hhasny
Staff
Article Id 353132
Description This article describes why a default route or redundant route that is learned via eBGP is not installed in the FortiGate routing-table.
Scope FortiGate.
Solution

When FortiGate has BGP peerings with two ISPs that both advertise the default route or the same route, FortiGate may not install both routes in the routing-table. This is expected BGP behavior: only one route is installed as the best route.

 

In this example, the BGP peers are 10.193.4.152 and 10.201.4.152, both of which advertise a default route and the 172.21.0.0/20 subnet.

 

juara-kvm89 # get router info bgp summary

VRF 0 BGP router identifier 10.1.1.1, local AS number 65510
BGP table version is 2
3 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.193.4.152    4      65520      33      60        2    0    0 00:00:36        2
10.201.4.152    4      65530      16      21        2    0    0 00:00:33        2

 

juara-kvm89 # get router info bgp neighbors 10.193.4.152 received-routes
VRF 0 BGP table version is 2, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 10.193.4.152 0 0 65520 ? <-/->
*> 172.21.0.0/20 10.193.4.152 0 0 65520 ? <-/->

Total number of prefixes 2


juara-kvm89 # get router info bgp neighbors 10.201.4.152 received-routes
VRF 0 BGP table version is 2, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 10.201.4.152 0 0 65530 ? <-/->
*> 172.21.0.0/20 10.201.4.152 0 0 65530 ? <-/->

 

juara-kvm89 # get router info routing-table bgp
Routing table for VRF=0
B* 0.0.0.0/0 [20/0] via 10.193.4.152 (recursive is directly connected, port9), 00:03:49, [1/0]

B 172.21.0.0/20 [20/0] via 10.193.4.152 (recursive is directly connected, port9), 00:03:49, [1/0]

 

The routing-table output shows that the BGP routes are installed from only one peer. To install the routes from both peers, 'ebgp-multipath' needs to be enabled.

 

config router bgp
    set ebgp-multipath enable
end

 

Below is the updated routing-table showing both routes from both peers.

 

juara-kvm89 # get router info routing-table bgp
Routing table for VRF=0
B* 0.0.0.0/0 [20/0] via 10.201.4.152 (recursive is directly connected, port10), 00:00:46, [1/0]
             [20/0] via 10.193.4.152 (recursive is directly connected, port9), 00:00:46, [1/0]
B 172.21.0.0/20 [20/0] via 10.201.4.152 (recursive is directly connected, port10), 00:00:46, [1/0]
                [20/0] via 10.193.4.152 (recursive is directly connected, port9), 00:00:46, [1/0]
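
The check above can be automated. The following Python script is an added example, not part of the original article or any Fortinet tooling: it parses saved 'get router info routing-table bgp' output and reports each prefix that lacks an installed path via an expected peer. The function names are hypothetical, and the sample inputs are constructed from the two outputs shown in this article.

```python
import re
from collections import defaultdict

# Constructed samples: the routing-table outputs shown in this article.
BEFORE = """\
Routing table for VRF=0
B* 0.0.0.0/0 [20/0] via 10.193.4.152 (recursive is directly connected, port9), 00:03:49, [1/0]

B 172.21.0.0/20 [20/0] via 10.193.4.152 (recursive is directly connected, port9), 00:03:49, [1/0]
"""
AFTER = """\
Routing table for VRF=0
B* 0.0.0.0/0 [20/0] via 10.201.4.152 (recursive is directly connected, port10), 00:00:46, [1/0]
[20/0] via 10.193.4.152 (recursive is directly connected, port9), 00:00:46, [1/0]
B 172.21.0.0/20 [20/0] via 10.201.4.152 (recursive is directly connected, port10), 00:00:46, [1/0]
[20/0] via 10.193.4.152 (recursive is directly connected, port9), 00:00:46, [1/0]
"""

PREFIX_RE = re.compile(r"^B\*?\s+(\d+\.\d+\.\d+\.\d+/\d+)\s")
VIA_RE = re.compile(r"\[\d+/\d+\]\s+via\s+(\d+\.\d+\.\d+\.\d+)")

def bgp_next_hops(output):
    """Map each BGP prefix to the set of next hops installed for it."""
    table = defaultdict(set)
    current = None
    for line in output.splitlines():
        line = line.strip()
        m = PREFIX_RE.match(line)
        if m:
            current = m.group(1)
        elif not line.startswith("["):
            if line:
                current = None  # header or other route type: end of this entry
            continue
        via = VIA_RE.search(line)  # first match is the next hop, not the [1/0] tail
        if via and current:
            table[current].add(via.group(1))
    return dict(table)

def missing_paths(output, expected_peers):
    """Return {prefix: [peers with no installed path]} for prefixes with gaps."""
    expected = set(expected_peers)
    return {p: sorted(expected - hops)
            for p, hops in bgp_next_hops(output).items() if expected - hops}

if __name__ == "__main__":
    for name, out in (("before", BEFORE), ("after", AFTER)):
        print(name, missing_paths(out, ["10.193.4.152", "10.201.4.152"]))
```

An empty result means every BGP prefix in the output has an installed path through each expected peer.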