serge_FTNT
Staff
Article Id 194410

Description

This article addresses an issue where BGP peering fails to establish even though basic connectivity to the peer (ping, TCP) is fine.


Scope

FortiOS v5.2 and above.


Solution

Collect a sniffer trace on the FortiGate using (replace <remote peer> with the IP address of the BGP neighbor):

diagnose sniffer packet any 'host <remote peer> and tcp port 179' 4 0 l

The TCP 3-way handshake (SYN / SYN-ACK / ACK) will be seen, but it is quickly followed by a FIN and an RST, as in the trace below:

 

v501  out  syn 4224897778
v501  in   syn 1861781389 ack 4224897779
v501  out  ack 1861781390
v501  in   psh 1861781390 ack 4224897840
v501  out  ack 1861781456
v501  out  psh 4224897840 ack 1861781456
v501  out  fin 4224897861 ack 1861781456
v501  in   ack 4224897862
v501  in   psh 1861781456 ack 4224897862
v501  out  rst 4224897862


Collect the output of:

diagnose ip router bgp all enable
diagnose debug enable

The above debug command collects logs for all BGP peers on this router (FortiGate). In an environment with many BGP peers, if the FortiGate is running v7.2.0 or above, the BGP log can be collected for the single neighbor under troubleshooting, which saves searching through unrelated logs. Follow this KB article for more details: Technical Tip: Capture BGP debugs for a specific neighbor.

diagnose debug reset  <- To clear any existing debug settings.
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose ip router bgp set-filter neighbor x.x.x.x   <- IP address of the peer being troubleshot.
diagnose debug enable


If the output shows messages as below:

 

Outgoing [FSM] State: OpenSent Event: 22"
Outgoing [DECODE] Open Cap: Cap Code 66, Cap Len 0"
Outgoing [DECODE] Open Cap: unrecognized capability code 66 len 0"
id=20301 logdesc="Routing log" msg="BGP: [GRST] Timer Announce Defer: Check"
Outgoing [DECODE] Open Cap: Cap Code 67, Cap Len 3"
Outgoing [DECODE] Open DYN: Cap-length error 3"
Outgoing [ENCODE] Msg-Hdr: Type 3"
id=20301 logdesc="Routing log" msg="BGP: %BGP-3-NOTIFICATION

Then the cause is capability code 66, which is deprecated (2003-03-06): the peer advertises it in its OPEN message, the FortiGate does not recognize it, and the session is torn down with a NOTIFICATION (the 'Msg-Hdr: Type 3' line above).

Since FortiGate's 'capability-dynamic' BGP setting is disabled by default, one solution is to disable the BGP dynamic capability on the Cisco unit:

N7K(config)# router bgp 65100
N7K(config-router)# neighbor x.x.x.x
N7K(config-router-neighbor)# no dynamic-capability

The following capabilities are not supported by FortiGate and should be disabled on the BGP neighbor; each is shown as it appears in the debug output:
  • Open Cap: unrecognized capability code 70 len 0 <----- Enhanced Route Refresh Capability.
  • Open Cap: unrecognized capability code 6 len 0 <----- BGP Extended Message.
  • Open Cap: unrecognized capability code 66 len 0 <----- Deprecated (2003-03-06).
  • Open Cap: unrecognized capability code 73 len 21 <----- FQDN Capability.
  • Open Cap: unrecognized capability code 71 len 7 <----- Long-Lived Graceful Restart (LLGR) Capability.
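
As an added example (not FortiOS code and not part of this article), the Python below decodes the capability TLVs carried in a BGP OPEN message (RFC 4271 header, RFC 5492 Capabilities optional parameter) and flags the codes the list above says FortiGate does not recognize, so the peer's OPEN can be checked from a packet capture before digging through debugs. It also extracts the same codes from debug lines in the format shown earlier. The sample OPEN and debug lines are constructed here; the three value bytes given to capability 67 are only a placeholder mirroring the 'Cap Len 3' in the debug output, not a real encoding.

```python
"""Decode the capabilities in a BGP OPEN and flag the ones FortiGate does not
recognize. Added example; not FortiOS code."""
import re
import struct
from dataclasses import dataclass

# Capability codes the article lists as unsupported on FortiGate (names as given there).
UNSUPPORTED_BY_FORTIGATE = {
    6: "BGP Extended Message",
    66: "Deprecated (2003-03-06)",
    70: "Enhanced Route Refresh",
    71: "Long-Lived Graceful Restart (LLGR)",
    73: "FQDN",
}

BGP_MARKER = b"\xff" * 16       # RFC 4271: 16 bytes of all ones
OPEN = 1                        # message type
OPT_PARAM_CAPABILITIES = 2      # RFC 5492 optional parameter type


@dataclass
class Capability:
    code: int
    value: bytes

    @property
    def length(self) -> int:
        return len(self.value)


def build_open(my_as: int, hold_time: int, bgp_id: str, caps: list) -> bytes:
    """Assemble a minimal OPEN carrying one Capabilities parameter per capability."""
    params = b"".join(
        bytes([OPT_PARAM_CAPABILITIES, 2 + c.length, c.code, c.length]) + c.value
        for c in caps
    )
    ident = bytes(int(o) for o in bgp_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, ident, len(params)) + params
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body


def parse_open_capabilities(msg: bytes) -> list:
    """Walk the OPEN's optional parameters and return every capability TLV,
    raising on the truncations a real decoder reports as length errors."""
    if len(msg) < 29 or msg[:16] != BGP_MARKER:
        raise ValueError("not a BGP message (bad marker or shorter than a minimal OPEN)")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != OPEN:
        raise ValueError(f"expected OPEN (type 1), got type {msg_type}")
    if length != len(msg):
        raise ValueError(f"header says {length} bytes, got {len(msg)}")
    opt = msg[29:]
    if len(opt) != msg[28]:
        raise ValueError("optional parameter length does not match message length")
    caps, i = [], 0
    while i < len(opt):
        if i + 2 > len(opt):
            raise ValueError("optional parameter header truncated")
        p_type, p_len = opt[i], opt[i + 1]
        p_val = opt[i + 2:i + 2 + p_len]
        if len(p_val) != p_len:
            raise ValueError(f"optional parameter type {p_type} truncated")
        if p_type == OPT_PARAM_CAPABILITIES:
            j = 0
            while j < len(p_val):
                if j + 2 > len(p_val):
                    raise ValueError("capability header truncated")
                c_code, c_len = p_val[j], p_val[j + 1]
                c_val = p_val[j + 2:j + 2 + c_len]
                if len(c_val) != c_len:
                    raise ValueError(f"capability code {c_code}: length error {c_len}")
                caps.append(Capability(c_code, c_val))
                j += 2 + c_len
        i += 2 + p_len
    return caps


def unsupported_capabilities(caps: list) -> list:
    """(code, name) for each advertised capability FortiGate does not recognize."""
    return [(c.code, UNSUPPORTED_BY_FORTIGATE[c.code])
            for c in caps if c.code in UNSUPPORTED_BY_FORTIGATE]


_UNRECOGNIZED = re.compile(r"unrecognized capability code (\d+) len (\d+)")


def scan_bgp_debug(lines) -> list:
    """Pull (code, len) pairs out of 'diagnose ip router bgp' debug lines."""
    return [(int(m.group(1)), int(m.group(2)))
            for line in lines if (m := _UNRECOGNIZED.search(line))]


# Constructed sample OPEN: MP-BGP IPv4 unicast (1) and Route Refresh (2), which
# FortiGate handles, plus codes 66 and 70 and a code 67 with placeholder bytes.
SAMPLE_OPEN = build_open(65100, 180, "10.0.0.1", [
    Capability(1, b"\x00\x01\x00\x01"),
    Capability(2, b""),
    Capability(66, b""),
    Capability(67, b"\x00\x00\x00"),
    Capability(70, b""),
])

# Constructed debug lines in the format shown in the article.
SAMPLE_DEBUG = [
    'Outgoing [DECODE] Open Cap: Cap Code 66, Cap Len 0"',
    'Outgoing [DECODE] Open Cap: unrecognized capability code 66 len 0"',
    'Outgoing [DECODE] Open Cap: unrecognized capability code 70 len 0"',
]

if __name__ == "__main__":
    for code, name in unsupported_capabilities(parse_open_capabilities(SAMPLE_OPEN)):
        print(f"peer advertises capability {code} ({name}): disable it on the neighbor")
    print(scan_bgp_debug(SAMPLE_DEBUG))
```

To check a real peer, extract the OPEN payload from the port 179 capture (the first PSH segment from the peer after the handshake) and pass its bytes to parse_open_capabilities; any code returned by unsupported_capabilities is one to turn off on the neighbor before retrying the session.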