FortiGate
rbarnes (Staff)
Article Id 340429
Description

This article covers a scenario with a BGP session configured between two devices, where BGP on one or both FortiGates is flapping up and down.

Scope

FortiGate.
Solution

A common cause of this is ISP connectivity or packet loss.

Step 1. Check connectivity by pinging the neighbor.

Step 2. Check the current BGP neighbor adjacency states.

get router info bgp summary


Step 3. Sniff the packets and check the flow and event log.

diagnose sniffer packet <connected port or any> 'host x.x.x.x and port 179' 6 0 l <----- Where x.x.x.x is the remote neighbor address.

Debug flow:

diagnose debug flow filter dport 179
diagnose debug flow filter addr <neighbor ip>
diagnose debug flow show iprope enable
diagnose debug en
diagnose debug flow trace start

Note:

Starting from v7.2.0, it is possible to collect BGP debugs for a specific neighbor by using the filter command 'diag ip router bgp set-filter neighbor <neighbor address>'. For more details, see Technical Tip: Capture BGP debugs for a specific neighbor.


Check the event log to see if the port is going up and going down.

If the issue is not resolved after verifying that connectivity is working with no loss, run the BGP debug:

diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug en
diagnose debug console timestamp enable

Here is an example of BGP debug output showing the symptoms:

BGP: <neighbor ip>-Outgoing [NETWORK] FD=26, Sock Status: 110-Connection timed out
BGP: <neighbor ip>-Outgoing [FSM] State: Connect Event: 18

In this example, the FortiGate was not receiving a reply from the neighbor to establish the BGP session, so it keeps retrying until it receives the neighbor's BGP protocol packet.

The MTU should also be consistent along the path. Though a matching MTU is not a requirement for the BGP neighborship to come up, once NLRI is exchanged in BGP update packets the FortiGate will send packets as large as the MTU of the outgoing interface. If fragmentation is not allowed and a lower MTU is present somewhere in the path, these packets are dropped. Consequently, the BGP neighborship will flap every 180 seconds, or after the time configured in the hold-down timer.
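To tell the two symptoms apart in a captured debug (the connect timeouts shown above versus sessions that drop at hold-timer expiry after the MTU-sized updates are sent), the following added example, which is not part of the original article, parses timestamped "diagnose ip router bgp" lines and reports per-neighbor counters. The sample output is constructed; the "YYYY-MM-DD HH:MM:SS" timestamp prefix and the FSM event numbers other than 18 are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of "diagnose ip router bgp" output with console timestamps. The BGP
# line format follows the article; timestamp prefix and events other than 18 are assumed.
SAMPLE = """\
2024-01-10 10:00:00 BGP: 10.1.1.2-Outgoing [FSM] State: Established Event: 27
2024-01-10 10:03:00 BGP: 10.1.1.2-Outgoing [FSM] State: Idle Event: 10
2024-01-10 10:03:05 BGP: 10.1.1.2-Outgoing [NETWORK] FD=26, Sock Status: 110-Connection timed out
2024-01-10 10:03:05 BGP: 10.1.1.2-Outgoing [FSM] State: Connect Event: 18
2024-01-10 10:03:30 BGP: 10.1.1.2-Outgoing [FSM] State: Established Event: 27
2024-01-10 10:06:30 BGP: 10.1.1.2-Outgoing [FSM] State: Idle Event: 10
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) BGP: (?P<peer>[\d.]+)-\w+ "
                     r"\[(?P<cat>\w+)\] (?P<msg>.*)$")
STATE_RE = re.compile(r"State: (?P<state>\w+) Event: \d+")

def parse_bgp_debug(text):
    # Yield (timestamp, peer, category, message) for each line in the debug format.
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["peer"], m["cat"], m["msg"]

def analyze(text, hold_time=180, tolerance=5):
    # Per peer: count TCP connect timeouts, record how long each Established period
    # lasted, and flag drops that line up with hold-timer expiry (the MTU symptom).
    summary, established_since = {}, {}
    for ts, peer, cat, msg in parse_bgp_debug(text):
        s = summary.setdefault(peer, {"timeouts": 0, "up_durations": [], "hold_timer_drops": 0})
        if cat == "NETWORK" and "Connection timed out" in msg:
            s["timeouts"] += 1
        sm = STATE_RE.search(msg) if cat == "FSM" else None
        if sm and sm["state"] == "Established":
            established_since[peer] = ts
        elif sm and peer in established_since:  # any other state after Established is a drop
            up_for = (ts - established_since.pop(peer)).total_seconds()
            s["up_durations"].append(up_for)
            if abs(up_for - hold_time) <= tolerance:
                s["hold_timer_drops"] += 1
    return summary

def likely_cause(peer_summary):
    if peer_summary["hold_timer_drops"]:
        return "drops at hold-timer expiry: check path MTU and fragmentation for large UPDATEs"
    if peer_summary["timeouts"]:
        return "TCP connect timeouts: check connectivity and packet loss to the neighbor"
    return "no flap pattern detected"
```

Run analyze() over the saved debug output and pass each neighbor's summary to likely_cause(); a non-default hold timer is given via the hold_time argument.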

Note:

High CPU usage can also disrupt BGP processing, as a device handling a large amount of traffic may fail to process BGP packets on time.

Related articles:

Technical Tip: BGP Neighbor Adjacency States

Technical Tip: FortiOS BGP Resource List