Technical Tip: Understanding BGP Neighbor Establishment

shahrukh_khan · ‎08-26-2025

Description

This article describes Understanding Neighbor Establishment and Route Exchange.

Scope

FortiGate.

Solution

BGP uses an FSM to manage the lifecycle of peer connections. Each state represents a phase in establishing and maintaining a session. Transitions occur based on events like timers, TCP connections, or message receipts.

This article examines an example BGP debug output from a FortiGate device. The logs capture the process of BGP neighbor establishment, message encoding/decoding, and route announcements, as well as break down the key events, incorporate relevant debug snippets, and explain each BGP FSM state to provide a comprehensive understanding.

BGP debug CLI:

diagnose debug reset

diagnose ip router bgp level info
diagnose ip router bgp all enable

diagnose debug console timestamp enable

diagnose debug enable

To disable:

diagnose debug disable

diagnose debug reset

The debug process will share the neighbor establishment reports that can conclude scopes like bad peer AS, hold Timer expired, connection collision etc. Some examples of events and stats are shared below.

Initial Route Scanning and Link Up Events:

The logs begin with BGP scanning its Routing Information Base (RIB) and network routes in VRF 0. This is a periodic task to ensure route consistency.

2025-08-23 22:11:55 [root] BGP: [RIB] Scanning BGP Network Routes for VRF 0...

2025-08-23 22:11:55 [root] BGP: [RIB] Scanning BGP RIB for VRF 0...

Shortly after, a 'Link Up' NSM (Network Service Module) message is logged for interface A/F1-Pr_IB, indicating a physical or logical link becoming active, which could trigger BGP sessions.

2025-08-23 22:12:05 [root] BGP: NSM Message Header

2025-08-23 22:12:05 [root] BGP: VR ID: 1

2025-08-23 22:12:05 [root] BGP: VRF ID: 0

2025-08-23 22:12:05 [root] BGP: Message type: Link Up (29)

...

2025-08-23 22:12:05 [root] BGP: NSM Interface

2025-08-23 22:12:05 [root] BGP: Interface index: 41

2025-08-23 22:12:05 [root] BGP: Name: A/F1-Pr_IB

Detailed FSM Transition for Neighbor 101.101.101.3.

Connect State: BGP initiates a TCP connection.

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [FSM] State: Connect Event: 9

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [NETWORK] FD=28, Sock Status: 0-Success

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [FSM] State: Connect Event: 17

Event 9 likely triggers the connect attempt, and success (Event 17) moves it forward.

OpenSent State: OPEN message is encoded and sent, including capabilities like multiprotocol extensions (Cap Code 1), route refresh (Cap Codes 128/2), 4-byte AS (Cap Code 65), and graceful restart (Cap Code 64).

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [ENCODE] Msg-Hdr: Type 1

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [ENCODE] Open: Ver 4 MyAS 65001 Holdtime 180

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [ENCODE] Open: Msg-Size 95

...

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Msg-Hdr: type 1, length 95

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open: Optional param len 66

... (multiple capability decodes)
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: Cap Code 128, Cap Len 0
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: RR Cap(old) for all address-families
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: Cap Code 2, Cap Len 0
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: RR Cap(new) for all address-families
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: Cap Code 65, Cap Len 4
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 8
2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Open Cap: Cap Code 64, Cap Len 6
...

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [FSM] State: OpenSent Event: 19

Event 19 indicates the peer's OPEN was received and validated.

OpenConfirm State: KEEPALIVE is sent and received to confirm.

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [ENCODE] Msg-Hdr: Type 4

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [ENCODE] Keepalive: 411 KAlive msg(s) sent

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] Msg-Hdr: type 4, length 19

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [DECODE] KAlive: Received!

2025-08-23 22:12:57 [root] BGP: 101.101.101.3-Outgoing [FSM] State: OpenConfirm Event: 26

Event 26 (KEEPALIVE received) transitions to Established.

Established State: Adjacency is up, and routes are exchanged via UPDATE messages.

2025-08-23 22:12:57 id=20300 msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 101.101.101.3 Up "

...

2025-08-23 22:13:21 [root] BGP: 101.101.101.3-Outgoing [DECODE] Msg-Hdr: type 2, length 60

2025-08-23 22:13:21 [root] BGP: 101.101.101.3-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (41), msg_size (41)

2025-08-23 22:13:21 [root] BGP: 101.101.101.3-Outgoing [DECODE] Update: NLRI Len(16)

2025-08-23 22:13:21 [root] BGP: 101.101.101.3-Outgoing [FSM] State: Established Event: 27

2025-08-23 22:13:21 [root] BGP: 101.101.101.3-Outgoing [RIB] Update: Received Prefix 31.31.31.0/24 path_id 0

... (similar for 34.34.34.0/24, 33.33.33.0/24, 32.32.32.0/24)

2025-08-23 22:13:21 [root] BGP: 101.101.101.3-Outgoing [DECODE] Msg-Hdr: type 2, length 23

2025-08-23 22:13:21 [root] BGP: 101.101.101.3-Outgoing [FSM] Update: IPv4 Unicast End-Of-Rib Marker Received

The peer sends prefixes (for example, 31.31.31.0/24) and an End-of-RIB (EOR) marker, signaling the end of the initial route dump. Local routes (e.g., 41.41.41.0/24) are announced back.

Later, KEEPALIVEs are exchanged to maintain the session:

2025-08-23 22:13:46 [root] BGP: 101.101.101.3-Outgoing [DECODE] Msg-Hdr: type 4, length 19

2025-08-23 22:13:46 [root] BGP: 101.101.101.3-Outgoing [DECODE] KAlive: Received!

2025-08-23 22:13:47 [root] BGP: 101.101.101.3-Outgoing [ENCODE] Msg-Hdr: Type 4

2025-08-23 22:13:47 [root] BGP: 101.101.101.3-Outgoing [ENCODE] Keepalive: 412 KAlive msg(s) sent

Technical Tip: Understanding BGP Neighbor Establishment

You are leaving our website