FortiGate
alif
Staff
Article Id 387693
Description

This article describes why an eBGP peer may not change the next hop to itself due to the BGP NEXT_HOP attribute.

Scope

FortiGate.
Solution

An eBGP router normally uses its own IP address as the next hop address when advertising a route.

Consider the following network topology:

[Figure: network topology diagram]

Router 1 advertises 10.0.1.0/24 subnet to FortiGate with the next hop of virtual IP 192.168.1.1.


FortiGate advertises the BGP route 10.0.1.0/24 learned from Router 1 to Router 2 with a next hop IP address of 192.168.1.1. Normally, an eBGP speaker sets the next hop to its own IP address when it sends a prefix to another eBGP peer. That does not happen here because the BGP next hop (192.168.1.6) belongs to the same subnet (192.168.1.0/29) as the eBGP neighbor (192.168.1.x). This BGP next-hop optimization ensures that no unnecessary intermediate ASNs are added to the BGP AS_PATH attribute and that the shortest path is preferred, so FortiGate advertises the next hop address of Router 1 instead of its own when advertising Router 1 subnets to Router 2.


This is explained in BGP RFC 4271 under Section 5.1.3 - NEXT_HOP.
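To make the rule concrete, the following Python model of the RFC 4271 section 5.1.3 next-hop decision is an added example, not FortiGate code; it also includes the on-link check a receiving peer needs before a third-party next hop is usable. The FortiGate address 192.168.1.2/29, the Router 2 address 192.168.1.3 and the 192.168.2.0/30 link in the contrasting case are assumptions, since the article only gives Router 2 as 192.168.1.x.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_interface

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: IPv4Address  # NEXT_HOP as received from the originating peer

def advertised_next_hop(route: Route, local_if: IPv4Interface,
                        peer: IPv4Address, multihop: bool = False) -> IPv4Address:
    """NEXT_HOP an eBGP speaker sends to `peer` (RFC 4271, section 5.1.3).
    local_if is the speaker's address and mask on the interface facing the peer."""
    shared = local_if.network
    if not multihop and route.next_hop in shared and peer in shared:
        # Third-party next hop: the route's next hop is on the subnet shared with
        # the peer, so it is passed through unchanged and the peer forwards to it
        # directly instead of through this speaker.
        return route.next_hop
    # Any other case: the speaker must insert itself into the forwarding path.
    return local_if.ip

def peer_can_reach(next_hop: IPv4Address, peer_if: IPv4Interface) -> bool:
    """Check the receiving peer applies: a third-party next hop is only usable
    if it is on-link for the peer (or otherwise resolvable via its RIB)."""
    return next_hop in peer_if.network

# Constructed addresses: the article gives Router 1 at 192.168.1.1, the advertised
# next hop 192.168.1.6 on 192.168.1.0/29 and Router 2 only as 192.168.1.x; the
# FortiGate (.2) and Router 2 (.3) addresses below are assumptions.
ROUTE = Route("10.0.1.0/24", ip_address("192.168.1.6"))
FGT_SHARED_IF = ip_interface("192.168.1.2/29")
ROUTER2_SHARED = ip_interface("192.168.1.3/29")

def article_case() -> str:
    """Router 2 on the same /29: FortiGate keeps Router 1's next hop."""
    return str(advertised_next_hop(ROUTE, FGT_SHARED_IF, ROUTER2_SHARED.ip))

def separate_subnet_case() -> str:
    """Router 2 moved to its own /30 link (assumed addresses): FortiGate
    rewrites NEXT_HOP to its own interface address."""
    fgt_if = ip_interface("192.168.2.1/30")
    return str(advertised_next_hop(ROUTE, fgt_if, ip_address("192.168.2.2")))

if __name__ == "__main__":
    nh = advertised_next_hop(ROUTE, FGT_SHARED_IF, ROUTER2_SHARED.ip)
    print("shared /29:", nh, "reachable by Router 2:", peer_can_reach(nh, ROUTER2_SHARED))
    print("separate /30:", separate_subnet_case())
```

Running it prints 192.168.1.6 for the shared /29 case (the behaviour the article describes) and 192.168.2.1 once Router 2 sits on a different subnet, which is when the FortiGate address appears as the next hop.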
