Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ezhupa
Staff
Staff

Created on ‎09-12-2025 03:57 AM Edited on ‎09-19-2025 09:52 AM By Moderator

Article Id 410597

Technical Tip: BGP Graceful Restart with neighbor groups defined with neighbor-range command not working

Description This article describes issues with the Graceful Restart feature when used with neighbor groups defined with the neighbor-range command.
Scope FortiGate, FortiOS.
Solution

In some cases, when administrators need to configure multiple BGP neighbors, to simplify the configuration, BGP neighbor groups are created and defined with the neighbor-range command.
As an example:

 

config router bgp
    set as Y.Y.Y.Y
    set router-id z.z.z.z
    set holdtime-timer 60
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set graceful-restart enable
    next
end


config neighbor-group
    edit "test_1"
        set capability-graceful-restart enable
        set link-down-failover enable
        set next-hop-self enable
        set soft-reconfiguration enable
        set remote-as X.X.X.X
    next
end


config neighbor-range
    edit 1
        set prefix 192.10.10.0 255.255.255.0
        set neighbor-group "test_1"
    next
end

 

Administrators usually also want to use the Graceful Restart feature to avoid network disruptions and packet loss in cases of a failover or a reboot of the cluster.

 

How BGP graceful restart works in that scenario is explained here: Understanding Graceful restart and non-stop forwarding for BGP in FortiGate HA 

 

When using this 'neighbor-groups', during failover testing, packet loss can be seen.
Reverting the configuration to manually configured neighbors corrects the packet loss. This indicates a possible issue with Graceful Restart when using BGP neighbor groups defined with the neighbor-range command.

 

Conclusion:

Since neighbor-groups are passive and cannot trigger a re-connection, it's expected that neighbor-groups defined with neighbor-range can't perform Graceful Restart when it is the side that initiates a restart.


BGP graceful restart against dynamic BGP peers during a HA failover is not supported at this time in FortiOS.

 

To avoid packet loss using BGP neighbor-groups on SD-WAN Hubs, it is necessary to activate the route-stale option on each BGP neighborship with each Hub on every Spoke:

 

config router bgp

    config neighbor

        edit Y.Y.Y.Y

            set stale-route enable

        next

    end

 

Instead, in order to benefit fully from the Grace Restart feature, BGP configuration would need to be modified to manually configure neighbors instead of neighbor-groups defined with neighbor-range.
325
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.