Magster
New Contributor II

BGP Peering - My Fortigate - ISP

Hello!

I hope someone can help point me in the right direction here;

I am trying to get BGP peering between my Fortigate and my ISP's routers working. I have gotten the AS number, password, IP addresses, VLANs etc. to use from my ISP and they have configured their end.

I am all new to this, so please bear with me and I hope this makes sense:

Fortiswitches are in Active - Active with one BGP peer connected each.

BGP-PE1 (VLAN: 110 - IP: 100.10.10.9/30) - Connected on FSW-A (Port 25) (Allowed VLANs All)
BGP-PE2 (VLAN: 120 - IP: 100.10.10.19/30) - Connected on FSW-B (Port 25) (Allowed VLANs All)

Port 35 on FSW A and Port 36 on FSW B are bundled in an 802.3ad Aggregate interface (let's call this interface FortiLink)

Under this interface I have created two VLANs:

BGP-PE1 (Tag: 110) (100.10.10.10/30)
BGP-PE2 (Tag: 120) (100.10.10.20/30)

These VLANs are dedicated to "VDOM-A"

In VDOM-A I have the following BGP config:

I have a Local AS number (for example 50501)
Under Neighbors I have set the correct ip and Remote AS:
IP: 100.10.10.9 - Remote AS: 5001 (Update Source: BGP-PE1)
IP: 100.10.10.19 - Remote AS: 5001 (Update Source: BGP-PE2)

I have not gotten a Router ID to use, so I have left that field blank.

The password is also correct according to my ISP.

Under Routing monitor I see the state fluctuating between Active and Connecting all the time, but never Established.

What is the problem here? If you need more info about the config please say so :) (The IPs and AS numbers are just examples)

Thanks in advance!

AEK
SuperUser

Hi Magster

Try using the FGT IP as router-id.

AEK
Magster
New Contributor II

Thank you for the reply, you mean the IP of the FGT in the VLAN between the FGT and BGP peer? In this example: 100.10.10.9. I tried that, and looks like there is no difference. 

AEK
SuperUser

This should help finding the root cause.

diagnose ip router bgp all enable
diagnose debug enable
AEK
Magster
New Contributor II

Thanks again for the suggestion, when I type

diagnose ip router bgp all enable

it says logging enabled for 30 minutes, and then run

diagnose debug enable

It accepts the command but nothing happens. Looks like there is no BGP traffic going at all.

AEK

Sorry I forgot this one, please add it as well.

diagnose ip router bgp level info

AEK
Toshi_Esumi
SuperUser

I think you got a wrong IP from your ISP. 10.10.10.8/30's usable IPs are .9 and .10. But 10.10.10.16/30's are .17 and .18, then 10.10.10.20/30's are .21 and .22.
10.10.10.20/30 is the subnet address and not usable for either host.
Check with your ISP.

Toshi
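
The /30 check from the reply above, as an added example that is not part of the original thread: it validates each interface/neighbor pair using the example addresses from the question. The function names and the `LINKS` table are assumptions made for this illustration.

```python
import ipaddress

def usable_hosts(cidr):
    """Usable host addresses of the subnet that contains `cidr`."""
    net = ipaddress.ip_interface(cidr).network
    return [str(h) for h in net.hosts()]

def check_p2p_link(local_cidr, peer_ip):
    """Return a list of addressing problems; an empty list means the pair is valid."""
    iface = ipaddress.ip_interface(local_cidr)
    peer = ipaddress.ip_address(peer_ip)
    net = iface.network
    # /31 links (RFC 3021) have no reserved network/broadcast address
    has_reserved = net.prefixlen < 31
    problems = []
    for label, addr in (("local", iface.ip), ("peer", peer)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif has_reserved and addr == net.network_address:
            problems.append(f"{label} {addr} is the network address of {net}")
        elif has_reserved and addr == net.broadcast_address:
            problems.append(f"{label} {addr} is the broadcast address of {net}")
    if peer == iface.ip:
        problems.append(f"peer {peer} is the same as the local address")
    return problems

# Constructed input: the example values posted in the question
# (VLAN interface address on the FortiGate, neighbor address of the ISP router).
LINKS = {
    "BGP-PE1": ("100.10.10.10/30", "100.10.10.9"),
    "BGP-PE2": ("100.10.10.20/30", "100.10.10.19"),
}

if __name__ == "__main__":
    for name, (local, peer) in LINKS.items():
        issues = check_p2p_link(local, peer)
        print(f"{name}: usable hosts {usable_hosts(local)}")
        print("  OK" if not issues else "  " + "; ".join(issues))
```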

dbhavsar
Staff

Hi @Magster ,

One more thing: can you confirm that the interface the ISP port is plugged into is in VDOM-A?

DNB
Magster
New Contributor II

Thank you for the replies! 

@Toshi_Esumi Oh yeah, I saw that now, I messed it up in the examples given here. But the IP/subnets are correct IRL.

@dbhavsar Not sure I understand. The ISP's BGP ports (Port 25 on FSW A and B) are in the root VDOM with the Fortiswitches. I have set allowed VLANs all on those ports.

Then I have created an 802.3ad aggregate interface on ports 35 (FSW A) and ports 36 (FSW B), and then created the BGP-PE1 (110) and BGP-PE2 (120) VLANs under this aggregate interface and placed those VLANs in VDOM-A.

Magster
New Contributor II

Hello, I thought I should give an update as I have made some progress.

My problem was setting allowed VLANs all on the Fortiswitch ports connected to my ISP's BGP peers. I got some help from a Fortinet engineer, and I needed to set the specific VLANs from, for example, VDOM-A on the allowed VLANs (can only be done by CLI).

I am now able to ping my ISP's IP on the other end from my VLAN interfaces (BGP-PE1 and 2).

When I run the commands suggested by @AEK now I get the following output:

BGP: [RIB] Scanning BGP Network Routes...
BGP: [RIB] Scanning BGP RIB...
BGP: 100.10.10.10-Outgoing [FSM] State: Idle Event: 3
BGP: 100.10.10.10-Outgoing [NETWORK] FD=27, Sock Status: 101-Network is unreachable
BGP: 100.10.10.10-Outgoing [FSM] State: Connect Event: 18
BGP: 100.10.10.10-Outgoing [FSM] State: Active Event: 18
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f50321f7500 for sock=27
BGP: bgp_ih_on_read:434 request type=5 len=24 vfid=22 start=0 count=0 flags=0x1
BGP: bgp_ih_on_read:485 response type=5 len=24 vfid=22 start=0 count=0 flags=0x1 total=0 ret=32
BGP: bgp_ih_on_close:8 delete ipc_handler=0x7f50321f7500 for sock=27
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f50321f7500 for sock=27
BGP: bgp_ih_on_read:434 request type=4 len=24 vfid=22 start=0 count=4294967295 flags=0x1
BGP: bgp_ih_on_read:485 response type=4 len=300 vfid=22 start=0 count=3 flags=0x1 total=3 ret=308
BGP: bgp_ih_on_close:8 delete ipc_handler=0x7f50321f7500 for sock=27
BGP: 100.10.10.10-Outgoing [FSM] State: Idle Event: 3
BGP: 100.10.10.10-Outgoing [NETWORK] FD=27, Sock Status: 101-Network is unreachable
BGP: 100.10.10.10-Outgoing [FSM] State: Connect Event: 18
BGP: 100.10.10.10-Outgoing [FSM] State: Active Event: 18
BGP: 100.10.10.10-Outgoing [FSM] State: Idle Event: 3
BGP: 100.10.10.10-Outgoing [NETWORK] FD=27, Sock Status: 101-Network is unreachable
BGP: 100.10.10.10-Outgoing [FSM] State: Connect Event: 18
BGP: 100.10.10.10-Outgoing [FSM] State: Active Event: 18
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f50321f7500 for sock=27
BGP: bgp_ipc_server_accept:508 create ipc_handler=0x7f50321f7540 for sock=28
BGP: bgp_ih_on_read:434 request type=4 len=24 vfid=22 start=0 count=4294967295 flags=0x1
BGP: bgp_ih_on_read:485 response type=4 len=300 vfid=22 start=0 count=3 flags=0x1 total=3 ret=308
BGP: bgp_ih_on_close:8 delete ipc_handler=0x7f50321f7500 for sock=27
BGP: bgp_ih_on_read:434 request type=5 len=24 vfid=22 start=0 count=0 flags=0x1
BGP: bgp_ih_on_read:485 response type=5 len=24 vfid=22 start=0 count=0 flags=0x1 total=0 ret=32
BGP: bgp_ih_on_close:8 delete ipc_handler=0x7f50321f7540 for sock=28

I immediately notice the Sock Status: 101-Network is unreachable message, but I am not so sure what it means or what the reason could be.

