FortiGate
nalexiou
Staff
Article Id 357232
Description This article describes how to troubleshoot BGP interruptions.
Scope FortiGate.
Solution

The packet sent to tear down the neighborship is the Notification packet, which includes the reason why the action was taken.

 

If only a flap was observed and the BGP neighborship is stable, the Router event logs can be checked in the GUI under Log & Report -> System Events -> Router Events.

 

LOG ID 20304 can be used as a filter:

 

KB1.PNG

 

In this example, logs indicate different reasons why the neighborship was torn down, e.g. Hold Timer Expired, Administratively shutdown.

 

When the neighborship is not stable and flaps are still occurring, live troubleshooting can be performed to identify what is causing the issue.

 

To debug the BGP process:

 

diag ip router bgp all enable

diag ip router bgp level info

diag debug enable

 

To disable debugs:

 

diag ip router bgp all disable

diag ip router bgp level none

diag debug reset

 

Note:

Starting from v7.2.0, it is possible to collect BGP debugs for a specific neighbor by using the filter command 'diag ip router bgp set-filter neighbor <neighbor address>'. For more details, see the KB article 'Technical Tip: Capture BGP debugs for a specific neighbor'.

 

In the debug, the notification packets can be identified and the reason is displayed:

 

BGP: %BGP-3-NOTIFICATION: received from 10.191.19.33 6/2 (Cease/Administratively Shutdown.) 0 data-bytes []

BGP: 10.191.19.33-Outgoing [FSM] State: Established Event: 25

BGP: 10.191.19.33-Outgoing [FSM] BGP Notification received

id=20300 msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 10.191.19.33 Down BGP Notification FSM-ERR"

 

BGP: %BGP-3-NOTIFICATION: sending to 10.191.19.33 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes []

id=20300 msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 10.191.19.33 Down Hold Timer Expired"

id=20300 msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 10.191.19.33 Down BGP Notification FSM-ERR"
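
Each NOTIFICATION line in the debug output above carries the error code/subcode pair and a direction, and the direction shows which side closed the session. The following Python script is an added example, not part of the original article or any Fortinet tooling: it parses saved debug output in that line format and tallies teardowns per neighbor. The code names are taken from RFC 4271 and RFC 4486, and the function names are hypothetical.

```python
import re
from collections import Counter

# BGP error codes (RFC 4271) and Cease subcodes (RFC 4486).
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}
CEASE_SUBCODES = {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
                  3: "Peer De-configured", 4: "Administrative Reset",
                  5: "Connection Rejected", 6: "Other Configuration Change",
                  7: "Connection Collision Resolution", 8: "Out of Resources"}

# Line format assumed to be exactly the one shown in the debug output above.
NOTIF_RE = re.compile(
    r"%BGP-3-NOTIFICATION: (?P<dir>received from|sending to) "
    r"(?P<peer>\S+) (?P<code>\d+)/(?P<sub>\d+) "
    r"\(.*?\) \d+ data-bytes")

def parse_notifications(debug_text):
    """Return one dict per NOTIFICATION line found in saved debug output."""
    events = []
    for m in NOTIF_RE.finditer(debug_text):
        code, sub = int(m["code"]), int(m["sub"])
        reason = ERROR_CODES.get(code, f"Unknown code {code}")
        if code == 6 and sub in CEASE_SUBCODES:
            reason += "/" + CEASE_SUBCODES[sub]
        events.append({
            "peer": m["peer"],
            # "received from": the remote peer sent the NOTIFICATION.
            # "sending to": the local FortiGate sent it.
            "closed_by": "peer" if m["dir"] == "received from" else "local",
            "code": code, "subcode": sub, "reason": reason,
        })
    return events

def summarize(events):
    """Count teardowns per (peer, closing side, reason)."""
    return Counter((e["peer"], e["closed_by"], e["reason"]) for e in events)

# Constructed sample built from the NOTIFICATION lines shown in this article.
SAMPLE = """\
BGP: %BGP-3-NOTIFICATION: received from 10.191.19.33 6/2 (Cease/Administratively Shutdown.) 0 data-bytes []
BGP: 10.191.19.33-Outgoing [FSM] BGP Notification received
BGP: %BGP-3-NOTIFICATION: sending to 10.191.19.33 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes []
"""

if __name__ == "__main__":
    for key, count in summarize(parse_notifications(SAMPLE)).items():
        print(count, *key)
```

A peer that repeatedly appears with closed_by "local" and reason "Hold Timer Expired" means the FortiGate stopped receiving keepalives from it, which matches the packet loss or MTU note at the end of this article.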

 

The Notification packet can also be analyzed in a packet capture in the Wireshark format:


notification.PNG

 

To capture the BGP packets, port 179 should be used as a filter. See 'Troubleshooting Tip: Packet Capture on FortiOS GUI'.

 

By collecting the BGP debug and the packet capture while the flaps are occurring, additional analysis can be performed on the packets exchanged between the peers to identify the cause of the issue. 

 

Note:

Hold Timer Expired is usually associated with packet loss or MTU issues.