FortiGate
sagha (Staff)
Article Id 193687

Description


This article describes why a BGP route cannot be recursively resolved through another BGP route. The affected routes are learned via BGP but are not installed in the active routing table.

get router info bgp network 10.10.10.0
Paths: (2 available, no best path)
Local
10.20.1.4 (inaccessible) from 10.21.16.15 (10.21.116.20)
Local
10.20.1.4 (inaccessible) from 10.21.16.16 (10.21.116.20)

 

The route that covers the next hop 10.20.1.4 is itself another BGP route:

get router info routing-table details 10.20.1.4
Routing entry for 10.20.1.0/28
Known via "bgp", distance 200, metric 0, best
Last update 07w2d18h ago
* 10.21.116.28 (recursive via 10.21.161.21)

 

The problem is that the route used to reach the next hop 10.20.1.4 is also a BGP route. FortiGate therefore treats the next hop as invalid and does not install the route in the routing table:

get router info routing-table details 10.10.10.0
% Network not in table
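As an added diagnostic example (not part of the original article), the following Python parses the two CLI outputs shown above and classifies each next hop that FortiGate marks inaccessible. The sample outputs are constructed from the article's text, and the `lookup` callable, which would return the routing-table details for a given address, is a hypothetical helper.

```python
import re

# Constructed sample, modelled on the 'get router info bgp network' output in the article.
BGP_NETWORK_OUTPUT = """\
Paths: (2 available, no best path)
Local
10.20.1.4 (inaccessible) from 10.21.16.15 (10.21.116.20)
Local
10.20.1.4 (inaccessible) from 10.21.16.16 (10.21.116.20)
"""

# Constructed sample, modelled on 'get router info routing-table details <next-hop>'.
ROUTE_DETAILS_OUTPUT = """\
Routing entry for 10.20.1.0/28
Known via "bgp", distance 200, metric 0, best
Last update 07w2d18h ago
* 10.21.116.28 (recursive via 10.21.161.21)
"""

NEXTHOP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) \((\w+)\) from (\S+)")
KNOWN_VIA_RE = re.compile(r'Known via "([^"]+)"')

def inaccessible_next_hops(bgp_output):
    """Next-hop addresses that the BGP path output marks '(inaccessible)'."""
    hops = set()
    for line in bgp_output.splitlines():
        m = NEXTHOP_RE.match(line)
        if m and m.group(2) == "inaccessible":
            hops.add(m.group(1))
    return hops

def route_protocol(details_output):
    """Protocol the covering route is 'Known via', or None for '% Network not in table'."""
    m = KNOWN_VIA_RE.search(details_output)
    return m.group(1) if m else None

def diagnose(bgp_output, lookup):
    """Classify each inaccessible next hop; lookup(ip) is a hypothetical callable
    returning the 'routing-table details' output for that address."""
    report = {}
    for hop in sorted(inaccessible_next_hops(bgp_output)):
        proto = route_protocol(lookup(hop))
        if proto == "bgp":
            report[hop] = "covered only by a BGP route; recursive-next-hop is disabled by default"
        elif proto is None:
            report[hop] = "no route in the table for this next hop"
        else:
            report[hop] = "covered by a %s route; resolution failure lies elsewhere" % proto
    return report
```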

 

Scope

FortiGate.

 

Solution

The alternatives to fix this issue are as follows:

  1. Add a static route to reach the next hop that overrides the BGP route.
  2. Configure 'set next-hop-self enable' under the BGP neighbor.

 

config router bgp
    config neighbor

        edit "x.x.x.x"
            set next-hop-self enable
        next
    end
end

 

If a static route is already present, the next-hop-self command does not take precedence over it. The next-hop-self command sets the next hop of all prefixes received by the neighbor to its own IP. This may be more than is required; it may only be necessary to change the next hop for the prefix 10.20.1.0/28.

 

In this case, perform the following:

config router prefix-list
    edit "myprefix"
        config rule
            edit 1
                set prefix 10.20.1.0 255.255.255.240
                unset ge
                unset le
            next
        end
    next
end

config router route-map
    edit "next-hop"
        config rule
            edit 1
                set match-ip-address "myprefix"
                set set-ip-nexthop 192.168.5.4
            next
            edit 2
            next
        end
    next
end

config router bgp
    config neighbor
        edit "x.x.x.x"
            set route-map-in "next-hop"
        next
    end
end

Rule 2 of the route-map has no match statement, so it permits all other prefixes unchanged; without it, prefixes not matched by rule 1 would be denied by the route-map.

 

  3. When a BGP next hop requires recursive resolution, the default behavior is to consider all routes except BGP routes. In v7.0.0 the following option was introduced; when enabled, it allows recursive next-hop resolution to use BGP routes as well.

 

config router bgp
    set recursive-next-hop [ enable | disable* ]
end

 

By default, this option is disabled.

 

Note:

The 'depth' of recursive resolving is 2. The recursive route resolving mechanism avoids infinite resolving when a looping condition occurs.
For BGP routes, 2 rounds of resolving are performed:

  • 1st round: BGP routes are resolved only by non-BGP routes.
  • 2nd round: by all routes.

As a result, if the route for a specific BGP next hop is itself learned via a BGP route with a recursive next hop, the prefix will not be installed in the BGP table, and the next hop is reported as inaccessible.

 

Related document:

BGP next hop recursive resolution using other BGP routes