subramanis
Staff
Article Id 417746
Description This article provides the solution for the error 'OPEN Message Error/Bad Peer AS' when performing BGP debugging.
Scope FortiGate.
Solution

When enabling BGP debugging on the FortiGate devices, the following log messages are observed:

 

2025-11-04 01:53:22 [root] BGP: %BGP-3-NOTIFICATION: received from 192.168.1.2 2/2 (OPEN Message Error/Bad Peer AS.) 4 data-bytes [fd e8 00 00]
2025-11-04 01:53:22 [root] BGP: 192.168.1.2-Outgoing [FSM] State: OpenConfirm Event: 25
2025-11-04 01:53:22 [root] BGP: 192.168.1.2-Outgoing [FSM] BGP Notification received

 

This indicates that the BGP OPEN message exchange failed due to a mismatch in the expected and received peer AS numbers.
The BGP 'OPEN Message Error/Bad Peer AS' occurs when the local device’s configured remote-as value does not match the AS number that the remote peer advertises in its BGP OPEN message.
 
In this example, the Spoke1 device is configured with an incorrect remote-as value (65002 instead of 65000), causing the session to fail:
 
Hub(Port4)< --- >(port4)spoke1
 
Hub Configuration:
 
Hub # show system interface port4
config system interface
    edit "port4"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 4
    next
end
Hub # show router bgp 
config router bgp
    set as 65000
    set router-id 1.1.1.1
    set network-import-check disable
    config neighbor
        edit "192.168.1.2"
            set soft-reconfiguration enable
            set remote-as 65001
        next
    end
 
Spoke1 Configuration:
 
spoke1 # show  system interface port4 
config system interface
    edit "port4"
        set vdom "root"
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 4
    next
end
spoke1 # show  router bgp 
config router bgp
    set as 65001
    set router-id 2.2.2.2
    set network-import-check disable
    config neighbor
        edit "192.168.1.1"
            set soft-reconfiguration enable
            set remote-as 65002 <----- Remote as configured incorrectly instead of 65000.
        next
    end
 
Hub # get router info bgp  summary 
VRF 0 BGP router identifier 1.1.1.1, local AS number 65000
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries
 
Neighbor    V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2 4      65001     193     237        0    0    0    never Idle       
Total number of neighbors 1
 
BGP Debug Commands:
 
diagnose ip router bgp level info
diagnose ip router bgp all enable
diagnose debug  console timestamp  enable 
diagnose debug enable
 

Resolution:

Ensure that each peer’s remote-as matches the local as of its neighbor:

  • The Hub has set as 65000 → Spoke1 must have set remote-as 65000.
  • Spoke1 has set as 65001 → the Hub must have set remote-as 65001.

 

Correct the Spoke1 BGP configuration:

 

config router bgp
    config neighbor
        edit "192.168.1.1"
            set remote-as 65000
        next
    end
end

Verification:

 

Hub # get router info bgp summary

VRF 0 BGP router identifier 1.1.1.1, local AS number 65000
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries

Neighbor    V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2 4      65001     214     263        0    0    0 00:00:26        2

Total number of neighbors 1
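
The check from the Resolution section, written as an added Python example that is not part of the original article or any Fortinet tooling. It parses each device's `show router bgp` output and reports every neighbor whose remote-as differs from that peer's own `set as`. The function names and the device-to-IP mapping are assumptions of this example, and the embedded configurations are constructed from the outputs shown above, trimmed to the relevant lines.

```python
# Added example (helper names are hypothetical); configs are constructed from the article's output.
HUB_CFG = """config router bgp
    set as 65000
    config neighbor
        edit "192.168.1.2"
            set remote-as 65001
        next
    end
"""
SPOKE1_CFG = """config router bgp
    set as 65001
    config neighbor
        edit "192.168.1.1"
            set remote-as 65002
        next
    end
"""

def parse_bgp(text):
    """Return (local_as, {neighbor_ip: remote_as}) from `show router bgp` text."""
    local_as, neighbors, stack, current = None, {}, [], None
    for raw in text.splitlines():
        tok = raw.split("<--")[0].split()  # drop "<-----" annotations
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))  # track nested config blocks
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and len(tok) > 1:
            current = tok[1].strip('"')
        elif tok[0] == "set" and len(tok) >= 3:
            if tok[1] == "as" and stack == ["router bgp"]:
                local_as = int(tok[2])
            elif tok[1] == "remote-as" and stack[-1:] == ["neighbor"]:
                neighbors[current] = int(tok[2])
    return local_as, neighbors

def check_peering(devices):
    """devices: {name: (peering_ip, bgp_cfg)}. Returns a list of mismatches."""
    parsed = {n: (ip, *parse_bgp(cfg)) for n, (ip, cfg) in devices.items()}
    owner = {ip: (n, las) for n, (ip, las, _) in parsed.items()}
    problems = []
    for name, (_, _, nbrs) in parsed.items():
        for nbr_ip, remote_as in nbrs.items():
            peer, peer_as = owner.get(nbr_ip, (None, None))
            if peer and remote_as != peer_as:
                problems.append((name, nbr_ip, remote_as, peer, peer_as))
    return problems
```

Each returned tuple reads (device, neighbor IP, configured remote-as, peer name, peer's local AS); neighbors whose configuration was not supplied are skipped.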
