FortiSASE
J_Xia
Staff
Article Id 337594
Description

This article describes how to resolve router ID conflicts that occur when configuring the Secure Private Access (SPA) service on FortiSASE. The BGP Router ID for each POP is automatically generated within the range of the 'BGP Router ID Subnet', starting from the first available address x.x.x.1 in the subnet.

In the example, the 'BGP Router ID Subnet' is 192.168.21.0/24.

If the FortiGate Hub is configured with 192.168.21.1 as its Router ID, the Hub's BGP debug logs will show an invalid Router ID for the POP, and the POP's BGP status will remain in the 'Idle' state.

Scope

FortiSASE.

Solution

To avoid Router ID conflicts, it is recommended to configure the BGP Router ID on the Hub using the last available address in the 'BGP Router ID Subnet', such as x.x.x.254. This practice ensures that the Router ID does not overlap with those automatically generated for POPs.
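
A pre-deployment check for the conflict described above, added here as an example and not taken from the article or from Fortinet: it reads the `router-id` from a hub's `config router bgp` block and compares it with the addresses the POPs are expected to take. The sample config, the AS number, the POP count of 4 and the assumption that POPs take consecutive addresses starting at x.x.x.1 are constructed for illustration.

```python
import ipaddress
import re

# Constructed hub config excerpt; the AS number is a placeholder.
SAMPLE_HUB_CONFIG = """\
config router bgp
    set as 65001
    set router-id 192.168.21.1
end
"""

def hub_router_id(config_text):
    """Return the router-id set directly under 'config router bgp', or None."""
    depth = 0          # nesting level of config blocks
    bgp_depth = None   # depth at which 'config router bgp' was opened
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config router bgp":
                bgp_depth = depth
        elif line == "end":
            if depth == bgp_depth:
                bgp_depth = None
            depth -= 1
        elif depth == bgp_depth:
            m = re.fullmatch(r"set router-id (\S+)", line)
            if m:
                return ipaddress.IPv4Address(m.group(1))
    return None

def check_hub_router_id(config_text, router_id_subnet, pop_count):
    """Compare the hub Router ID with the IDs the POPs are expected to take."""
    subnet = ipaddress.IPv4Network(router_id_subnet)
    # Assumption: POPs take consecutive addresses starting at x.x.x.1.
    pop_ids = [subnet[i] for i in range(1, pop_count + 1)]
    recommended = subnet[-2]  # last usable address, e.g. x.x.x.254 in a /24
    rid = hub_router_id(config_text)
    if rid is None:
        status = "missing"
    elif rid in pop_ids:
        status = "conflict"
    else:
        status = "ok"
    return {"status": status, "router_id": rid, "recommended": recommended}

if __name__ == "__main__":
    print(check_hub_router_id(SAMPLE_HUB_CONFIG, "192.168.21.0/24", pop_count=4))
```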
