- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ADVPN tunnel up but BGP on parent tunnel is down
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ADVPN tunnel up but BGP on parent tunnel is down
Hi,
Would like to understand whether any possible additional configurations available for below scenario to work
In our SDWAN setup we have 1 Hub and two spokes. Spoke1 and Spoke2 has two inet links. Hub also has two internet links. Dialup tunnels built between spoke to Hub through internet 1 and internet 2. Now there are some live traffics between spoke 1 to spoke2 through ADVPN tunnel over inet1 (As per SDWAN rule preference). In this scenario from spoke1 perspective, spoke 2 route is learnt only through child tunnel of inet 1(Parent tunnel route on inet1 will be masked) and parent tunnel of Inet2. Similar results can be seen in spoke 2 for spoke 1 routes.
Now in spoke1 , parent tunnel built over inet 1 is up but BGP neighbor with hub goes to connect state for some unknown reason. This scenario makes traffic to break - Cause - Spoke 1 will continue learning spoke 2 routes through inet 1 child tunnel and with SDWAN rule preference this child tunnel will be elected for forwarding traffic but on the other side in spoke2 - Spoke 1 routes will be learnt only through inet2 parent tunnel only since Hub will withdraw the routes of spoke 1 with inet 1 next hop when advertising to spoke 2.. Hence spoke 2 will have routes only through inet 2 parent tunnel.. This will cause RPF check failure error at spoke2 and packet arriving from spoke1 through child tunnel on inet 1 gets dropped at spoke2.. (Spoke 1 sending in inet1 child tunnel and spoke 2 doesnt have route on that inet1 child tunnel) This will break the communication..
This might be a rare scenario but we have got this.. Is there any other additional configuration available to overcome this scenario or this is the expected behavior with 7.2 version (ADVPN version 1).. I hope in 7.2 with ADVPN version 2 spoke can build direct BGP neighborship with other spoke and this situation can be avoided..
Anyone faced this challenge in 7.2 version and have applied any additional config?.. As of now in SDWAN rule in spoke 1 we have changed the member preference from inet1 to inet 2 as workaround..
Labels:
- Labels:
-
FortiGate
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can configure direct BGP neighborship on spoke 1 and spoke2 and on the hub, create route maps for route advertisements.
Also, in sdwan rules, you can change member preference to "inet2".
referred link : https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/763341/basic-bgp-example
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Building separate BGP neighbors between spoke might not be scalable for large volume of sites. I think this is a very corner case scenario and there is no other workaround in 7.2 version. But from 7.4 version with ADVPN 2.0 this problem can be solved..
I am just trying to explore for alternate options within 7.2 version.
Regards
Raja
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using network id's for this connection? Please refer to the link below.
P R Chaitanya
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Yes, we are using network ID 1 for Spoke to Hub tunnel on inet1 and network ID 2 for spoke to Hub tunnel on inet 2..
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- VPN, Routing question. 61 Views
- FortiEms 7.2.4 build 0983 - MacOs... 119 Views
- Group multiple IPsec tunnels as a... 127 Views
- tracert not display the correct hop 750 Views
- why the outgoing interface is not... 258 Views
Labels
-
FortiGate
7,139 -
FortiClient
1,407 -
5.2
801 -
5.4
639 -
FortiManager
619 -
FortiAnalyzer
454 -
6.0
416 -
FortiAP
373 -
FortiSwitch
369 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
126 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
92 -
FortiCloud Products
89 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiExtender
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
Routing
16 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
IPS signature
5 -
Packet capture
5 -
Automation
5 -
DNS Filter
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiCache
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Web rating
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Fortinet Engage Partner Program
3 -
Traffic shaping profile
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1059 | |
| 883 | |
| 525 | |
| 441 | |
| 147 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.