FortiGate
ckumar_FTNT
Staff
Article Id 195834

Description


This article describes how to configure and troubleshoot BGP MD5 password authentication. A common issue is that external BGP (eBGP) sessions are not established and remain stuck in the Active state.

Symptoms


BGP is configured with the correct AS number and neighbor address, but the neighbor relationship is not formed.

Solution


All BGP protocol exchanges can be authenticated to guarantee that only trusted routing devices participate in autonomous system (AS) routing updates.
By default, authentication is disabled.

Use the following commands to enable BGP MD5 authentication.


FGT # config router bgp
FGT (bgp) # config neighbor
FGT (neighbor) # edit 10.5.23.228
FGT (10.5.23.228) # set password <Type_Passw0rd>
FGT (10.5.23.228) # next
FGT (neighbor) # end


Troubleshooting

If no password is configured on the peer, or the passwords do not match, both sides send a SYN but neither side receives a SYN-ACK in response: a segment whose MD5 signature does not verify is silently discarded by the receiver.

From the BGP debug, the FSM (finite state machine) shows its state stuck in Connect/Active.

 

diag ip router bgp all enable
diag ip router bgp level info
diag debug console timestamp enable
diag debug enable


--Sample debug--
BGP: 10.5.23.228-Outgoing [FSM] State: Active Event: 9
BGP: 10.5.23.228-Outgoing [FSM] State: Connect Event: 9
---
get router info bgp summary
Neighbor         V    AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/PfxRcd
10.5.23.228      4   100     1924     1926       0    0     0  never    Active      >>>

 

From the packet capture it can be observed that the peer is configured with a password: when a password is configured, the MD5 signature is carried in the TCP options field of every segment (TCP option kind 19).



Once identified, configure the password and check the status.
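As an added example (not from the article or from FortiOS), the following Python reconstructs the RFC 2385 check that a BGP peer performs on a received segment: it extracts TCP option 19 and recomputes the MD5 signature over the IPv4 pseudo-header, the fixed TCP header and the data using a given password, reporting whether the option is missing, mismatched or valid, which are exactly the two failure cases described above. The SYN segment, addresses and password are constructed for the demonstration; IPv4 only is assumed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_OPT_MD5 = 19  # RFC 2385 TCP MD5 Signature Option (kind 19, length 18)


def parse_tcp_options(tcp_hdr: bytes) -> dict:
    """Map option kind -> option value for a TCP header that includes its options."""
    data_offset = (tcp_hdr[12] >> 4) * 4
    opts, i = {}, 20
    while i < data_offset:
        kind = tcp_hdr[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = tcp_hdr[i + 1]
        opts[kind] = tcp_hdr[i + 2:i + length]
        i += length
    return opts


def tcp_md5_digest(src: str, dst: str, tcp_hdr: bytes, payload: bytes, password: str) -> bytes:
    """RFC 2385: MD5 over IPv4 pseudo-header, fixed 20-byte TCP header with checksum zeroed
    (options excluded), segment data, then the shared key."""
    seg_len = len(tcp_hdr) + len(payload)
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, seg_len)
    fixed = bytearray(tcp_hdr[:20])
    fixed[16:18] = b"\x00\x00"   # checksum is assumed zero for the digest
    return hashlib.md5(pseudo + bytes(fixed) + payload + password.encode()).digest()


def check_md5_option(src: str, dst: str, tcp_hdr: bytes, payload: bytes, password: str) -> str:
    """Return 'no-option' (peer has no password), 'mismatch' or 'ok' for a captured segment."""
    sig = parse_tcp_options(tcp_hdr).get(TCP_OPT_MD5)
    if sig is None:
        return "no-option"
    expected = tcp_md5_digest(src, dst, tcp_hdr, payload, password)
    return "ok" if hmac.compare_digest(sig, expected) else "mismatch"


def build_syn(src: str, dst: str, sport: int, dport: int, password: str = "") -> bytes:
    """Constructed BGP SYN (to port 179): 20-byte header, plus 2 NOPs and option 19 when signed."""
    hdr_len = 40 if password else 20
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, (hdr_len // 4) << 4, 0x02, 65535, 0, 0)
    if not password:
        return fixed
    opt_prefix = bytes([1, 1, TCP_OPT_MD5, 18])
    digest = tcp_md5_digest(src, dst, fixed + opt_prefix + b"\x00" * 16, b"", password)
    return fixed + opt_prefix + digest
```

Feed `check_md5_option` the TCP header and payload bytes of a captured SYN together with the locally configured password to tell a missing option (no password on the peer) apart from a mismatched one.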


Note:

In scenarios where a FortiGate sits between two eBGP peers that use MD5 authentication, the FortiGate does not strip off the TCP option 19 field; the signed segments are forwarded with the option intact.