This article describes a troubleshooting approach to take when BGP shows as down for one of the POPs in a FortiSASE deployment.
Scope: FortiSASE.
One common cause of this issue is a misconfiguration of the Router ID either on FortiSASE or on the HUB FortiGate.
In this setup, the HUB FortiGate acts as the hub, with four FortiSASE POPs connected to it.
The IPsec VPN tunnel is up, but BGP is showing as down for one of the POPs.
Network Configuration on FortiSASE is as follows:
Here, the BGP Router ID Subnet is 172.27.250.8/29.
Here, it can be observed that the Tokyo POP BGP peer is down.
Here, it can be observed that the Router ID for the Tokyo POP is 172.27.250.9.
The BGP Peer IP for Tokyo POP is 172.27.250.1 and the BGP Peer IP on the HUB FortiGate is 172.27.250.5.
In the packet capture for BGP traffic, the following details were observed:
On the open message sent from 172.27.250.1 (SASE Spoke), the Router ID on Tokyo POP is 172.27.250.9.
On the open message sent from 172.27.250.5 (HUB FortiGate), the Router ID on HUB FortiGate is 172.27.250.9.
The BGP notification message indicates a bad BGP Identifier. This is because both sides share the same router ID, which causes the conflict.
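To make the failure visible without a capture, here is an added Python example (not Fortinet code and not part of the original article) that builds the two OPEN messages with the router IDs from this case, applies the check the hub performed on the received BGP Identifier, and produces the resulting NOTIFICATION. The AS numbers and hold time are constructed values.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

MARKER = b"\xff" * 16              # RFC 4271 header marker
OPEN, NOTIFICATION = 1, 3          # message type codes
OPEN_MESSAGE_ERROR = 2             # NOTIFICATION error code
BAD_BGP_IDENTIFIER = 3             # subcode under OPEN Message Error


@dataclass
class BgpOpen:
    version: int
    my_as: int
    hold_time: int
    router_id: str


def build_open(my_as: int, hold_time: int, router_id: str) -> bytes:
    """Encode a minimal OPEN (no optional parameters); length is header + 10."""
    rid = int(ipaddress.IPv4Address(router_id))
    body = struct.pack("!BHHIB", 4, my_as, hold_time, rid, 0)
    return MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body


def parse_open(msg: bytes) -> BgpOpen:
    """Decode the fixed part of an OPEN, validating marker, type and length."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("invalid BGP message header")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != OPEN or length != len(msg):
        raise ValueError("not a well-formed OPEN message")
    version, my_as, hold_time, rid, _opt_len = struct.unpack("!BHHIB", msg[19:29])
    return BgpOpen(version, my_as, hold_time, str(ipaddress.IPv4Address(rid)))


def check_open(local_router_id: str, received: bytes) -> Optional[bytes]:
    """Reject a peer whose BGP Identifier collides with ours, as the hub did here.

    Returns a NOTIFICATION (OPEN Message Error / Bad BGP Identifier) on collision,
    or None when the OPEN is acceptable.
    """
    peer = parse_open(received)
    if peer.router_id == local_router_id:
        return MARKER + struct.pack("!HBBB", 21, NOTIFICATION,
                                    OPEN_MESSAGE_ERROR, BAD_BGP_IDENTIFIER)
    return None


def notification_reason(msg: bytes) -> str:
    """Map a NOTIFICATION's error code/subcode to the text seen in the capture."""
    code, subcode = msg[19], msg[20]
    if (code, subcode) == (OPEN_MESSAGE_ERROR, BAD_BGP_IDENTIFIER):
        return "Bad BGP Identifier"
    return f"error code {code}, subcode {subcode}"
```

Running `check_open("172.27.250.9", build_open(65001, 180, "172.27.250.9"))` reproduces the rejection from the capture; once the two router IDs differ, the same call returns None.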
Copyright 2025 Fortinet, Inc. All Rights Reserved.