Hi everyone,
I'm encountering a strange issue and I need some help.
I have two spoke sites and one hub in my network. The design involves Active Internet 1, Active Internet 2, and Backup Internet 3. I've noticed that the hub site is advertising the best routes, originating from other spokes' Internet 1 and Internet 2, to the backup BGP peer. This is causing routing issues and incorrect shortcuts.
However, I managed to find a solution to prevent this by configuring a community on the hub. Now, whenever the hub receives subnets from the backup with a certain community, it will only advertise them to other backup spoke circuits with the same community and deny anything else.
But now, I'm trying to advertise all paths to the spokes, not just the best one. Is there any way I can achieve this?
I've configured IBGP multipath with the "adv-multipath" command, but I've noticed that this command only advertises the best routes from the routing table of the hub, not the least preferred routes. Therefore, I need to advertise the least preferred routes as well.
FortiGate
Hi @Matrix - I'm not sure if this is possible, but you could consider adding weight to influence the route selection in spokes. In the Hub, each Internet connection has a different weight (lower value for less preferred routes), and in the Spokes, you could configure them to prefer routes with lower weights to ensure that the spokes prioritize only the lowest weight route but still receive information about other paths (higher weights).
Created on 03-25-2024 09:01 AM Edited on 03-25-2024 09:02 AM
Hi Ricky
I found a topic about my issue, but instead of 2 circuits I have 3, and the last one is backup. Unfortunately, when we do a failover, Transport 3 establishes a tunnel with another spoke's Transport 2, and all of this happened because the routes are coming to the spoke's Transport 3 with the next hop of Transport 1 and Transport 2 of another spoke.
Here is the reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-deny-advertising-BGP-routes-with-a-...
I will apply it tomorrow; hope it works.
Hi Ricky
My issue still persists; it's a weird one.
On my spoke sites I have 3 BGP peers: T1, T2, T3. Whenever I take down the T2 tunnel, T1 should be the only one working, but for some reason T3 BGP started to kick in and egress some traffic. I configured weight on the peers, so T1 80000, T2 80000, T3 60000, but T3 is still egressing traffic???
Does anybody have an idea? I reached out to Forti TAC; they couldn't find any issues! Is there any expertise here that could help fix this, or has anyone faced the same issue before?
Hi Matrix,
Have you resolved this?
@Matrix did you find a solution? I am facing something similar. I have 1 HUB and 2 spokes with 2 ISP connections each. I created ADVPN1 and ADVPN2 on the HUB. So far the HUB's ADVPN1 advertises the correct next hop to the spokes, but ADVPN2 advertises the next hop of ADVPN1, creating 2 shortcuts with the same next hop, so really I have only one usable shortcut.
Please share any recommendation.
Thanks