Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mahmed
Staff
Staff

Created on ‎09-19-2025 08:43 AM

Article Id 411098

Technical Tip: Wrong route-tag added to BGP routes redistributed from OSPF

Description This article describes an issue where OSPF routes redistributed into BGP using a route-map with high route-tag values (for example, greater than 2147483647) do not appear with the correct route-tag in the BGP RIB. As a result, the expected tag value may be altered or not reflected properly, potentially impacting route filtering or policy decisions that rely on these tags.
Scope FortiOS.
Solution

When redistributing OSPF routes into BGP on FortiGate, users may encounter problems where route-tags set via a route-map do not appear as expected in the BGP Routing Information Base (RIB). This can impact route selection, particularly in deployments where route-tag values  are used to distinguish and prefer routes.

 

The issue occurs when using route-tag values close to the maximum unsigned integer limit (4294967295), which leads to incorrect backend processing in route-maps.

 

A prefix, 10.123.0.0/16, learned via OSPF with route-tag 4294967295 is redistributed into BGP with an incorrect tag (for example, 4294967223). 

 

FortiGate is receiving OSPF external route with route-tag value 4294967295.

 

get router info ospf database adv-router x.x.x.x

.....

 AS External Link States
10.123.0.0 10.101.101.101 625 80010df0 72dd 0012 E2 10.123.0.0/16 4294967295
10.123.0.0 10.102.102.102 1289 80010dea 60f1 0012 E2 10.123.0.0/16 4294967295
 

By default, the OSPF route-tag is automatically redistributed into the BGP RIB. In this scenario, an inbound route-map was applied to explicitly set the tags.

 

Example: Route-map configuration

 

config router route-map

    edit "Out_BGP"
        set comments "redistribute routes into BGP using OSPF tags"
            config rule
                edit 1
                    set match-tag 4294967223
                    unset set-ip-prefsrc
                    set set-tag 4294967223
                    set set-route-tag 4294967223
                next
                edit 2
                    set match-tag 4294967295
                    unset set-ip-prefsrc
                    set set-tag 4294967295
                    set set-route-tag 4294967295
                next
end

 

Example: Redistribution configuration.

 

config router bgp

    config redistribute "ospf"

        set route-map Out_BGP

        set status enable

    end

end

 

When checking the BGP RIB, the redistributed OSPF route for 10.123.0.0/16 incorrectly shows a route-tag of 4294967223 instead of 4294967295.

 

get router info bgp network 10.123.0.0/16
VRF 0 BGP routing table entry for 10.123.0.0/16
   Local
      10.145.61.3 from 0.0.0.0 (200.1.100.1)
              Origin incomplete, distance 20, metric 20, route tag 4294967223, tag 4294967295, localpref 100, valid, sourced, best

 

Workaround:


Avoid using high values for set-tag in route-maps. Use values less than or equal to 2147483647.

 

This issue will be fixed in future versions of FortiOS (starting from 7.4.10 or higher).
191
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.