Description
This article describes how the 'set interface', 'set update-source', and 'set passive' BGP commands operate on a FortiGate device.
Scope
FortiGate.
Solution
Topology:
Using set interface <interface_name>:
config router bgp
set as 65412
set router-id 1.1.1.1
config neighbor
edit "172.16.2.2"
set interface "port1"
set remote-as 65412
next
end
end
When 'set interface' is configured under BGP neighbor, it forces the firewall to only establish BGP connections over the indicated interface. If this is not a loopback interface, the firewall uses only this interface to initiate its own BGP connection attempts, and refuses all BGP connections attempts from this neighbor received over different interfaces, with the message 'Incoming conn <neighbor IP> expected iif <interface index> from peer group but received from <interface index>'.
diagnose debug reset
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose ip router bgp set-filter neighbor 172.16.2.2
diagnose debug enable
BGP: [NETWORK] Accept Thread: Incoming conn from host 172.16.2.2 (FD=32 VRF=0)
BGP: [NETWORK] Accept Thread: Incoming conn 172.16.2.2 expected iif 5 from peer group but received from 6
diagnose debug disable
diagnose debug reset
diagnose ip router bgp set-filter reset
A packet sniffer for BGP traffic shows the FortiGate only sending connection attempts over the specified port, and sending a TCP RST packet if the neighbor's connection attempt arrives over a different interface.
diagnose sniffer packet any 'port 179' 4 100
interfaces=[any]
filters=[port 179]
0.203785 port1 out 10.255.255.1.14572 -> 172.16.2.2.179: syn 2971642032
1.163906 port1 out 10.255.255.1.9502 -> 172.16.2.2.179: syn 3126263362
2.163769 port1 out 10.255.255.1.9502 -> 172.16.2.2.179: syn 3126263362
2.653932 port1 out 10.255.255.1.6961 -> 172.16.2.2.179: syn 3193337573
3.653781 port1 out 10.255.255.1.6961 -> 172.16.2.2.179: syn 3193337573
4.873889 port1 out 10.255.255.1.8332 -> 172.16.2.2.179: syn 2022864096
5.680889 port2 in 172.16.2.2.21350 -> 172.16.2.1.179: syn 3359818027
5.681050 port2 out 172.16.2.1.179 -> 172.16.2.2.21350: syn 1594128712 ack 3359818028
5.681120 port2 in 172.16.2.2.21350 -> 172.16.2.1.179: ack 1594128713
5.681167 port2 in 172.16.2.2.21350 -> 172.16.2.1.179: psh 3359818028 ack 1594128713
5.681196 port2 out 172.16.2.1.179 -> 172.16.2.2.21350: ack 3359818113
5.681263 port2 out 172.16.2.1.179 -> 172.16.2.2.21350: rst 1594128713 ack 3359818113
^C
14 packets received by filter
0 packets dropped by kernel
Note:
In the event of a ADVPN tunnel using BGP route failover, if a tunnel configured in 'set interface' is down, that BGP neighbor connection will not be established even if FortiGate receives a BGP connection attempt over a different tunnel.
Using set update-source <interface_name>:
config router bgp
set as 65412
set router-id 1.1.1.1
config neighbor
edit "172.16.2.2"
set remote-as 65412
set update-source "port1"
next
end
end
diagnose sniffer packet any 'port 179' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[ port 179 ]
0.788186 port2 out 10.255.255.1.8879 -> 172.16.2.2.179: syn 2353844132
2.868132 port2 out 10.255.255.1.8879 -> 172.16.2.2.179: syn 2353844132
When 'update-source' is configured on a BGP neighbor, the device uses the configured interface's primary IP address as the source IP for initiating BGP connections. The device will still accept connection attempts to different local IP addresses if initiated by the neighbor.
Using set passive enable:
config router bgp
set as 65412
set router-id 1.1.1.1
config neighbor
edit "172.16.2.2"
set passive enable
set remote-as 65412
next
end
end
This configuration causes the BGP FSM to remain in Active state, listening for incoming BGP port 179 connections from the neighbor. The FortiGate will act as a 'passive' BGP peer and not initiate the BGP peering itself. If the BGP peering goes down for any reason, the neighborship will transition to the Active state until the remote BGP peer initiates the session.
Related Articles:
