FortiGate
myky_
Staff
Article Id 371764
Description

This article describes how to avoid a BFD-monitored static route being invalidated when BFD runs over an IPsec VPN tunnel interface.

 

A BFD neighborship can be established between the IP addresses configured on the IPsec VPN tunnel interfaces.

 

The requirement is that the tunnel interface's remote-ip is configured with a /32 subnet mask (255.255.255.255).

If any other mask is configured, the BFD neighbor still comes up, but as soon as BFD is enabled on a static route that uses the tunnel interface, the route is invalidated (marked inactive). As a result, the route is not installed in the routing table.

 

See more details in the example below.

Scope

FortiOS.
Solution

Topology:

FWA (tunnel interface with BFD: 192.168.100.1, IPsec peer IP: 10.0.1.1) <--IPsec--> FWB (IPsec peer IP: 10.0.1.2, tunnel interface with BFD: 192.168.100.2).


  1. On FWA, the tunnel interface (named "FWB" after its peer) has the remote IP subnet mask configured as /24:

 

show system interface FWB
config system interface
    edit "FWB"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.255
        set allowaccess ping
        set bfd enable
        set type tunnel
        set remote-ip 192.168.100.2 255.255.255.0
        set snmp-index 15
        set interface "port3"
    next
end

 

  2. The static route has BFD enabled:

 

show router static 2
config router static
    edit 2
        set dst 192.168.40.0 255.255.255.0
        set device "FWB"
        set bfd enable
    next
end

 

  3. Status of the BFD neighbor:

 

get router info bfd neighbor

OurAddress NeighAddress State Interface LDesc/RDesc
192.168.100.1 192.168.100.2 UP FWB 1/1

 

  4. Status of the static route:

 

get router info routing-table database | grep 192.168.40.0
S 192.168.40.0/24 [10/0] via FWB tunnel 10.0.1.2 inactive, [1/0]
B *> 192.168.40.0/24 [20/0] via 10.0.1.2 (recursive is directly connected, port3), 4d23h50m, [1/0]


Based on the above status, the BFD neighbor is up, but the static route remains inactive (note the "inactive" flag on the S entry, while the BGP route for the same prefix is selected instead).

To resolve the issue, change the tunnel interface's remote IP subnet mask to /32.

 

  5. Subnet mask changed to /32:


show system interface FWB
config system interface
    edit "FWB"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.255
        set allowaccess ping
        set bfd enable
        set type tunnel
        set remote-ip 192.168.100.2 255.255.255.255
        set snmp-index 15
        set interface "port3"
    next
end

  6. The static route is now valid and installed in the routing table (the S entry carries the "*>" selected marker and the "inactive" flag is gone):

 

get router info routing-table database | grep 192.168.40.0
S *> 192.168.40.0/24 [10/0] via FWB tunnel 10.0.1.2, [1/0]
B 192.168.40.0/24 [20/0] via 10.0.1.2 (recursive is directly connected, port3), 5d00h00m, [1/0]
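The following audit script is an added example, not Fortinet code or part of this article's original content. It parses the text of "show system interface", "show router static" and "get router info routing-table database" (the same CLI output shown above, embedded here as constructed sample input) and flags tunnel interfaces that have BFD enabled but a remote-ip mask other than /32, lists the BFD-enabled static routes pointing at them, emits the CLI lines that apply the /32 fix, and reports any static route the routing-table database already marks inactive. All function and variable names are assumptions made for this example.

```python
"""Audit helper (added example, not Fortinet code): parse FortiOS CLI output
and flag the BFD / tunnel remote-ip mask mismatch that invalidates routes.
Function and variable names are assumptions made for this example."""
import ipaddress
import re

# Constructed sample input: the pre-fix configuration from this article.
INTERFACE_CONFIG = """\
config system interface
    edit "FWB"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.255
        set allowaccess ping
        set bfd enable
        set type tunnel
        set remote-ip 192.168.100.2 255.255.255.0
        set snmp-index 15
        set interface "port3"
    next
end
"""

STATIC_ROUTE_CONFIG = """\
config router static
    edit 2
        set dst 192.168.40.0 255.255.255.0
        set device "FWB"
        set bfd enable
    next
end
"""

# Constructed sample: 'get router info routing-table database' before the fix.
ROUTING_DB = """\
S 192.168.40.0/24 [10/0] via FWB tunnel 10.0.1.2 inactive, [1/0]
B *> 192.168.40.0/24 [20/0] via 10.0.1.2 (recursive is directly connected, port3), 4d23h50m, [1/0]
"""


def parse_fortios_blocks(text):
    """Return {edit-name: {setting: value}} for each 'edit ... next' block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            blocks[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(" ", 2)
            blocks[current][parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
    return blocks


def mask_prefixlen(mask):
    """Convert a dotted netmask (255.255.255.0) to a prefix length (24)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def find_bfd_mask_problems(interface_text, static_text):
    """Tunnel interfaces with BFD enabled whose remote-ip mask is not /32,
    together with the BFD-enabled static routes that point at them."""
    ifaces = parse_fortios_blocks(interface_text)
    routes = parse_fortios_blocks(static_text)
    problems = []
    for name, cfg in ifaces.items():
        if cfg.get("type") != "tunnel" or cfg.get("bfd") != "enable":
            continue
        if "remote-ip" not in cfg:
            continue
        addr, mask = cfg["remote-ip"].split()
        plen = mask_prefixlen(mask)
        if plen == 32:
            continue  # correctly configured; the static route stays active
        affected = [rid for rid, r in routes.items()
                    if r.get("device") == name and r.get("bfd") == "enable"]
        problems.append({"interface": name, "remote_ip": addr,
                         "prefixlen": plen, "routes": affected})
    return problems


def remediation_commands(problems):
    """CLI lines that set each offending remote-ip mask to /32."""
    lines = []
    for p in problems:
        lines += ["config system interface", f'    edit "{p["interface"]}"',
                  f'        set remote-ip {p["remote_ip"]} 255.255.255.255',
                  "    next", "end"]
    return lines


def inactive_static_routes(db_text):
    """Prefixes of static (S) routes that the routing-table database marks inactive."""
    found = []
    for line in db_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "S" and any(p.rstrip(",") == "inactive" for p in parts):
            found.append(next(p for p in parts[1:] if "/" in p))
    return found


if __name__ == "__main__":
    problems = find_bfd_mask_problems(INTERFACE_CONFIG, STATIC_ROUTE_CONFIG)
    for p in problems:
        print(f'{p["interface"]}: remote-ip /{p["prefixlen"]} with BFD enabled; '
              f'static routes at risk: {p["routes"]}')
    print("\n".join(remediation_commands(problems)))
    print("inactive static routes:", inactive_static_routes(ROUTING_DB))
```

Feed the script the output of the three commands captured from the unit (for example over SSH) in place of the constructed samples; a non-empty result from find_bfd_mask_problems means a BFD-monitored static route will go inactive, and the emitted CLI block is the /32 change shown in step 5 above.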

 

Related documents:

Technical Tip: Configuring Bidirectional Forwarding Detection (BFD) for static routes