Created on 10-06-2020 10:14 AM, edited on 09-30-2025 12:02 AM by Jean-Philippe_P
Description
This article describes how to configure and troubleshoot BGP password (MD5) authentication on a FortiGate. A common issue is that external BGP sessions are never established and stay stuck in the Active state.
Symptoms
BGP is configured with the correct AS number and neighbor address, but the neighborship is not forming.
Solution
All BGP protocol exchanges can be authenticated to guarantee that only trusted routing devices participate in autonomous system (AS) routing updates.
By default, authentication is disabled.
Use the following commands to enable BGP MD5 authentication for a neighbor (the neighbor entry lives under config router bgp):
config router bgp
    config neighbor
        edit "10.5.23.228"
            set password <Type_Passw0rd>
        next
    end
end
Troubleshooting
If the password is missing on one peer, or the two peers are configured with different passwords, each side sends a SYN but neither ever receives a SYN-ACK, because the receiving side discards segments that fail the MD5 check.
In the BGP debug, the FSM (finite state machine) shows the state stuck in Connect/Active:
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug console timestamp enable
diagnose debug enable
--Sample debug--
BGP: 10.5.23.228-Outgoing [FSM] State: Active Event: 9
BGP: 10.5.23.228-Outgoing [FSM] State: Connect Event: 9
---
get router info bgp summary
Neighbor        V   AS MsgRcvd MsgSent TblVer  InQ OutQ Up/Down  State/PfxRcd
10.5.23.228     4  100    1924    1926       0    0    0 never    Active   >>>
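When many neighbors are configured, it is easier to script the check than to eyeball the summary. The following Python snippet is an added example, not part of the original article or of FortiOS: it parses output in the layout of get router info bgp summary and flags neighbors that have never come up and are sitting in Connect or Active, which on this page is the signature of a missing or mismatched MD5 password. The sample output embedded in it is constructed (the second neighbor and all counters are made up).

```python
# Constructed sample in the layout of `get router info bgp summary`.
# Not captured from a real device; the 10.5.23.229 row and the counters are made up.
SAMPLE_SUMMARY = """\
Neighbor        V   AS MsgRcvd MsgSent TblVer  InQ OutQ Up/Down  State/PfxRcd
10.5.23.228     4  100    1924    1926       0    0    0 never    Active
10.5.23.229     4  200    2210    2204       5    0    0 02:11:47       12
"""


def parse_bgp_summary(text):
    """Return one dict per neighbor row.

    For an Established session the last column holds the number of prefixes
    received; for any other FSM state (Idle/Connect/Active/OpenSent/...) the
    last column is the state name itself.
    """
    rows = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True          # header row: the neighbor table starts here
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 10:         # not a neighbor row (totals, blank, etc.)
            continue
        last = fields[9]
        rows.append({
            "neighbor": fields[0],
            "remote_as": int(fields[2]),
            "up_down": fields[8],
            "state": "Established" if last.isdigit() else last,
            "prefixes": int(last) if last.isdigit() else 0,
        })
    return rows


def stuck_neighbors(text):
    """Neighbors that never came up and are stuck in Connect/Active.

    A peer in this condition with a SYN going out and no SYN-ACK coming back
    is the first thing to check for a password mismatch.
    """
    return [r["neighbor"] for r in parse_bgp_summary(text)
            if r["state"] in ("Connect", "Active") and r["up_down"] == "never"]


if __name__ == "__main__":
    for n in stuck_neighbors(SAMPLE_SUMMARY):
        print(f"{n}: never established, check BGP password on both sides")
```

Run it against the saved output of the command (for example, text pasted from an SSH session) to get a short list of neighbors worth inspecting in a packet capture.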
From the packet capture, it can be observed that the peer is configured with a password: when a password is configured, each segment carries the TCP MD5 Signature Option (TCP option kind 19, defined in RFC 2385) in its TCP options field.
Once identified, configure the password and check the status.
After the TCP handshake, every segment (ACK, BGP OPEN, KEEPALIVE, UPDATE, etc.) will also carry the MD5 option.
If the password is changed on only one side:
Subsequent TCP segments from the modified side will carry a digest that does not match the peer’s expectation.
The peer discards the packets, causing TCP retransmissions and eventually a session reset.
The BGP session will go down almost immediately.
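To make the capture observations above concrete (the option 19 field after the handshake, and the digest mismatch when only one side changes its password), here is an added Python example that is not part of the original article and is not FortiOS code. It builds a minimal TCP segment with the RFC 2385 MD5 Signature Option, then plays the role of a receiving peer that validates (or drops) the segment. The addresses, ports and password are constructed sample values; the 10.5.23.1 local address in particular is an assumption, not taken from the article. The TCP checksum is left at zero because RFC 2385 hashes the header with the checksum zeroed and the checksum is irrelevant to the digest.

```python
import hashlib
import hmac
import socket
import struct

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MD5 = 19          # TCP MD5 Signature Option, RFC 2385
IPPROTO_TCP = 6
TCP_SYN = 0x02


def rfc2385_digest(src_ip, dst_ip, fixed_header, payload, password):
    """MD5 over: IPv4 pseudo-header, the 20-byte fixed TCP header with the
    checksum zeroed (options excluded), the payload, and the shared password."""
    data_offset = (fixed_header[12] >> 4) * 4          # header length incl. options
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_TCP, data_offset + len(payload)))
    zeroed = fixed_header[:16] + b"\x00\x00" + fixed_header[18:20]
    return hashlib.md5(pseudo + zeroed + payload + password).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, flags, payload=b"", password=None):
    """Return a TCP segment; with a password, option 19 (kind, len=18, 16-byte
    digest) is appended and padded with two NOPs to a 4-byte boundary."""
    opt_len = 20 if password is not None else 0
    data_offset = (20 + opt_len) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                        data_offset << 4, flags, 65535, 0, 0)
    options = b""
    if password is not None:
        digest = rfc2385_digest(src_ip, dst_ip, fixed, payload, password)
        options = bytes([TCP_OPT_MD5, 18]) + digest + bytes([TCP_OPT_NOP, TCP_OPT_NOP])
    return fixed + options + payload


def parse_options(segment):
    """Walk the TCP options area and return {kind: value_bytes}."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    found, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        found[kind] = opts[i + 2:i + length]
        i += length
    return found


def check_segment(src_ip, dst_ip, segment, password):
    """Behave like a receiver configured with `password`: 'accept', or the
    reason the segment is discarded (which is why no SYN-ACK is ever sent)."""
    digest = parse_options(segment).get(TCP_OPT_MD5)
    if digest is None:
        return "drop: no TCP option 19 (sender has no password configured)"
    data_offset = (segment[12] >> 4) * 4
    expected = rfc2385_digest(src_ip, dst_ip, segment[:20], segment[data_offset:], password)
    if not hmac.compare_digest(digest, expected):
        return "drop: option 19 digest mismatch (passwords differ)"
    return "accept"


if __name__ == "__main__":
    # Constructed values: local 10.5.23.1 (assumed) talking to the article's peer.
    local, peer = "10.5.23.1", "10.5.23.228"
    syn = build_segment(local, peer, 43213, 179, 1000, TCP_SYN, password=b"Type_Passw0rd")
    print(check_segment(local, peer, syn, b"Type_Passw0rd"))     # accept
    print(check_segment(local, peer, syn, b"Wr0ng_Passw0rd"))    # drop: digest mismatch
    plain = build_segment(local, peer, 43213, 179, 1000, TCP_SYN)
    print(check_segment(local, peer, plain, b"Type_Passw0rd"))   # drop: no option 19
```

The digest covers the source and destination addresses, so the same password produces a different option 19 value on each direction of the session, and changing either the password or an address on only one side is enough for the other side to discard every segment, which is the retransmit-then-reset behaviour described above.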
Note:
In scenarios where a FortiGate is in between two eBGP peers that use MD5 authentication, the FortiGate does not strip off the TCP option 19 fields.
Copyright 2025 Fortinet, Inc. All Rights Reserved.