A BGP peering session over the tunnel between FG1 and FG2 fails to come up.
The tunnel interfaces are addressed 169.254.116.1 on FG1 and 169.254.116.2 on FG2.
With packet sniffing enabled on the FortiGate, traffic is seen in both directions, so the tunnel itself is passing packets:
169.254.116.1<FG1>---TEST-----<FG2>169.254.116.2
Run the sniffer with the command below (filtering on the two tunnel addresses and BGP's TCP port 179):
FG2# diagnose sniffer packet any 'host 169.254.116.1 and host 169.254.116.2 and tcp port 179' 4 0 l
2023-09-20 10:45:58.781621 Test in 169.254.116.1.13989 -> 169.254.116.2.179: syn 1626232121
2023-09-20 10:45:58.781645 Test out 169.254.116.2.179 -> 169.254.116.1.13989: syn 3828700932 ack 1626232122
2023-09-20 10:45:58.807656 Test in 169.254.116.1.13989 -> 169.254.116.2.179: ack 3828700933
2023-09-20 10:45:58.807770 Test out 169.254.116.2.179 -> 169.254.116.1.13989: fin 3828700933 ack 1626232122
2023-09-20 10:45:58.807939 Test in 169.254.116.1.13989 -> 169.254.116.2.179: psh 1626232122 ack 3828700933
2023-09-20 10:45:58.807948 Test out 169.254.116.2.179 -> 169.254.116.1.13989: rst 3828700933
2023-09-20 10:45:58.846569 Test in 169.254.116.1.13989 -> 169.254.116.2.179: ack 3828700934
2023-09-20 10:45:58.846579 Test out 169.254.116.2.179 -> 169.254.116.1.13989: rst 3828700934
Press Ctrl+C to stop the sniffer.
Note what the capture shows: the TCP three-way handshake (SYN, SYN-ACK, ACK) completes on the 'Test' interface, and FG2 itself then sends a FIN followed by RSTs. The connection reaches the BGP daemon on FG2 and is rejected there, so the fault is not in the transport path but in how BGP handles the incoming session.
In the BGP debug output, the error '169.254.116.1 expected iif 11 from peer group but received from 47' appears.
Enable BGP debugging with the commands below:
FG2# diagnose debug reset
FG2# diagnose ip router bgp all enable
FG2# diagnose ip router bgp level info
FG2# diagnose debug enable
BGP: [NETWORK] Accept Thread: Incoming conn 169.254.116.1 expected iif 11 from peer group but received from 47
BGP: [RIB] Scanning BGP Network Routes...
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f1095283400 for sock=26
BGP: bgp_ih_on_read:434 request type=4 len=24 vfid=0 start=0 count=4294967295 flags=0x1
BGP: bgp_ih_on_read:485 response type=4 len=300 vfid=0 start=0 count=3 flags=0x1 total=3 ret=308
BGP: bgp_ih_on_close:8 delete ipc_handler=0x7f1095283400 for sock=26
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f1095283400 for sock=26
BGP: bgp_ih_on_read:434 request type=5 len=24 vfid=0 start=0 count=0 flags=0x1
BGP: bgp_ih_on_read:485 response type=5 len=68 vfid=0 start=0 count=1 flags=0x1 total=1 ret=76
BGP: bgp_ih_on_close:8 delete ipc_handler=0x7f1095283400 for sock=26
BGP: [NETWORK] Accept Thread: Incoming conn from host 169.254.116.1 (FD=26 VRF=0)
BGP: [NETWORK] Accept Thread: Incoming conn 169.254.116.1 expected iif 11 from peer group but received from 47
BGP: [RIB] Scanning BGP RIB...
Stop debugging with the commands below:
FG2# diagnose debug disable
FG2# diagnose debug reset
Reviewing the configuration shows that the wrong interface is specified for the BGP neighbor.
The error message means that the BGP daemon accepted the connection from 169.254.116.1 on the 'Test' interface (index=47, the tunnel), but the neighbor is configured with 'set interface "port5"' (index=11). Because the ingress interface does not match the configured one, FG2 tears the session down right after the handshake, which is the FIN/RST seen in the sniffer output.
config router bgp
    set as 65400
    set router-id 169.254.116.2
    set keepalive-timer 10
    set holdtime-timer 30
    set scan-time 30
    config neighbor
        ...
            set remote-as 65004
        next
        edit "169.254.116.1"
            set capability-default-originate enable
            set interface "port5"    <----- index=11
            set remote-as 65555
        next
    end
end
'diagnose ip address list' (abbreviated 'di ip add list') shows the index behind each interface name:
Mainfirewall # diagnose ip address list
IP=10.9.10.83->10.9.10.83/255.255.240.0 index=11 devname=port5
IP=169.254.116.2->169.254.116.2/255.255.255.0 index=47 devname=Test
Once the 'set interface "port5"' line below is removed from the neighbor (or changed to the tunnel interface "Test", which is where the peer's packets actually arrive), the BGP neighborship comes up across the tunnel:
config router bgp
    config neighbor
        edit "169.254.116.1"
            set capability-default-originate enable
            set interface "port5"    <----- remove this line; the neighborship then comes up.
            set remote-as 65555
        next
    end
end
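The three outputs above (the sniffer capture, the BGP debug line and the address list) can be correlated mechanically. The script below is an added example, not Fortinet code or part of the original article: it parses constructed copies of the article's output, confirms that the TCP handshake completed and that FG2 was the side that closed the session, extracts the expected and actual interface indexes from the 'expected iif ... received from ...' message, resolves both indexes to interface names via the address list, and prints the corrective 'set interface' line. The regular expressions encode assumptions about the exact output format of these three FortiOS commands (taken from the text shown on this page) and may need adjusting for other FortiOS versions.

```python
"""Triage a BGP session that is rejected right after the TCP handshake.

Added example (not Fortinet code). Input samples below are constructed
copies of the output shown in the article; the regexes assume that format.
"""
import re

# Constructed sample: 'diagnose sniffer packet' lines on TCP/179, as in the article.
SNIFFER = """\
2023-09-20 10:45:58.781621 Test in 169.254.116.1.13989 -> 169.254.116.2.179: syn 1626232121
2023-09-20 10:45:58.781645 Test out 169.254.116.2.179 -> 169.254.116.1.13989: syn 3828700932 ack 1626232122
2023-09-20 10:45:58.807656 Test in 169.254.116.1.13989 -> 169.254.116.2.179: ack 3828700933
2023-09-20 10:45:58.807770 Test out 169.254.116.2.179 -> 169.254.116.1.13989: fin 3828700933 ack 1626232122
2023-09-20 10:45:58.807939 Test in 169.254.116.1.13989 -> 169.254.116.2.179: psh 1626232122 ack 3828700933
2023-09-20 10:45:58.807948 Test out 169.254.116.2.179 -> 169.254.116.1.13989: rst 3828700933
"""

# Constructed sample: 'diagnose ip router bgp' debug lines, as in the article.
BGP_DEBUG = """\
BGP: [NETWORK] Accept Thread: Incoming conn from host 169.254.116.1 (FD=26 VRF=0)
BGP: [NETWORK] Accept Thread: Incoming conn 169.254.116.1 expected iif 11 from peer group but received from 47
BGP: [RIB] Scanning BGP RIB...
"""

# Constructed sample: 'diagnose ip address list' lines, as in the article.
ADDR_LIST = """\
IP=10.9.10.83->10.9.10.83/255.255.240.0 index=11 devname=port5
IP=169.254.116.2->169.254.116.2/255.255.255.0 index=47 devname=Test
"""

# Assumed formats (derived from the page's own output, not from Fortinet docs).
SNIFF_RE = re.compile(
    r'^\S+ \S+ (?P<ifname>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): (?P<flags>.*)$')
IIF_RE = re.compile(
    r'Incoming conn (?P<peer>\S+) expected iif (?P<expected>\d+) '
    r'from peer group but received from (?P<actual>\d+)')
ADDR_RE = re.compile(r'index=(?P<index>\d+) devname=(?P<devname>\S+)')
FLAG_RE = re.compile(r'\b(syn|ack|fin|rst|psh)\b')


def parse_sniffer(text):
    """One dict per packet line: interface, direction, endpoints, TCP flag set."""
    pkts = []
    for line in text.splitlines():
        m = SNIFF_RE.match(line)
        if m:
            d = m.groupdict()
            d['flags'] = frozenset(FLAG_RE.findall(d['flags']))
            pkts.append(d)
    return pkts


def tcp_verdict(pkts):
    """Did the 3-way handshake complete, and which side closed first afterwards?"""
    flags = [(p['dir'], p['flags']) for p in pkts]
    handshake = (len(flags) >= 3
                 and flags[0] == ('in', frozenset({'syn'}))
                 and flags[1] == ('out', frozenset({'syn', 'ack'}))
                 and flags[2] == ('in', frozenset({'ack'})))
    closed_by = None
    for direction, f in flags[3:]:
        if f & {'fin', 'rst'}:
            # 'out' means the local box (the one sniffing) closed the session.
            closed_by = 'local' if direction == 'out' else 'remote'
            break
    return {'handshake': handshake, 'closed_by': closed_by,
            'ingress_if': pkts[0]['ifname'] if pkts else None}


def parse_iif_mismatch(text):
    """Expected vs actual ingress interface index from the BGP debug, if present."""
    for line in text.splitlines():
        m = IIF_RE.search(line)
        if m:
            return {'peer': m['peer'], 'expected': int(m['expected']),
                    'actual': int(m['actual'])}
    return None


def parse_addr_list(text):
    """Map interface index -> devname."""
    return {int(m['index']): m['devname'] for m in ADDR_RE.finditer(text)}


def diagnose(sniffer, debug, addr_list):
    """Correlate the three outputs and propose the neighbor fix."""
    verdict = tcp_verdict(parse_sniffer(sniffer))
    mismatch = parse_iif_mismatch(debug)
    if mismatch is None:
        return {'tcp': verdict, 'cause': None}
    names = parse_addr_list(addr_list)
    configured = names.get(mismatch['expected'], '?')
    ingress = names.get(mismatch['actual'], '?')
    return {
        'tcp': verdict,
        'cause': 'neighbor interface mismatch',
        'peer': mismatch['peer'],
        'configured_interface': configured,
        'ingress_interface': ingress,
        # The sniffer should show the same ingress interface the daemon complained about.
        'consistent_with_sniffer': verdict['ingress_if'] == ingress,
        'fix': 'config router bgp / config neighbor / edit "%s" / set interface "%s"'
               % (mismatch['peer'], ingress),
    }


if __name__ == '__main__':
    for k, v in diagnose(SNIFFER, BGP_DEBUG, ADDR_LIST).items():
        print('%-24s %s' % (k + ':', v))
```

The 'consistent_with_sniffer' flag is the cross-check worth keeping in a real runbook: if the daemon reports a different interface from the one the sniffer saw the SYN arrive on, something else (for example VRF or policy routing) is in play and the simple 'set interface' fix would not be the whole story.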