FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 195834


This article describes how to configure and troubleshoot password authentication.
One of the common issue, where external BGP sessions not established and stuck in ACTIVE state.


BGP is configured with correct AS and neighbor address but not forming neighbor-ship.


All BGP protocol exchanges can be authenticated to guarantee that only trusted routing devices participate in autonomous system (AS) routing updates.
By default, authentication is disabled.

Use the following commands to enable BGP MD5 authentication.


conf neighbor
FGT(neighbor) edit
FGT( set password <Type_Passw0rd>             



If there is no password/miss-match password configured on the peer, on both sides a SYN is exchanged but there is no SYN-ACK in response.

From the BGP debug, the FSM (finite state machine) shows its state stuck in Connect/Active.


diag ip router bgp all enable
diag ip router bgp level info
diag debug console timestamp enable
diag debug enable

--Sample debug--
BGP: [FSM] State: Active Event: 9
BGP: [FSM] State: Connect Event: 9
get router info bgp summary
Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd     4        100    1924    1926        0              0      0              never     Active     >>>


From the packet capture it can be observed that the peer is configured with a password. If password is configured it will be included in the TCP-option field (TCP option 19).

Once identified, configure the password and check the status.

Note: In scenarios where a FortiGate is in-between two eBGP peers that use MD5 authentication, the FortiGate does not strip-off the TCP option 19 field.