seshuganesh
Staff
Article Id 213333
Description

This article describes how to troubleshoot a BGP neighborship that fails to establish in one specific scenario.
Scope

All FortiOS.

Solution

In this scenario, there are two FortiGates trying to establish a BGP peering using their loopback IP addresses.

 

(loopback)FGT1---------FGT2(loopback)

 

But they are not able to establish the BGP connection.

 

Troubleshooting:

 

The main requirements for establishing a BGP neighborship using loopback IP addresses are:

 

1) There must be a firewall policy between the port on which the incoming BGP connection arrives and the loopback interface.

 

2) When the BGP connection is initiated by one peer, it must be sourced from the IP address that the other peer expects.

 

3) By default, an EBGP neighborship can be established only if the other peer is the next hop (directly connected). In this scenario, since EBGP is being established with the loopback IP address, the peer will not be the next hop.

 

It is necessary to change the default behavior.

 

Network Diagram:

 

Loopback IP (FGT1)port1------------port1(FGT2) Loopback IP

 

Case-1:

 

The BGP connection from one peer is initiated towards the other peer on TCP port 179. On the receiving peer (FGT2), it is necessary to define a firewall policy between port1 and the loopback interface so that the traffic can reach the loopback interface.

In the same way, it is necessary to define a firewall policy between port1 and the loopback interface on FGT1 as well.

 

Case-2:

 

Let us consider that on FGT1, '12.0.0.1' (the neighbor's loopback IP address, i.e. FGT2's) has been defined as the neighbor, and on FGT2, '11.0.0.1' (FGT1's loopback IP) has been defined as the neighbor.

 

In this scenario, FGT1 will expect the connection from FGT2 to arrive with source IP '12.0.0.1', and at the same time FGT2 will expect the connection from FGT1 to arrive with source IP '11.0.0.1'.

 

When configuring the neighbor, it is necessary to define the source IP, as shown in the screenshots below:

 

FGT1 screenshot (image seshuganesh_0-1653823028568.png, not reproduced here).

FGT2 screenshot (image seshuganesh_1-1653823080672.png, not reproduced here).

 

With this setting defined, the BGP connection will actually be initiated from this source IP address.

 

Case-3:

 

By default, the EBGP neighborship will only be established if the neighbor is the next hop (directly connected).

 

To change this default behavior, it is necessary to enable the multihop option.

The following commands can be executed for this purpose:

 

# config router bgp
    config neighbor
        edit 12.0.0.1                  <----- 12.0.0.1 is the neighbor IP.
            set ebgp-enforce-multihop enable
            set ebgp-multihop-ttl 5    <----- 5 is the number of hops the connection may pass through to reach the other peer.
        next
    end
end

 

Note:

Define this setting on both neighbors if the peer is not the next hop.