Description

This article describes an issue where a FortiGate fails to share BGP routes after a reboot because the BGP neighbor connect-timer was provisioned with an excessive value.

Scope

FortiGate and FortiManager v7.4.6/v7.4.7, ADOM v7.4.

Solution
Problem Overview

After a FortiGate reboots, its BGP sessions may fail to establish and no routes are exchanged. This happens when the neighbor's connect-timer (the interval the FortiGate waits between attempts to open the TCP connection to the peer) is set to its maximum value, 65535 seconds, so the FortiGate waits roughly 18 hours before attempting to establish the BGP session.
Troubleshooting Steps:

1. Check the BGP neighbor status. The neighbor stays in the Active state (no TCP session has been established), no messages have been exchanged, and no prefixes are received:

    FW # get router info bgp summary
    VRF 0 BGP router identifier 4.4.4.4, local AS number 65000
    BGP table version is 1
    1 BGP AS-PATH entries
    0 BGP community entries

    Neighbor   V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    10.4.9.2   4  65000  0        0        1       0    0     00:02:07  Active
2. Analyze the network traffic. Capture BGP traffic to the peer (verbosity 4 prints interface names, 10 limits the capture to ten packets) and check whether the FortiGate ever initiates the TCP session:

    FW # diagnose sniffer packet any '10.4.9.2 and tcp and port 179' 4 10

   With the oversized connect-timer the FortiGate sends no TCP SYN to 10.4.9.2 port 179 until the timer expires, so the capture shows no connection attempt from the FortiGate side.
3. Review the configuration. Under config router bgp, check the connect-timer configured for the neighbor (config neighbor, edit <peer IP>). A neighbor provisioned with connect-timer 65535 confirms the cause.
Explanation: The issue is seen when BGP is provisioned from FortiManager's BGP provisioning templates in v7.4.6 and v7.4.7. When a BGP template is created, the connect-timer field is pre-populated with an invalid default; FortiManager's validation flags the field and lets you correct it, but if it is left unchanged the value installed on the FortiGate is 65535 seconds. That delay prevents the BGP session from establishing in any reasonable timeframe. Set an appropriate connect-timer in the template before installing it, and correct any neighbor that has already been provisioned with 65535.
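The following FortiOS CLI session is an added example, not part of the original article or Fortinet's published procedure. It shows what a neighbor provisioned with the bad template value looks like and how to correct it on the FortiGate. The neighbor 10.4.9.2, AS 65000 and router ID 4.4.4.4 are taken from the article's summary output; the surrounding neighbor settings in the show output are constructed for illustration, and the replacement value of 30 seconds is an assumption, not a Fortinet recommendation. Lines starting with # are annotations.

```fortios
# Added example (not from the article). Assumes the neighbor from the
# article's output: 10.4.9.2 in AS 65000, local router ID 4.4.4.4.

# 1. Inspect the provisioned BGP configuration. Only non-default values
#    are printed; a neighbor pushed by the faulty template shows the
#    maximum connect-timer (constructed output, for illustration).
show router bgp
#   config router bgp
#       set as 65000
#       set router-id 4.4.4.4
#       config neighbor
#           edit "10.4.9.2"
#               set remote-as 65000
#               set connect-timer 65535    <-- 65535 s = ~18.2 h before the first connect attempt
#           next
#       end
#   end

# 2. Correct the timer. 30 s is an assumed value; 'unset connect-timer'
#    instead reverts the neighbor to the FortiOS default.
config router bgp
    config neighbor
        edit "10.4.9.2"
            set connect-timer 30
        next
    end
end

# 3. Confirm the session leaves the Active state and prefixes arrive.
get router info bgp summary
get router info bgp neighbors 10.4.9.2
```

Fixing the value on the FortiGate alone is not sufficient when the device is managed by FortiManager: the next install from the BGP provisioning template pushes the template's connect-timer again, so correct the field in the template (and re-install) as well.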