.
  3. If all connected routes are redistributed into BGP, the connected route for Spoke1 that was added on Spoke2 via the shortcut is also redistributed into BGP.
  4. The Hub then learns the connected route for Spoke2 via Spoke1, and this is where the routing issue occurs.
  5. BGP fails to establish because the Hub's BGP traffic for Spoke2 is routed to Spoke1 instead of Spoke2.

Explanation with output:

This issue occurs because of the shortcut path created between Spoke1 and Spoke2. The tunnel IP of Spoke2 is seen as a connected route on Spoke1.

[Screenshot: Parent_interface.jpg]

Since redistribution of connected routes is enabled, Spoke1 advertises this route into BGP, so the Hub FortiGate receives the route to the remote IP 10.10.10.4 from Spoke1.

[Screenshot: Route_All.jpg]

This routing issue is why the BGP neighborship between the Hub FortiGate and the Spoke2 FortiGate fails.

Solution

There are two options:

  1. Disable redistribution of connected routes. If redistributing connected routes is required, use the second option.
  2. Create a redistribute filter in the BGP configuration of the Spoke FortiGate that is advertising the route, under Network -> BGP -> IPv4 Redistribute.

Note:

To create a filter, enable advanced routing under System -> Feature Visibility.

If the connected route is enabled, there will be two options (All or Filter):

  1. Select Filter.
  2. Create a Route Map under Network -> Routing Objects:
     • Create a new rule.
     • Leave the action set to Permit.
     • Enable Match IP address, then create a prefix list.
  3. Create a Prefix List:
     • Create a deny rule first for the spoke tunnel IP that must be blocked.
     • Then create a permit-any rule at the bottom.

Sample Prefix list:

[Screenshot: Prefix_list.jpg]

Select the prefix list created in the Route Map rule's 'Match IP address' field, then click Apply.

[Screenshot: Route_Map.jpg]

Select the Route Map created in the Redistribute Connected Route filter.

Note:

Create a Redistribute Connected filter on the other spoke as well, so that the other tunnel IP is also blocked from being advertised.


Once all the tunnel IP addresses are blocked from being advertised via BGP, the routing table on the Hub FortiGate should look like this.

All of the tunnel IPs are now advertised by the correct peering devices.

[Screenshot: Routing_Hub_Working.jpg]

The BGP peering with all of the neighbors will now be Established:

[Screenshot: BGP_Working.jpg]
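The state shown in the screenshots can also be checked from the CLI. The commands below are an added example, not part of the original article, using standard FortiOS get/show/diagnose commands; the address 10.10.10.4 is the one from the article.

```fortios
# Added example: CLI verification on the Hub FortiGate.

# Neighbor table: the State/PfxRcd column shows a prefix count once a session is
# Established; the word "Active" there is the failure state this article describes.
get router info bgp summary

# BGP routes on the Hub: 10.10.10.4 (Spoke2's tunnel IP, from the article) must no
# longer appear as a BGP route learned from Spoke1.
get router info routing-table bgp
get router info routing-table details 10.10.10.4

# On either spoke: confirm the route map is attached to the connected redistribution
# and check that the ADVPN shortcut tunnels are up.
show router bgp
diagnose vpn tunnel list
```

Run the Hub checks before and after applying the filters: the difference in the output of the `get router info routing-table details 10.10.10.4` command shows whether the host route is still being learned via the wrong spoke.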