• BGP does not establish between two neighbor due to no response through VPN, even though the response packet is being sent by the neighbor.
• When the IP is configured in the VPN interface, it not recommended or suggested to configure static route for the respective subnet.
• The network is already aware of the firewall through directly connection.
• If the redistribute is enabled in one the firewalls, mainly in an ADVPN or hub and spoke topology: once the neighbor is established, the respective spoke firewall will advertise the network as its own.
• Due to this, while forming a neighbor with another spoke, the response packet will go to a different spoke firewall instead of the correct spoke.
• As a result, it is not recommended to configure the static route where the routes are already aware of the firewall.
• Also, when redistribution is enabled, make sure the route map is configured .

Troubleshooting commands for BGP:

get router info bgp summary
get router info routing-table details 192.168.1.1

get router info bgp neighbor 192.168.1.1 advertised-routes
get router info bgp neighbor 192.168.1.1 received-routes
get router info bgp network 192.168.10.0

Refer to the documents below to configure a route map or prefix list to limit the advertising of the routes:

• Technical Tip: How to control BGP route advertisement with prefix-list
• Applying BGP route-map to multiple BGP neighbors - FortiGate administration guide
• Route maps - FortiGate administration guide