|
By default, FortiGate enforces RFC 8212, enforce-first-as (enabled by default since FortiOS v6.2 and newer). This check rejects any BGP UPDATE where the leftmost (first) AS in the AS_PATH is not exactly equal to the configured remote-as of the sending peer.
This is a security feature to prevent certain forms of route leaks and AS_PATH spoofing, but it can break specific legitimate scenarios.
Enable BGP debugs:
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable
To disable BGP debugs:
diagnose ip router bgp all disable
diagnose ip router bgp level none
diagnose debug reset
Note:
Starting from v7.2.0+, it is possible to collect BGP debugs for a specific neighbor by using the filter command 'diagnose ip router bgp set-filter neighbor <neighbor address>'. Follow this KB article for more details: Technical Tip: Capture BGP debugs for a specific neighbor.
The following would show up in debugs:
BGP: 10.10.10.2-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (4005), msg_size (86)
BGP: 10.10.10.2-Outgoing [DECODE] Attr ASPATH: Incorrect leftmost AS number, should be 65001
BGP: 10.10.10.2-Outgoing [FSM] State: Established Event: 28
BGP: 10.10.10.2-Outgoing [ENCODE] Msg-Hdr: Type 3
BGP: %BGP-3-NOTIFICATION: sending to 10.10.10.2 3/11 (UPDATE Message Error/Malformed AS_PATH.) 13 data-bytes [40 02 0a 02 02 00 00 4f f9 00 00 f4 73]
id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 10.10.10.2 Down BGP Notification FSM-ERR"
When performing a packet capture on Wireshark, it is possible to see this event:
For example:
Internet Protocol Version 4, Src: 10.68.15.2, Dst: 10.68.15.10
Transmission Control Protocol, Src Port: 179, Dst Port: 3520, Seq: 3746469723, Ack: 1613334526, Len: 81
Border Gateway Protocol - UPDATE Message
Marker: ffffffffffffffffffffffffffffffff
Length: 58
Type: UPDATE Message (2)
Withdrawn Routes Length: 0
Total Path Attribute Length: 27
Path attributes
Path Attribute - ORIGIN: IGP
Path Attribute - AS_PATH: 271799 <-----
Path Attribute - NEXT_HOP: 10.68.15.30
Path Attribute - MULTI_EXIT_DISC: 4
Network Layer Reachability Information (NLRI)
180.215.20.0/24
177.50.21.0/24
While the BGP router configuration for the reported neighbor is defined as:
config router bgp
set as 264002
set router-id 172.30.100.200
set recursive-next-hop enable
config neighbor
edit "10.68.15.2"
set activate6 disable
set next-hop-self enable
set route-server-client enable
set soft-reconfiguration enable
set as-override enable
set prefix-list-out "RoutePIT-OUT"
set remote-as 273412 <----
BGP debug on the FortiGate side shows the error and withdraws the received prefixes:
BGP: 10.68.15.2-Outgoing [DECODE] Msg-Hdr: type 2, length 58
BGP: 10.68.15.2-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (39), msg_size (39)
BGP: 10.68.15.2-Outgoing [DECODE] Attr ASPATH: Incorrect leftmost AS number, should be 273412
BGP: 10.68.15.2-Outgoing [DECODE] Update: NLRI Len(8)
BGP: 10.68.15.2-Outgoing [FSM] State: Established Event: 27
BGP: 10.68.15.2-Outgoing [RIB] Withdraw: Prefix 180.215.20.0/24 path_id 0
BGP: 10.68.15.2-Outgoing [RIB] Withdraw: Can't find route 180.215.20.0/24
BGP: 10.68.15.2-Outgoing [RIB] Withdraw: Prefix 177.50.21.0/24 path_id 0
BGP: 10.68.15.2-Outgoing [RIB] Withdraw: Can't find route 177.50.21.0/24
Check on the BGP peer to find out why FortiGate is receiving the 'incorrect AS number' error.
The routes received on FortiGate from the BGP peer should have the peer’s AS number as the left-most/first AS number of the AS path.
If changing this on the BGP peer is not possible, a viable workaround on FortiGate is to disable the command:
config router bgp
set enforce-first-as disable
end
When this setting is enabled, BGP does a comparison between the remote AS and several BGP peers configured locally with the first AS in the path of received routes.
Disabling this will resolve the issue.
|
