FortiGate
duenlim
Staff
Article Id 361764
Description This article describes how to troubleshoot and verify Bidirectional Forwarding Detection (BFD) sessions on a FortiGate, in particular a BFD session that flaps and takes an OSPF adjacency down with it.
Scope FortiGate running FortiOS 7.0 or 7.2.
Solution
  1. In the following sample, BFD is enabled on the FortiGate interface port7 towards a neighbor switch:

FortiGate 10.175.2.171 (Port7) <-> Switch 10.175.2.190.

Run the CLI command get router info bfd neighbor. The output shows that the BFD session with the neighbor switch is established (state UP):

 

OurAddress NeighAddress State Interface LDesc/RDesc
10.175.2.171 10.175.2.190 UP port7 9/9

 

For more information on this, refer to Technical Tip : FortiGate BFD implementation and examples (Bidirectional Forwarding Detection for OS...

 

  2. The BFD session goes up and down repeatedly. This is visible in the FortiGate router events below: each time the BFD session goes UP -> DOWN (local_diag=0x01), the OSPF neighbor on port7 goes Down at the same instant, because OSPF uses BFD for fast failure detection. Note that the entries are shown newest first.

     

    BFD:

    date=2024-11-07 time=08:20:21 eventtime=1730938820880874481 tz="+0800" logid="0103020304" type="event" subtype="router" level="warning" vd="V3" logdesc="Routing log warning" msg="BFD: BFD session[10.175.2.171->10.175.2.190,49159,port7,8]: state UP -> DOWN local_diag=0x01"

    date=2024-11-07 time=08:20:12 eventtime=1730938811418010346 tz="+0800" logid="0103020304" type="event" subtype="router" level="warning" vd="V3" logdesc="Routing log warning" msg="BFD: BFD session[10.175.2.171->10.175.2.190,49159,port7,8]: state DOWN -> UP local_diag=0x00"

     

    OSPF:

    date=2024-11-07 time=08:20:12 eventtime=1730938811416467227 tz="+0800" logid="0103020302" type="event" subtype="router" level="warning" vd="V3" logdesc="OSPF neighbor status changed" msg="OSPF: %OSPF-5-ADJCHANGE: neighbor port7:10.175.2.171-10.1.1.1 Up "

    date=2024-11-07 time=08:19:45 eventtime=1730938785159485105 tz="+0800" logid="0103020302" type="event" subtype="router" level="warning" vd="V3" logdesc="OSPF neighbor status changed" msg="OSPF: %OSPF-5-ADJCHANGE: neighbor port7:10.175.2.171-10.1.1.1 Down "

     

    BFD:

    date=2024-11-07 time=08:19:45 eventtime=1730938785159141511 tz="+0800" logid="0103020304" type="event" subtype="router" level="warning" vd="V3" logdesc="Routing log warning" msg="BFD: BFD session[10.175.2.171->10.175.2.190,49158,port7,7]: state UP -> DOWN local_diag=0x01"

    date=2024-11-07 time=08:19:38 eventtime=1730938779204044454 tz="+0800" logid="0103020304" type="event" subtype="router" level="warning" vd="V3" logdesc="Routing log warning" msg="BFD: BFD session[10.175.2.171->10.175.2.190,49158,port7,7]: state DOWN -> UP local_diag=0x00"

     

    OSPF:

    date=2024-11-07 time=08:19:38 eventtime=1730938779202869153 tz="+0800" logid="0103020302" type="event" subtype="router" level="warning" vd="V3" logdesc="OSPF neighbor status changed" msg="OSPF: %OSPF-5-ADJCHANGE: neighbor port7:10.175.2.171-10.1.1.1 Up "

    date=2024-11-07 time=08:19:05 eventtime=1730938745241543944 tz="+0800" logid="0103020302" type="event" subtype="router" level="warning" vd="V3" logdesc="OSPF neighbor status changed" msg="OSPF: %OSPF-5-ADJCHANGE: neighbor port7:10.175.2.171-10.1.1.1 Down "

     

     

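The correlation described in the step above can be done mechanically. The following script is an added example (not part of the original article or of FortiOS) that parses FortiGate router-event lines, pairs every BFD UP -> DOWN transition with an OSPF neighbor Down on the same interface within a short window, and decodes the local_diag value using the diagnostic codes from RFC 5880. The sample log is the set of router events quoted above; the 2-second window and the field names used in the result dictionaries are choices made here for illustration.

```python
import re

# BFD diagnostic codes, RFC 5880 section 4.1 (value of the Diag field).
BFD_DIAG = {
    0x00: "No Diagnostic",
    0x01: "Control Detection Time Expired",
    0x02: "Echo Function Failed",
    0x03: "Neighbor Signaled Session Down",
    0x04: "Forwarding Plane Reset",
    0x05: "Path Down",
    0x06: "Concatenated Path Down",
    0x07: "Administratively Down",
    0x08: "Reverse Concatenated Path Down",
}

# FortiGate event logs are key=value pairs; values containing spaces are quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
BFD_RE = re.compile(
    r'BFD session\[(?P<local>[\d.]+)->(?P<remote>[\d.]+),(?P<ldisc>\d+),'
    r'(?P<iface>\w+),(?P<rdisc>\d+)\]: state (?P<old>\w+) -> (?P<new>\w+) '
    r'local_diag=0x(?P<diag>[0-9a-fA-F]+)')
OSPF_RE = re.compile(
    r'neighbor (?P<iface>\w+):(?P<addr>[\d.]+)-(?P<rid>[\d.]+) (?P<state>Up|Down)')

# Router events from the article (newest first, as FortiGate lists them).
SAMPLE_LOG = '''\
date=2024-11-07 time=08:20:21 eventtime=1730938820880874481 tz="+0800" logid="0103020304" type="event" subtype="router" level="warning" vd="V3" logdesc="Routing log warning" msg="BFD: BFD session[10.175.2.171->10.175.2.190,49159,port7,8]: state UP -> DOWN local_diag=0x01"
date=2024-11-07 time=08:20:12 eventtime=1730938811418010346 tz="+0800" logid="0103020304" type="event" subtype="router" level="warning" vd="V3" logdesc="Routing log warning" msg="BFD: BFD session[10.175.2.171->10.175.2.190,49159,port7,8]: state DOWN -> UP local_diag=0x00"
date=2024-11-07 time=08:20:12 eventtime=1730938811416467227 tz="+0800" logid="0103020302" type="event" subtype="router" level="warning" vd="V3" logdesc="OSPF neighbor status changed" msg="OSPF: %OSPF-5-ADJCHANGE: neighbor port7:10.175.2.171-10.1.1.1 Up "
date=2024-11-07 time=08:19:45 eventtime=1730938785159485105 tz="+0800" logid="0103020302" type="event" subtype="router" level="warning" vd="V3" logdesc="OSPF neighbor status changed" msg="OSPF: %OSPF-5-ADJCHANGE: neighbor port7:10.175.2.171-10.1.1.1 Down "
date=2024-11-07 time=08:19:45 eventtime=1730938785159141511 tz="+0800" logid="0103020304" type="event" subtype="router" level="warning" vd="V3" logdesc="Routing log warning" msg="BFD: BFD session[10.175.2.171->10.175.2.190,49158,port7,7]: state UP -> DOWN local_diag=0x01"
date=2024-11-07 time=08:19:38 eventtime=1730938779204044454 tz="+0800" logid="0103020304" type="event" subtype="router" level="warning" vd="V3" logdesc="Routing log warning" msg="BFD: BFD session[10.175.2.171->10.175.2.190,49158,port7,7]: state DOWN -> UP local_diag=0x00"
date=2024-11-07 time=08:19:38 eventtime=1730938779202869153 tz="+0800" logid="0103020302" type="event" subtype="router" level="warning" vd="V3" logdesc="OSPF neighbor status changed" msg="OSPF: %OSPF-5-ADJCHANGE: neighbor port7:10.175.2.171-10.1.1.1 Up "
date=2024-11-07 time=08:19:05 eventtime=1730938745241543944 tz="+0800" logid="0103020302" type="event" subtype="router" level="warning" vd="V3" logdesc="OSPF neighbor status changed" msg="OSPF: %OSPF-5-ADJCHANGE: neighbor port7:10.175.2.171-10.1.1.1 Down "
'''


def parse_fields(line):
    """Split one FortiGate log line into a dict, stripping quotes from values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def parse_events(text):
    """Return BFD and OSPF router events, oldest first, with time in ns since epoch."""
    events = []
    for line in text.splitlines():
        f = parse_fields(line)
        if f.get("type") != "event" or f.get("subtype") != "router":
            continue
        t = int(f["eventtime"])          # eventtime is nanoseconds since the epoch
        msg = f.get("msg", "")
        m = BFD_RE.search(msg)
        if m:
            events.append({"t": t, "kind": "bfd", "iface": m["iface"], "remote": m["remote"],
                           "old": m["old"], "new": m["new"], "diag": int(m["diag"], 16)})
            continue
        m = OSPF_RE.search(msg)
        if m:
            events.append({"t": t, "kind": "ospf", "iface": m["iface"],
                           "rid": m["rid"], "state": m["state"]})
    events.sort(key=lambda e: e["t"])
    return events


def correlate(events, window_s=2.0):
    """For each BFD UP -> DOWN, report the decoded reason and whether an OSPF
    neighbor Down on the same interface occurred within window_s seconds."""
    window_ns = int(window_s * 1e9)
    ospf_downs = [e for e in events if e["kind"] == "ospf" and e["state"] == "Down"]
    results = []
    for b in (e for e in events if e["kind"] == "bfd" and e["new"] == "DOWN"):
        match = next((o for o in ospf_downs
                      if o["iface"] == b["iface"] and abs(o["t"] - b["t"]) <= window_ns), None)
        results.append({"t": b["t"], "iface": b["iface"], "remote": b["remote"],
                        "reason": BFD_DIAG.get(b["diag"], "unknown"),
                        "ospf_followed": match is not None,
                        "ospf_lag_s": (match["t"] - b["t"]) / 1e9 if match else None})
    return results


def flap_count(events, iface):
    """Number of BFD UP -> DOWN transitions seen on an interface."""
    return sum(1 for e in events if e["kind"] == "bfd" and e["iface"] == iface and e["new"] == "DOWN")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("BFD flaps on port7:", flap_count(evs, "port7"))
    for r in correlate(evs):
        print(r)
```

Run against a full export of the router events (for example the output of execute log filter with category event), the script gives a per-flap list of reasons; a run of "Control Detection Time Expired" entries points at the neighbor's transmissions not arriving in time, which is what the packet capture in the next step confirms. In the sample above, the 08:19:45 BFD DOWN is followed by the OSPF Down about 0.3 ms later; the 08:20:21 BFD DOWN has no OSPF event in the excerpt because the excerpt ends there.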
  3. Collect a packet capture of the BFD control traffic (UDP port 3784) with the CLI command diagnose sniffer packet any "udp port 3784" 6 0 l (verbosity 6 gives a hex dump that can be converted to pcap, 0 means no packet limit, l prints local timestamps).

Opening the capture in Wireshark shows that FortiGate 10.175.2.171 sent four BFD control packets (packet numbers 409, 410, 412 and 414) to the neighbor switch 10.175.2.190 while the switch sent none. Once the Detection Time expired without a packet from the switch, FortiGate declared the session down in packet 414; this is the same condition reported as local_diag=0x01 (Control Detection Time Expired) in the router events.


Furthermore, every instance where FortiGate brought the BFD session down (highlighted in black) was preceded by an interval in which no BFD packet was received from the neighbor switch 10.175.2.190.


BFD_Packets_Intermittent.png

 

 

Tip: The packet capture timestamps can be correlated with the timestamps of the FortiGate router events, so each UP -> DOWN log entry can be matched to the gap in the capture that caused it.

 

  4. For comparison, a healthy BFD exchange, with both sides transmitting at the negotiated interval, looks like this:
                                              

    BFD_Packets_Normal.png

     

     

  5. To resolve this kind of issue:

    1. Make sure the neighbor switch is configured with the correct Transmit Interval and Detection Time (detect multiplier) values, consistent with the FortiGate side.

    2. Run a concurrent packet capture on the neighbor switch to confirm that its BFD packets are actually transmitted and that the FortiGate's packets arrive, since packets could be dropped by an intermediate device.

    3. If the neighbor is confirmed to be silent or the captures disagree, check with the technical support of the product involved.

       

       

For more information on this, refer to Technical Tip: How FortiGate calculates BFD timers (Transmit Interval, Detection Time).
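To apply the capture analysis from step 3 and the timer check from step 5 without eyeballing Wireshark, the following added example (not part of the original article, and not FortiGate's own timer implementation, which the linked tip describes) computes the asynchronous-mode Detection Time with the RFC 5880 formula, measures the neighbor's actual transmit interval from the timestamps of its control packets, and locates the points at which the detection timer would have expired. The timer values (250 ms intervals, detect multiplier 3) and the packet timestamps are constructed for illustration, not taken from the article's capture; a real run would take the timestamps of packets from the neighbor out of the pcap.

```python
import statistics

# Timer values: constructed for this example, in microseconds.
LOCAL_REQUIRED_MIN_RX_US = 250_000    # FortiGate's Required Min RX Interval
REMOTE_DESIRED_MIN_TX_US = 250_000    # Desired Min TX Interval advertised by the switch
REMOTE_DETECT_MULT = 3                # Detect Mult advertised by the switch

# Arrival times (us) of BFD control packets from the neighbor, relative to the
# last packet seen before the window. Constructed: one 1 s gap in the middle.
RX_TIMES_US = [0, 250_000, 500_000, 750_000, 1_000_000,
               2_000_000, 2_250_000, 2_500_000]


def detection_time_us(remote_detect_mult, local_required_min_rx_us, remote_desired_min_tx_us):
    """Detection Time as the local system computes it in asynchronous mode
    (RFC 5880 section 6.8.4): the neighbor's Detect Mult times the neighbor's
    agreed transmit interval, i.e. the larger of our Required Min RX and its
    Desired Min TX."""
    return remote_detect_mult * max(local_required_min_rx_us, remote_desired_min_tx_us)


def observed_tx_interval_us(rx_times_us):
    """Median gap between consecutive packets from the neighbor. Robust to a
    single outage, so it reflects the rate the neighbor really sends at."""
    gaps = [b - a for a, b in zip(rx_times_us, rx_times_us[1:])]
    return statistics.median(gaps)


def tolerated_consecutive_loss(detection_us, tx_interval_us):
    """How many consecutive neighbor packets can be lost before the timer fires,
    assuming the neighbor sends exactly every tx_interval_us."""
    return detection_us // tx_interval_us - 1


def find_expiries(rx_times_us, detection_us, session_start_us=0):
    """Return the instants at which the detection timer expires, i.e. where the
    session would go UP -> DOWN with diag 0x01 (Control Detection Time Expired).
    Simplification: the session is treated as re-established by the very next
    packet, instead of modelling the three-way handshake."""
    expiries = []
    last_rx = session_start_us
    for t in rx_times_us:
        if t - last_rx > detection_us:
            expiries.append(last_rx + detection_us)
        last_rx = t
    return expiries


def check_neighbor(rx_times_us, detect_mult, local_min_rx_us, remote_min_tx_us):
    """Summarise whether the neighbor's real behaviour fits the negotiated timers."""
    det = detection_time_us(detect_mult, local_min_rx_us, remote_min_tx_us)
    observed = observed_tx_interval_us(rx_times_us)
    return {
        "detection_time_us": det,
        "observed_tx_interval_us": observed,
        # Sending slower than advertised shrinks the loss budget FortiGate assumes.
        "neighbor_slower_than_advertised": observed > remote_min_tx_us,
        "tolerated_loss": tolerated_consecutive_loss(det, observed),
        "expiries_us": find_expiries(rx_times_us, det),
    }


if __name__ == "__main__":
    report = check_neighbor(RX_TIMES_US, REMOTE_DETECT_MULT,
                            LOCAL_REQUIRED_MIN_RX_US, REMOTE_DESIRED_MIN_TX_US)
    for k, v in report.items():
        print(f"{k}: {v}")
```

With the constructed values the Detection Time is 750 ms, the neighbor is observed to send every 250 ms as advertised, up to two consecutive packets may be lost, and the 1 s gap after the packet at 1.0 s makes the timer fire at 1.75 s. If observed_tx_interval_us comes out larger than the advertised Desired Min TX on a real capture, the switch's transmit interval is the thing to fix (step 5.1); if the switch's own capture shows the packets leaving at the right rate but they are missing on the FortiGate side, an intermediate device is dropping them (step 5.2).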