Hello!
I hope someone can help point me in the right direction here;
I am trying to get BGP peering between my Fortigate and my ISP's routers working. I have gotten the AS number, password, IP addresses, VLANs etc. to use from my ISP and they have configured their end.
I am all new to this, so please bear with me and I hope this makes sense:
Fortiswitches are in Active - Active with one BGP peer connected each.
BGP-PE1 (VLAN: 110 - IP: 100.10.10.9/30) - Connected on FSW-A (Port 25) (Allowed VLANs All)
BGP-PE2 (VLAN: 120 - IP: 100.10.10.19/30)- Connected on FSW-B (Port 25) (Allowed VLANs All)
Port 35 on FSW A, and Port 36 on FSW B are bundled in a 802.3ad Aggregate interface (Let's call this interface FortiLink)
Under this interface I have created two VLANs:
BGP-PE1 (Tag: 110) (100.10.10.10/30)
BGP-PE2 (Tag: 120) (100.10.10.20/30)
These VLANs are dedicated to "VDOM-A"
In VDOM-A I have the following BGP Config:
I have a local AS number (for example 50501)
Under Neighbors I have set the correct ip and Remote AS:
IP: 100.10.10.9 - Remote AS: 5001 (Update Source: BGP-PE1)
IP: 100.10.10.19 - Remote AS: 5001 (Update Source: BGP-PE2)
I have not gotten a Router ID to use, so I have left that field blank.
The password is also correct according to my ISP.
Under Routing monitor I see the state fluctuating between Active and Connecting all the time, but never established.
What is the problem here? If you need more info about the config please say so :) (The IPs and AS numbers are just examples)
Thanks in advance!
Hi Magster
Try use the FGT IP as router-id.
Thank you for the reply, you mean the IP of the FGT in the VLAN between the FGT and BGP peer? In this example: 100.10.10.9. I tried that, and looks like there is no difference.
This should help finding the root cause.
diagnose ip router bgp all enable
diagnose debug enable
Thanks again for the suggestion, when I type
diagnose ip router bgp all enable
it says logging enabled for 30 minutes, and then run
diagnose debug enable
It accepts the command but nothing happens. Looks like there is no BGP traffic going at all.
Sorry I forgot this one, please add it as well.
diagnose ip router bgp level info
I think you got a wrong IP from your ISP. 10.10.10.8/30's usable IPs are .9 and .10. But 10.10.10.16/30's are .17 and .18, then 10.10.10.20/30's are .21 and .22.
10.10.10.20/30 is the subnet address and not usable for either host.
Check with your ISP.
Toshi
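The /30 arithmetic Toshi is pointing at is easy to get wrong by hand, so here is a small checker (an added example, not part of the thread) that takes the FortiGate's interface address in CIDR form and the ISP peer address and reports whether the pair is a valid point-to-point link: local address not the network or broadcast address, peer inside the same /30 and itself a usable host. The addresses in the usage call are the example values from the thread.

```python
import ipaddress


def check_p2p_link(local_cidr: str, peer_ip: str) -> dict:
    """Validate a /30 point-to-point BGP link.

    local_cidr: the FortiGate VLAN interface address, e.g. "100.10.10.10/30"
    peer_ip:    the ISP router address that should sit in the same /30

    Returns {"ok", "network", "usable", "problems"}; every problem found is
    listed so a wrong local address and a wrong peer show up together.
    """
    iface = ipaddress.ip_interface(local_cidr)
    net = iface.network
    peer = ipaddress.ip_address(peer_ip)
    problems = []

    # This check is written for /30 (and larger) links; /31 has different rules.
    if net.prefixlen > 30:
        problems.append(f"{net} is smaller than /30; this check assumes /30 links")
        return {"ok": False, "network": str(net), "usable": [], "problems": problems}

    usable = list(net.hosts())  # network and broadcast addresses excluded

    if iface.ip == net.network_address:
        problems.append(f"{iface.ip} is the network address of {net}, not a host address")
    elif iface.ip == net.broadcast_address:
        problems.append(f"{iface.ip} is the broadcast address of {net}, not a host address")

    if peer not in net:
        problems.append(f"peer {peer} is not inside {net}; no connected route would reach it")
    elif peer == iface.ip:
        problems.append(f"peer {peer} is the same as the local address")
    elif peer not in usable:
        problems.append(f"peer {peer} is the network or broadcast address of {net}")

    return {
        "ok": not problems,
        "network": str(net),
        "usable": [str(h) for h in usable],
        "problems": problems,
    }


if __name__ == "__main__":
    # The two links as written in the original post; the second one is the
    # mistake Toshi spotted (.20 is the network address of 100.10.10.20/30).
    for local, peer in (("100.10.10.10/30", "100.10.10.9"),
                        ("100.10.10.20/30", "100.10.10.19")):
        r = check_p2p_link(local, peer)
        print(local, "<->", peer, "OK" if r["ok"] else "PROBLEMS: " + "; ".join(r["problems"]))
```

Run it against the real addresses from the ISP before touching the BGP config; a peer that fails this check will never get past Active because the FortiGate has no connected route to it.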
Hi @Magster ,
one more thing can you confirm that the ISP port plugged that interface is in VDOM-A?
Thank you for the replies!
@Toshi_Esumi oh yeah I saw that now, I messed it up in the examples given here. But the IP/subnets are correct IRL.
@dbhavsar Not sure I understand. The ISP's BGP ports (Port 25 on FSW A and B), are in the root VDOM with the Fortiswitches. I have set allowed VLANs all on those ports.
Then I have created an 802.3ad aggregate interface on ports 35 (FSW A) and ports 36 (FSW B), and then created the BGP-PE1 (110) and BGP PE2 (120) VLANs under this aggregate interface and placed those VLANs in VDOM-A.
Hello, I thought i should give an update as I have made some progress.
My problem was setting allowed VLANs all on the Fortiswitch ports connected to my ISP's BGP peers. I got some help from a Fortinet engineer, and I needed to set the specific VLANs from for example VDOM-A on the allowed VLANs (can only be done by CLI).
I am now able to ping my ISP's IP on the other end from my VLAN interfaces (BGP-PE1 and 2).
When I run the commands suggested by @AEK now I get the following output:
BGP: [RIB] Scanning BGP Network Routes...
BGP: [RIB] Scanning BGP RIB...
BGP: 100.10.10.10-Outgoing [FSM] State: Idle Event: 3
BGP: 100.10.10.10-Outgoing [NETWORK] FD=27, Sock Status: 101-Network is unreachable
BGP: 100.10.10.10-Outgoing [FSM] State: Connect Event: 18
BGP: 100.10.10.10-Outgoing [FSM] State: Active Event: 18
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f50321f7500 for sock=27
BGP: bgp_ih_on_read:434 request type=5 len=24 vfid=22 start=0 count=0 flags=0x1
BGP: bgp_ih_on_read:485 response type=5 len=24 vfid=22 start=0 count=0 flags=0x1 total=0 ret=32
BGP: bgp_ih_on_close:8 delete ipc_handler=0x7f50321f7500 for sock=27
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f50321f7500 for sock=27
BGP: bgp_ih_on_read:434 request type=4 len=24 vfid=22 start=0 count=4294967295 flags=0x1
BGP: bgp_ih_on_read:485 response type=4 len=300 vfid=22 start=0 count=3 flags=0x1 total=3 ret=308
BGP: bgp_ih_on_close:8 delete ipc_handler=0x7f50321f7500 for sock=27
BGP: 100.10.10.10-Outgoing [FSM] State: Idle Event: 3
BGP: 100.10.10.10-Outgoing [NETWORK] FD=27, Sock Status: 101-Network is unreachable
BGP: 100.10.10.10-Outgoing [FSM] State: Connect Event: 18
BGP: 100.10.10.10-Outgoing [FSM] State: Active Event: 18
BGP: 100.10.10.10-Outgoing [FSM] State: Idle Event: 3
BGP: 100.10.10.10-Outgoing [NETWORK] FD=27, Sock Status: 101-Network is unreachable
BGP: 100.10.10.10-Outgoing [FSM] State: Connect Event: 18
BGP: 100.10.10.10-Outgoing [FSM] State: Active Event: 18
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f50321f7500 for sock=27
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f50321f7540 for sock=28
BGP: bgp_ih_on_read:434 request type=4 len=24 vfid=22 start=0 count=4294967295 flags=0x1
BGP: bgp_ih_on_read:485 response type=4 len=300 vfid=22 start=0 count=3 flags=0x1 total=3 ret=308
BGP: bgp_ih_on_close:8 delete ipc_handler=0x7f50321f7500 for sock=27
BGP: bgp_ih_on_read:434 request type=5 len=24 vfid=22 start=0 count=0 flags=0x1
BGP: bgp_ih_on_read:485 response type=5 len=24 vfid=22 start=0 count=0 flags=0x1 total=0 ret=32
BGP: bgp_ih_on_close:8 delete ipc_handler=0x7f50321f7540 for sock=28
I immediately notice the Sock Status: 101-Network is unreachable message, but I am not so sure what it means or what the reason could be.
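Reading a `diagnose ip router bgp` capture by eye gets tedious once it loops, so here is a parser (an added example, not from the thread or from Fortinet) that collapses the two line shapes seen above, the `[FSM] State: ... Event: ...` transitions and the `[NETWORK] ... Sock Status: <errno>-<text>` errors, into one record per peer: the states seen, how many Idle/Connect/Active cycles ran, each socket errno with its count, whether Established was ever reached, and a hint for the dominant errno. The errno numbers are the standard Linux values (101 is ENETUNREACH); the hints are my interpretation of what each usually means on a FortiGate peer, and the sample capture is a constructed excerpt modelled on the post.

```python
import re
from collections import Counter, defaultdict

# The two line shapes we care about, as printed in the capture above.
FSM_RE = re.compile(
    r"^BGP: (?P<peer>[\d.]+)-(?P<dir>\w+) \[FSM\] State: (?P<state>\w+) Event: (?P<event>\d+)$"
)
SOCK_RE = re.compile(
    r"^BGP: (?P<peer>[\d.]+)-(?P<dir>\w+) \[NETWORK\] FD=(?P<fd>\d+), "
    r"Sock Status: (?P<errno>\d+)-(?P<msg>.+)$"
)

# Linux errno values; the hints are an interpretation, not FortiOS documentation.
ERRNO_HINTS = {
    101: "ENETUNREACH: the VDOM has no route to the peer (check the interface address, "
         "that the VLAN interface is in this VDOM, and the update-source)",
    110: "ETIMEDOUT: TCP/179 SYNs are being dropped on the path (VLAN tagging, "
         "switch allowed-VLANs, policy or ACL)",
    111: "ECONNREFUSED: the peer answers but is not accepting BGP from this source "
         "(check the peer's neighbor statement / update-source address)",
    113: "EHOSTUNREACH: a route exists but the next hop does not answer ARP "
         "(wrong VLAN, link down)",
}


def errno_hint(code: int) -> str:
    return ERRNO_HINTS.get(code, "unmapped errno; look it up in <errno.h>")


def summarize_bgp_debug(text: str) -> dict:
    """Summarise a BGP debug capture into one record per peer address."""
    peers = defaultdict(lambda: {"states": [], "sock_errors": Counter(), "established": False})
    for line in text.splitlines():
        line = line.strip()
        m = FSM_RE.match(line)
        if m:
            rec = peers[m["peer"]]
            rec["states"].append(m["state"])
            if m["state"] == "Established":
                rec["established"] = True
            continue
        m = SOCK_RE.match(line)
        if m:
            peers[m["peer"]]["sock_errors"][int(m["errno"])] += 1
        # RIB scans and bgp_ipc_* lines carry no peer state and are skipped.

    result = {}
    for peer, rec in peers.items():
        errors = rec["sock_errors"]
        top = errors.most_common(1)[0][0] if errors else None
        result[peer] = {
            "states": rec["states"],
            "cycles": rec["states"].count("Idle"),  # each retry starts from Idle
            "sock_errors": dict(errors),
            "established": rec["established"],
            "hint": errno_hint(top) if top is not None else "no socket errors seen",
        }
    return result


# Constructed excerpt modelled on the capture in the post above.
SAMPLE = """\
BGP: [RIB] Scanning BGP RIB...
BGP: 100.10.10.10-Outgoing [FSM] State: Idle Event: 3
BGP: 100.10.10.10-Outgoing [NETWORK] FD=27, Sock Status: 101-Network is unreachable
BGP: 100.10.10.10-Outgoing [FSM] State: Connect Event: 18
BGP: 100.10.10.10-Outgoing [FSM] State: Active Event: 18
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f50321f7500 for sock=27
BGP: 100.10.10.10-Outgoing [FSM] State: Idle Event: 3
BGP: 100.10.10.10-Outgoing [NETWORK] FD=27, Sock Status: 101-Network is unreachable
BGP: 100.10.10.10-Outgoing [FSM] State: Connect Event: 18
BGP: 100.10.10.10-Outgoing [FSM] State: Active Event: 18
"""

if __name__ == "__main__":
    for peer, rec in summarize_bgp_debug(SAMPLE).items():
        print(peer, rec["cycles"], "cycles, errors", rec["sock_errors"],
              "established" if rec["established"] else "never established")
        print("  hint:", rec["hint"])
```

A peer that cycles Idle/Connect/Active with errno 101 on every attempt is not being refused by the far end at all; the FortiGate never gets a packet out, which is a routing or interface/VDOM problem on the local side, consistent with the allowed-VLANs fix described in the post. Compare the address the daemon prints with the neighbor you configured before reading anything else into the output.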
Copyright 2024 Fortinet, Inc. All Rights Reserved.