FortiGate
nprakash
Staff
Article Id 338246
Description

This article describes some common EVPN issues and tips for troubleshooting them.

Scope

FortiOS 7.4.X and above.

Solution

Issue 1: EVPN MBGP Adjacency is not established.

  • EVPN uses multiprotocol BGP (MP-BGP); EVPN is an address family within BGP (AFI: 25, SAFI: 70), so both peers must have that address family negotiated before any EVPN route can be exchanged.
  • Check the reachability between the VTEPs and run a packet capture on the VTEPs using the command diagnose sniffer packet any "host <x.x.x.x> and host <y.y.y.y>" 4 0 l, where <x.x.x.x> and <y.y.y.y> are the IP addresses of the VTEPs.
  • Check the configuration for any potential misconfigurations.
  • Run the commands below to check the EVPN peering state and enable BGP daemon logs, then share the output with FortiOS TAC for further investigation (run diagnose debug disable once the logs are collected):

get router info bgp evpn summary
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug console timestamp enable
diagnose debug enable

Issue 2: BUM traffic is not forwarded, or a VTEP is not included in the flood list.

  • The Type-3 Inclusive Multicast Ethernet Tag (IMET) route is used to build the Ingress Replication list (flood list) of a VTEP.
  • BUM traffic (Broadcast, Unknown Unicast and Multicast) is forwarded to the other VTEPs based on the IMET routes received; a VTEP from which no IMET route has been received is not part of the flood list.
  • Run the commands below to confirm that the VTEP has received the IMET route:

get router info bgp evpn network
get l2vpn evpn table

Issue 3: Endpoint information is not sent to other VTEPs.

  • The Type-2 Host (MAC/IP) Advertisement Route advertises endpoint Layer 2 information (MAC, or MAC and IP) between EVPN BGP peers.
  • A host boots up and sends frames, such as an ARP broadcast. This traffic hits the VXLAN software switch, which records the source MAC in its Layer 2 table, just like a normal switching operation.
  • Next, the VTEP creates an entry in its EVPN table (Local MAC, Local IP) and advertises this MAC and IP address to the EVPN BGP peer using a Type-2 MAC Advertisement Route.
  • The VXLAN software switch learns the MAC address via data-plane learning (similar behavior to a switch). Check whether the host is learned locally using the following commands:

get router info bgp evpn network
get l2vpn evpn instance
diagnose netlink brctl name host <vxlan-software-switch>
diagnose debug console timestamp enable
diagnose debug application evpnd -1    (then generate traffic from the host behind the local VTEP)
diagnose debug disable

  • A MAC address is flagged as 'Active' or 'Inactive' based on its FDB entry on the VXLAN software switch, and only entries with the Active flag are advertised to the peer. If a local host is not being advertised, confirm first that it is present in the bridge FDB (diagnose netlink brctl ...) before looking at the BGP side.
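To make the Issue 2 and Issue 3 checks concrete, here is an added example (not code from this article or from FortiOS) that decodes the Type-3 IMET and Type-2 MAC/IP EVPN NLRI as laid out in RFC 7432, then derives the ingress-replication flood list from the IMET routes, so a VTEP missing from the list is traced back to a missing Type-3 route. The VTEP addresses, RDs, MAC and VNI are constructed sample values, not taken from a device.

```python
import ipaddress
import struct

def parse_rd(b: bytes) -> str:
    """Type-1 Route Distinguisher: 2-byte type, 4-byte IPv4 administrator, 2-byte assigned number."""
    if struct.unpack("!H", b[:2])[0] == 1:
        return f"{ipaddress.IPv4Address(b[2:6])}:{struct.unpack('!H', b[6:8])[0]}"
    return b.hex()

def parse_evpn_nlri(data: bytes) -> list:
    """Decode a run of EVPN NLRIs (RFC 7432 section 7) into dicts; route types 2 and 3 are decoded in full."""
    routes, off = [], 0
    while off < len(data):
        rtype, length = data[off], data[off + 1]
        body, off = data[off + 2:off + 2 + length], off + 2 + length
        if rtype == 3:  # IMET: RD(8), Ethernet Tag(4), IP length in bits(1), originating router IP
            ip_len = body[12] // 8
            routes.append({"type": 3, "rd": parse_rd(body[:8]), "eth_tag": struct.unpack("!I", body[8:12])[0],
                           "orig_ip": str(ipaddress.ip_address(body[13:13 + ip_len]))})
        elif rtype == 2:  # MAC/IP: RD(8), ESI(10), Ethernet Tag(4), MAC len(1), MAC(6), IP len(1), IP, label(3)
            ip_len, mac = body[29] // 8, body[23:29]
            ip = body[30:30 + ip_len]
            label = body[30 + ip_len:33 + ip_len]  # for VXLAN the 3-byte label field carries the VNI (RFC 8365)
            routes.append({"type": 2, "rd": parse_rd(body[:8]), "eth_tag": struct.unpack("!I", body[18:22])[0],
                           "mac": mac.hex(":"), "ip": str(ipaddress.ip_address(ip)) if ip else None,
                           "vni": int.from_bytes(label, "big")})
        else:  # other route types are kept undecoded
            routes.append({"type": rtype, "raw": body.hex()})
    return routes

def flood_list(routes: list, local_vtep: str, eth_tag: int = 0) -> set:
    """Ingress-replication (flood) list: originators of IMET routes for this Ethernet Tag, minus ourselves."""
    return {r["orig_ip"] for r in routes
            if r["type"] == 3 and r["eth_tag"] == eth_tag and r["orig_ip"] != local_vtep}

# --- constructed sample NLRI (built here, not captured from a device) ---
def _rd(ip, num):
    return struct.pack("!H", 1) + ipaddress.IPv4Address(ip).packed + struct.pack("!H", num)

def build_imet(rd_ip, rd_num, eth_tag, orig_ip):
    body = _rd(rd_ip, rd_num) + struct.pack("!I", eth_tag) + bytes([32]) + ipaddress.IPv4Address(orig_ip).packed
    return bytes([3, len(body)]) + body

def build_mac_ip(rd_ip, rd_num, eth_tag, mac, ip, vni):
    body = (_rd(rd_ip, rd_num) + bytes(10) + struct.pack("!I", eth_tag) + bytes([48])
            + bytes.fromhex(mac.replace(":", "")) + bytes([32]) + ipaddress.IPv4Address(ip).packed + vni.to_bytes(3, "big"))
    return bytes([2, len(body)]) + body

# Remote VTEPs 10.0.0.2 and 10.0.0.3 send IMET routes; 10.0.0.2 also advertises one host MAC/IP on VNI 1000.
SAMPLE_NLRI = (build_imet("10.0.0.2", 100, 0, "10.0.0.2") + build_imet("10.0.0.3", 100, 0, "10.0.0.3")
               + build_mac_ip("10.0.0.2", 100, 0, "00:11:22:33:44:55", "192.168.1.10", 1000))
```

Running flood_list(parse_evpn_nlri(SAMPLE_NLRI), "10.0.0.1") from the local VTEP 10.0.0.1 yields {"10.0.0.2", "10.0.0.3"}; drop one of the build_imet calls and that VTEP disappears from the flood list, which is exactly the symptom described in Issue 2.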