FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ronmar
Staff
Article Id 324609
Description This article explains an issue with ADVPN with BGP as a routing protocol when redistributing connected routes is enabled.
Scope

Some BGP neighbors will not establish, or will remain in the Active state, when redistribution of connected routes is enabled in an ADVPN setup that uses BGP as the routing protocol.

Inactive_BGP.jpg

Network Topology:

Network_top.jpg

This issue occurs because a shortcut path is created between Spoke1 and Spoke2. The tunnel IP of Spoke2 is then seen as a connected route on Spoke1.

Parent_interface.jpg

Since redistribution of connected routes is enabled, Spoke1 advertises this route into BGP. As a result, the hub FortiGate sees the route to the remote IP 10.10.10.4 (Spoke2's tunnel IP) as received from Spoke1.

Route_All.jpg

This routing issue is why the BGP neighborship between the hub FortiGate and the Spoke2 FortiGate fails: the hub now reaches Spoke2's tunnel IP through the route learned from Spoke1 rather than over its own tunnel to Spoke2.

Solution
  • The first option is to disable redistribution of connected routes. When redistributing connected routes is required, proceed with the second option.
  • The second option is to create a redistribute filter in the BGP configuration of the spoke FortiGate that is advertising the route, under Network -> BGP -> IPv4 Redistribute.


Note:

To create a filter, enable the Advanced Routing feature under System -> Feature Visibility.

If redistribution of connected routes is enabled, there are two options (All or Filter):

  1. Select Filter.
  2. Create a Route Map under Network -> Routing Objects:
    • Create a new rule.
    • Leave the action set to Permit.
    • Enable 'Match IP address', then create a prefix list.
  3. Create a Prefix List:
    • Create a deny rule first for the spoke tunnel IP that must be blocked.
    • Then create a permit-any rule at the bottom.


Sample Prefix list:

Prefix_list.jpg

Select the prefix list created above in the Route Map rule's 'Match IP address' field, then click Apply.


Route_Map.jpg

Select the Route Map created above in the Redistribute Connected Route filter.


Note:

Create a Redistribute Connected filter on the other spoke as well, blocking that spoke's peer tunnel IP from being advertised.
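The same filter can be built from the FortiOS CLI. The following is an added example and not configuration taken from the article: it assumes Spoke1's BGP instance is already configured, denies 10.10.10.4 (Spoke2's tunnel IP as given in the article), and uses the object names deny-spoke2-tunnel and filter-connected, which are arbitrary placeholders. Spoke2 needs the mirror-image configuration with Spoke1's tunnel IP, which the article does not give, so it appears here as a placeholder.

```fortios
# Added example (not from the article): Spoke1 CLI equivalent of the GUI steps.
# Assumes BGP is already configured; object names are arbitrary placeholders.

# Prefix list: deny the remote spoke's tunnel IP first, then permit everything else.
config router prefix-list
    edit "deny-spoke2-tunnel"
        config rule
            edit 1
                set action deny
                # Spoke2 tunnel IP from the article, as a /32 host route
                set prefix 10.10.10.4 255.255.255.255
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end

# Route map: one permit rule whose match references the prefix list.
# A connected route denied by the prefix list matches no rule and is
# dropped by the route map's implicit deny, so it is not redistributed.
config router route-map
    edit "filter-connected"
        config rule
            edit 1
                set action permit
                set match-ip-address "deny-spoke2-tunnel"
            next
        end
    next
end

# Apply the route map to connected-route redistribution in BGP.
config router bgp
    config redistribute "connected"
        set status enable
        set route-map "filter-connected"
    end
end

# On Spoke2, repeat the same three blocks with Spoke1's tunnel IP,
# which the article does not give:
#   set prefix <SPOKE1_TUNNEL_IP> 255.255.255.255
```

After applying this on both spokes, `get router info bgp summary` on the hub should show every neighbor as Established, and `get router info routing-table bgp` should no longer list a spoke's tunnel IP as learned from the other spoke.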


Once all the tunnel IP addresses are blocked from being advertised via BGP, the routing table on the hub FortiGate should look like this:

Each tunnel IP is now learned from the correct peer.

Routing_Hub_Working.jpg


The BGP peering with all of the neighbors will now be Established:

BGP_Working.jpg