sagha (Staff)
Article Id 346418
Description This article describes why routes learned via BGP are not added to the routing table when an IP Pool containing the BGP neighbor's IP address is present.
Scope FortiGate, BGP, IP Pool.
Solution

Interface:

config system interface
    edit "internet"
        set ip 10.10.10.197 255.255.255.240
        set role wan
        set snmp-index 91
    next
end

BGP config:

config router bgp
    set as 65001
    set ebgp-multipath enable
    set ibgp-multipath enable
        config neighbor
            edit "10.10.10.204"
                set soft-reconfiguration enable
                set remote-as 65001
                set update-source "internet"
            next
        end
end

The BGP peering comes up, but the route learned via BGP is not added to the routing table:

id=20300 msg="BGP: %BGP-5-ADJCHANGE: VRF 1 neighbor 10.10.10.204 Up "

Upon receiving the route, the debugs from the article Technical Tip: FortiGate routing debug commands, together with the commands below, show the following output:

diag ip router command show debug nsm kernel
diag ip router command show debug nsm level info
diag debug enable

zebos_launcher: FQDN message received
zebos_launcher: FQDN message type 0x1002, vfid 0
NSM: NSM Message Header
NSM: VR ID: 4
NSM: VRF ID: 1
NSM: Message type: IPv4 Route (31)
NSM: Message length: 88
NSM: Message ID: 0x000000f2
NSM: NSM IPv4 route add
NSM: Flags: 5
NSM: Route: 0.0.0.0/0
NSM: Type: 8
NSM: Metric: 0
NSM: Distance: 20
NSM: Nexthop: 10.10.10.204 ifindex 0 tag 0 flag 0x0
NSM: RIB update for 0.0.0.0/0
NSM: RIB[vrf0:0.0.0.0/0]: Update FIB
NSM: netlink_talk: netlink-cmd type RTM_DELROUTE(25), seq=3116
NSM: netlink_parse_info2: netlink-cmd ACK: type=RTM_DELROUTE(25), seq=3116, pid=0
NSM: netlink_talk: netlink-cmd type RTM_DELROUTE(25), seq=3117
NSM: netlink_parse_info2: netlink-cmd ACK: type=RTM_DELROUTE(25), seq=3117, pid=0

As can be seen, for the default route advertised by neighbor 10.10.10.204, the NSM debugs show an RTM_DELROUTE being sent to the kernel rather than the route being installed.

At this point it is important to check whether an IP Pool is configured with an IP address that matches (or whose range includes) the BGP neighbor IP, which is also the next-hop address of the received route:

config firewall ippool
    edit "NEW-Pool"
        set type one-to-one
        set startip 10.10.10.204
        set endip 10.10.10.204
    next
end

In this case, because an IP Pool containing 10.10.10.204 was configured, the route failed to be added to the routing table.

The address configured under the IP Pool is added to the kernel as a local address; in the above case, 10.10.10.204 is therefore treated as one of the FortiGate's own addresses.

Any route received with 10.10.10.204 as its gateway or next hop will consequently fail and not be added to the kernel, since the kernel will not install a route whose next hop is a local address.

To fix this, do one of the following:

  • Remove the IP Pool.
  • Disable arp-reply on the IP Pool (set arp-reply disable under config firewall ippool).
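As an added example (not part of this article or of Fortinet's tooling), the following Python script scans a FortiGate CLI configuration for the condition described above: a BGP neighbor whose address falls inside a configured IP Pool that still answers ARP. The sample configuration is constructed to mirror the article's neighbor and IP Pool, plus a second pool covering the same address but with arp-reply disabled, which the check treats as safe per the fix listed above.

```python
import ipaddress
import re

# Constructed sample FortiGate CLI config mirroring the article's neighbor and IP Pool.
SAMPLE_CONFIG = """\
config router bgp
    config neighbor
        edit "10.10.10.204"
        next
    end
end
config firewall ippool
    edit "NEW-Pool"
        set startip 10.10.10.204
        set endip 10.10.10.204
    next
    edit "Safe-Pool"
        set startip 10.10.10.200
        set endip 10.10.10.207
        set arp-reply disable
    next
end
"""

def parse_entries(config, section):
    """Map entry name -> {key: value} for 'edit' entries in the first `section` block."""
    block = re.search(r"^\s*" + re.escape(section) + r"\s*$(.*?)^\s*end\s*$",
                      config, re.M | re.S)
    entries = {}
    for name, body in re.findall(r'edit "([^"]+)"(.*?)^\s*next\s*$',
                                 block.group(1) if block else "", re.M | re.S):
        entries[name] = dict(re.findall(r"^\s*set (\S+) (.+?)\s*$", body, re.M))
    return entries

def conflicting_neighbors(config):
    """(neighbor_ip, pool_name) pairs where a BGP neighbor address lies inside an
    IP Pool that still answers ARP; pools with 'set arp-reply disable' are skipped."""
    pools = parse_entries(config, "config firewall ippool")
    hits = []
    for neighbor in parse_entries(config, "config neighbor"):
        ip = ipaddress.ip_address(neighbor)  # BGP neighbor entries are keyed by IP
        for name, attrs in pools.items():
            if attrs.get("arp-reply") == "disable":
                continue
            low = ipaddress.ip_address(attrs.get("startip", "0.0.0.0"))
            high = ipaddress.ip_address(attrs.get("endip", "0.0.0.0"))
            if low <= ip <= high:
                hits.append((neighbor, name))
    return hits
```

Run it against the output of "show full-configuration" to flag pools that would cause a BGP next hop to be rejected by the kernel before the peering is brought up.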