akristof (Staff)
Article Id 296149
Description This article describes how to configure BGP on Loopback with SD-WAN to achieve correct BGP failover over the secondary tunnel in case of failure.
Scope FortiGate v7.0+.
Solution

For configuration information, visit the following KB article: Technical Tip: ADVPN with BGP on loopback

BGP on Loopback is commonly used in ADVPN topology together with SD-WAN on spokes. To have a correct failover of BGP over an available tunnel, an SD-WAN health-check is used.

Spoke1 sample configuration:

config system interface
    edit "SP1_Loopback"
        set vdom "root"
        set ip 172.16.100.2 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 16
    next
end

config router bgp
    set as 65500
    set router-id 10.255.255.2
    set ibgp-multipath enable
    set additional-path enable
    set recursive-next-hop enable
    set tag-resolve-mode merge
    config neighbor
        edit "172.16.100.1" <-- HUB loopback IP address
            set soft-reconfiguration enable
            set interface "SP1_Loopback"
            set remote-as 65500
            set route-map-in "set-tag"
            set update-source "SP1_Loopback"
            set additional-path both
        next
    end
end

This device has two tunnels, and both are members of SD-WAN. The tunnels do not have their own IP addresses, and therefore it is necessary to specify a source IP address for the health-check packets on Spoke 1 as follows:


config system sdwan
    set status enable
    config zone
        edit "ADVPN_Z"
        next
    end
    config members
        edit 1
            set interface "advpn"
            set zone "ADVPN_Z"
            set source 172.16.100.2
        next
        edit 2
            set interface "advpn_b"
            set zone "ADVPN_Z"
            set source 172.16.100.2
        next
    end
end


The server IP address used for the health check on the Spoke must be different from the Hub Loopback IP address used for the BGP neighborship. In this example, the HUB's Loopback IP address used for BGP is 172.16.100.1. For the health check, a different remote IP address is used as the server:


config health-check
    edit "Hub_HC"
        set server "172.31.100.1" <-- must be different from the BGP neighbor address.
        set members 1 2
    next
end

The reason a different target IP address is required for the health check is that a kernel route for the health-check server IP is created over each member, as follows:


get router info kernel | grep 172.31.100.1
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 172.16.100.2/255.255.255.255/0->172.31.100.1/32 pref=0.0.0.0 gwy=20.0.0.1 dev=20(advpn)
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 172.16.100.2/255.255.255.255/0->172.31.100.1/32 pref=0.0.0.0 gwy=30.0.0.1 dev=21(advpn_b)

These kernel routes exist to support the health check and are not removed even when the health check fails.

If the BGP neighbor configuration incorrectly references the same IP address as the health check, the spoke will continue to send BGP traffic over the tunnel that the peering was initially established over, even if the health check for this tunnel is failing.
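A small check for the condition described above, added here as an example and not Fortinet code: it parses kernel route lines in the `get router info kernel` format shown earlier and flags any BGP neighbor address that has a host (/32) route over an SD-WAN member, which is exactly what a health check targeting the BGP neighbor address leaves behind. The first two sample lines mirror the correct output above; the third is constructed to show the misconfigured case.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of `get router info kernel` output.
# Lines 1-2: correct setup (health-check server 172.31.100.1).
# Line 3: constructed misconfiguration where the health check targets the
# BGP neighbor address 172.16.100.1 itself.
KERNEL_ROUTES = """\
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 172.16.100.2/255.255.255.255/0->172.31.100.1/32 pref=0.0.0.0 gwy=20.0.0.1 dev=20(advpn)
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 172.16.100.2/255.255.255.255/0->172.31.100.1/32 pref=0.0.0.0 gwy=30.0.0.1 dev=21(advpn_b)
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 172.16.100.2/255.255.255.255/0->172.16.100.1/32 pref=0.0.0.0 gwy=20.0.0.1 dev=20(advpn)
"""

ROUTE_RE = re.compile(
    r"proto=(?P<proto>\d+) prio=\d+ (?P<src>[\d.]+)/[\d.]+/\d+"
    r"->(?P<dst>[\d.]+)/(?P<plen>\d+) pref=[\d.]+ gwy=(?P<gwy>[\d.]+) dev=\d+\((?P<dev>[^)]+)\)"
)


@dataclass(frozen=True)
class KernelRoute:
    proto: int   # route protocol id (18 in the sample output)
    src: str     # source address the route applies to (the loopback here)
    dst: str     # destination address
    plen: int    # destination prefix length
    gwy: str     # gateway
    dev: str     # egress interface name


def parse_kernel_routes(text):
    """Parse kernel route lines; lines that do not match the format are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            routes.append(KernelRoute(int(m["proto"]), m["src"], m["dst"],
                                      int(m["plen"]), m["gwy"], m["dev"]))
    return routes


def pinned_bgp_neighbors(routes, bgp_neighbors, sdwan_members):
    """Return {neighbor: [member devs]} for BGP neighbors that have a /32 kernel
    route over an SD-WAN member. A health check installs such a route for its
    server, so a hit means the health-check server equals the BGP neighbor
    address and BGP traffic stays pinned to that tunnel when the check fails."""
    pinned = {}
    for r in routes:
        if r.plen == 32 and r.dst in bgp_neighbors and r.dev in sdwan_members:
            pinned.setdefault(r.dst, []).append(r.dev)
    return pinned


if __name__ == "__main__":
    hits = pinned_bgp_neighbors(parse_kernel_routes(KERNEL_ROUTES),
                                {"172.16.100.1"}, {"advpn", "advpn_b"})
    for nbr, devs in hits.items():
        print(f"BGP neighbor {nbr} is pinned by a health-check host route via {devs}")
```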