Description: This article describes how to troubleshoot a BGP neighborship that fails to establish in one specific scenario.
In this scenario, two FortiGates are trying to establish a BGP session using their loopback IP addresses.
(loopback)FGT1---------FGT2(loopback)
However, they are not able to establish the BGP connection.
The main requirements for establishing a BGP neighborship using loopback IP addresses are:
1) There must be a firewall policy between the port that receives the incoming BGP connection and the loopback interface.
2) When the BGP connection comes from one peer, its source must be the IP address that the other peer expects.
3) By default, an EBGP neighborship can only be established if the other peer is the next hop (directly connected). In this scenario, since EBGP is being established with the loopback IP address, the peer will not be the next hop.
It is therefore necessary to change the default behavior.
Loopback IP (FGT1)port1------------port1(FGT2)Loopback IP
The BGP connection from one peer is initiated towards the other peer on TCP port 179. On the receiving peer, it is necessary to define a firewall policy from port1 to the loopback interface so that the traffic can reach the loopback IP address.
In the same way, it is necessary to define a firewall policy between port1 and the loopback interface on FGT1 as well.
Let's consider that in FGT1, '188.8.131.52' (the neighbor's loopback IP address) has been defined as the neighbor, and in FGT2 '184.108.40.206' (FGT1's loopback IP) has been defined as the neighbor.
In this scenario, FGT1 will expect the connection from FGT2 to come from source IP '220.127.116.11', and at the same time FGT2 will expect the connection from FGT1 to come from source IP '18.104.22.168'.
When configuring the neighbor, it is necessary to define the source IP, as shown in the screenshot below:
With this setting defined, the BGP connection will actually be initiated from this source IP address.
By default, the EBGP neighborship will only be established if the neighbor is the next hop.
To change this default behavior, it is necessary to enable the multihop option.
It is possible to execute the commands below for this purpose (the 'next' and 'end' lines are required to commit the change):
# config router bgp
# config neighbor
# edit 22.214.171.124    <----- 126.96.36.199 is the neighbor IP.
# set ebgp-enforce-multihop enable
# set ebgp-multihop-ttl 5    <----- 5 is the number of hops the connection is allowed to pass through to reach the other peer.
# next
# end
# end
Define this setting on both neighbors if the peer is not the next hop.
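As an added example that is not part of the original article, here is a complete FGT1-side configuration covering all three requirements: the loopback interface, the firewall policy from port1 to the loopback, and the neighbor with its source interface and multihop settings. The interface names, AS numbers and the 10.0.0.x/192.0.2.x addresses are assumed values, a route to the peer's loopback (here a static route over port1) is assumed because the session must be able to reach it, and lines starting with '#' are annotations rather than CLI input.

```fortios
# Loopback interface that carries the BGP session (assumed name and address)
config system interface
    edit "loopback0"
        set vdom "root"
        set type loopback
        set ip 10.0.0.1 255.255.255.255
    next
end

# Requirement 1: policy so that BGP (TCP/179) arriving on port1 can reach the loopback
config firewall policy
    edit 0
        set name "bgp-port1-to-loopback"
        set srcintf "port1"
        set dstintf "loopback0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "BGP"
    next
end

# Assumed: a route to the peer loopback via the directly connected port1 link
config router static
    edit 0
        set dst 10.0.0.2 255.255.255.255
        set gateway 192.0.2.2
        set device "port1"
    next
end

# Requirements 2 and 3: source the session from the loopback and allow a multihop EBGP peer
config router bgp
    set as 65001
    set router-id 10.0.0.1
    config neighbor
        edit "10.0.0.2"
            set remote-as 65002
            set update-source "loopback0"
            set ebgp-enforce-multihop enable
            set ebgp-multihop-ttl 5
        next
    end
end
```

FGT2 mirrors this configuration with the loopback, gateway and AS values swapped; without the firewall policy, the TCP/179 SYN arriving on port1 is dropped before it reaches the loopback, and without multihop the session is rejected because the peer is not directly connected.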