I have a tunnel to connect from the branch to the datacenter, but the traffic seems to go to the wrong path.
In the BGP path I can see the next hop is right, pointing to the tunnel IP, but in the routing table traffic to the datacenter is forwarded to the internet gateway. Does anyone know why the traffic is forwarded to the internet in the routing table?
You asked the same question before.
https://community.fortinet.com/t5/Support-Forum/BGP-Path/m-p/381817#M265724
If you don't want the behavior of ADVPN, which it is designed for, you should stop using ADVPN and set up a simple iBGP mesh (or without mesh) network among your locations. Then those direct eBGP routes from datacenter/Azure would take precedence at each location.
I remember you, so I can tell this, but others who see this post for the first time wouldn't understand what's going on because you don't describe the entire picture of your network.
Toshi
Hello,
Sorry for the confusion. I'm still new to ADVPN, so I need some guidance from the experts here.
My topology is like the picture below; traffic from spoke1 to spoke2 is running fine.
When I try to disable tun0 on spoke2 (10.10.111.6), traffic from spoke2 can't reach spoke1.
When I check the BGP path, traffic to the spoke1 subnet 10.100.0.0/16 has the next hop set to 10.10.111.2. I think this is incorrect since tun0 on spoke2 is already disabled.
I believe the hub still advertises the spoke1 subnet via 10.10.111.2 to all spokes, since this is a valid path from the hub's perspective but not valid from spoke2's perspective.
The right path should use 10.10.112.2 or tun1 if tun0 goes down. Am I right?
I never knew ADVPN would work with multiple tunnels between spokes and a hub. It's not in the overall document below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-Auto-Discovery-VPN-ADVPN/ta-p/195...
Somebody else needs to validate this design.
Toshi