
ADVPN tunnel up but BGP on parent tunnel is down


I would like to understand whether any additional configuration is available to make the scenario below work.


In our SD-WAN setup we have one hub and two spokes. Spoke 1 and spoke 2 each have two internet links. The hub also has two internet links. Dial-up tunnels are built from each spoke to the hub through internet 1 and internet 2. Now there is some live traffic between spoke 1 and spoke 2 through the ADVPN tunnel over inet1 (as per the SD-WAN rule preference). In this scenario, from spoke 1's perspective, the spoke 2 route is learnt only through the child tunnel of inet 1 (the parent tunnel route on inet1 will be masked) and the parent tunnel of inet 2. Similar results can be seen on spoke 2 for the spoke 1 routes.

Now on spoke 1, the parent tunnel built over inet 1 is up, but the BGP neighbor with the hub goes to the Connect state for some unknown reason. This scenario makes the traffic break. Cause: spoke 1 will continue learning spoke 2 routes through the inet 1 child tunnel, and with the SD-WAN rule preference this child tunnel will be elected for forwarding traffic. But on the other side, on spoke 2, the spoke 1 routes will be learnt only through the inet 2 parent tunnel, since the hub will withdraw the routes of spoke 1 with the inet 1 next hop when advertising to spoke 2. Hence spoke 2 will have routes only through the inet 2 parent tunnel. This will cause an RPF check failure at spoke 2, and packets arriving from spoke 1 through the child tunnel on inet 1 get dropped at spoke 2 (spoke 1 is sending in the inet 1 child tunnel and spoke 2 doesn't have a route on that inet 1 child tunnel). This will break the communication.


This might be a rare scenario, but we have hit it. Is there any additional configuration available to overcome this scenario, or is this the expected behavior with version 7.2 (ADVPN version 1)? I hope that in 7.2 with ADVPN version 2 a spoke can build a direct BGP neighborship with another spoke and this situation can be avoided.


Has anyone faced this challenge in version 7.2 and applied any additional config? As of now, in the SD-WAN rule on spoke 1 we have changed the member preference from inet1 to inet2 as a workaround.




You can configure a direct BGP neighborship between spoke 1 and spoke 2, and on the hub create route maps for the route advertisements.
Also, in the SD-WAN rules, you can change the member preference to "inet2".


Referred link:




Building separate BGP neighbors between spokes might not be scalable for a large number of sites. I think this is a very corner-case scenario and there is no other workaround in version 7.2. But from version 7.4 with ADVPN 2.0 this problem can be solved.

I am just trying to explore alternate options within version 7.2.





Are you using network IDs for this connection? Please refer to the link below.

P R Chaitanya



Yes, we are using network ID 1 for the spoke-to-hub tunnel on inet1 and network ID 2 for the spoke-to-hub tunnel on inet2.
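For readers reproducing the setup discussed in this thread, below is an added FortiOS 7.2 CLI fragment for the spoke 1 side that puts the pieces together: the two dial-up parent tunnels on separate ADVPN network IDs (ID 1 on inet1, ID 2 on inet2, as the original poster confirms), the iBGP sessions to the hub over each parent tunnel, and the SD-WAN rule with the member order changed so inet2 is preferred, which is the workaround the original poster applied. This is example configuration written for this page, not configuration posted by anyone in the thread. All interface names, tunnel names, IP addresses, the AS number, and the address object "SPOKE2_LAN" are assumptions; the pre-shared key is a placeholder.

```text
# Spoke 1, FortiOS 7.2 CLI (added example; names and addresses are assumptions)

# Two parent tunnels to the hub, one per internet link, each on its own
# ADVPN network ID so shortcuts are only offered between tunnels on the
# same underlay.
config vpn ipsec phase1-interface
    edit "HUB-INET1"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set peertype any
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 1
        set proposal aes256-sha256
        set psksecret <pre-shared-key>
    next
    edit "HUB-INET2"
        set interface "wan2"
        set remote-gw 198.51.100.1
        set peertype any
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 2
        set proposal aes256-sha256
        set psksecret <pre-shared-key>
    next
end

# iBGP to the hub over each parent tunnel. The shortcut (child) tunnels
# carry the routes the hub reflects; if the session on HUB-INET1 drops
# while the tunnel itself stays up, this spoke keeps the inet1 shortcut
# route while the hub withdraws the inet1 path from the other spoke.
config router bgp
    set as 65000
    config neighbor
        edit "10.10.1.254"
            set remote-as 65000
            set interface "HUB-INET1"
        next
        edit "10.10.2.254"
            set remote-as 65000
            set interface "HUB-INET2"
        next
    end
end

# SD-WAN: both overlays in one zone. In manual mode the order of
# priority-members is the preference; "2 1" puts inet2 first, which is the
# workaround from the thread (the original order was "1 2").
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "HUB-INET1"
            set zone "overlay"
        next
        edit 2
            set interface "HUB-INET2"
            set zone "overlay"
        next
    end
    config service
        edit 1
            set name "to-spoke2"
            set mode manual
            set dst "SPOKE2_LAN"
            set priority-members 2 1
        next
    end
end
```

When checking the failure the thread describes, compare `get router info bgp summary` on spoke 1 (the HUB-INET1 neighbor stuck in Connect) with `get router info routing-table bgp` on spoke 2: if the spoke 1 prefix there is reachable only via the inet2 parent tunnel while spoke 1's SD-WAN rule still sends traffic into the inet1 shortcut, the reverse-path check on spoke 2 will drop those packets, as the original poster observed.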

