Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: BGP - not adding BGP route into routing-table
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BGP - not adding BGP route into routing-table
Hi all,
I hope you can assist, I have an issue where the iBGP route that is advertised from the ISP is not being added into the Forti routing-table.
The neighbor relationship is working and I can see the routes - please see below output from my config - I must be missing something - our help is appreciated !!
Config:
config router prefix-list edit "DFLT-BGP-IN" config rule edit 1 set prefix 0.0.0.0 0.0.0.0 unset ge unset le next edit 10 set action deny set prefix any unset ge unset le next end next edit "RAIN-OUT" config rule edit 10 set prefix 1.2.3.4 255.255.255.240 unset ge unset le next edit 20 set action deny set prefix any unset ge unset le next
[ul]config router route-map[/ul] edit "only_default_route" config rule edit 10 set match-ip-address "DFLT-BGP-IN" next end next edit "BGP-RTMP-1-IN-ISP1" config rule edit 10 set match-ip-address "DFLT-BGP-IN" set set-local-preference 200 next end next edit "BGP-RTMP-2-IN-ISP2" config rule edit 10 set match-ip-address "DFLT-BGP-IN" set set-local-preference 150 next end next edit "BGP-RTMP-1-OUT-ISP-1" config rule edit 10 set match-ip-address "RAIN-OUT" set set-metric 100 next end next edit "BGP-RTMP-2-OUT-ISP-2" config rule edit 10 set match-ip-address "RAIN-OUT" set set-metric 150
[ul]config router static[/ul] edit 19 set dst 1.2.3.4 255.255.255.240 (fake public addresses we use) set blackhole enable next edit 17 set dst 2.2.2.2 255.255.255.255 (loopback) set blackhole enable next end
[ul]config router bgp[/ul] set as 37101 set router-id 2.2.2.2 config neighbor edit "10.1.24.1" set description "ISP-1" set remote-as 37105 set route-map-in "BGP-RTMP-1-IN-ISP1" set route-map-out "BGP-RTMP-1-OUT-ISP-1" set send-community6 disable next end config network edit 10 set prefix 1.2.3.4 255.255.255.240
Here is the output from the tshoot:
BGP router identifier 2.2.2.2, local AS number 37105 BGP table version is 7 2 BGP AS-PATH entries 0 BGP community entries Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.1.24.1 4 37105 1171 1143 7 0 0 15:57:11 1
# get router info bgp network BGP table version is 7, local router ID is 2.2.2.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *>i0.0.0.0/0 10.1.24.1 0 200 0 37662 i *> 1.2.3.4/28 0.0.0.0 100 32768 i Total number of prefixes 2
# get router info bgp neighbors 10.1.24.1 received-routes % Inbound soft reconfiguration not enabled
# get router info routing-table bgp
So the route that the neighbor advertises, is seen by BGP, but not added to the BGP routing table ?
please help
thanks
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi. Could you check the #get router info routing-table database output? Does it have default route received from BGP neighbor?
If yes, it seems that you don't have any issue. As you can see from your debug soft-reconfiguration feature is not enabled for your neighbor. it means that prefixes rejected by the inbound policy are not kept in memory and therefore "get router info bgp neighbors 10.1.24.1 received-routes" is unable to show these rejected prefixes. You accept only default and reject all, so it seems to be a root cause.
NSE 8 #003249, FCT, CCSE, CompTIA CTT+
NSE 8 #003249, FCT, CCSE, CompTIA CTT+
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agreed, your prefix is not going to be useful due to your route-policy via the route-map. if you want to fix this add the prefix to the prefix list
e.g
config router prefix-list edit "DFLT-BGP-IN" config rule edit 1 set prefix 0.0.0.0 0.0.0.0 unset ge unset le next
edit 2 set prefix x.x.x.x/24 set action accept next edit 10 set action deny set prefix any unset ge unset le next end next
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply.
here is the important bits:
get router info routing-table database Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area > - selected route, * - FIB route, p - stale info B 0.0.0.0/0 [200/0] via 10.1.24.1, 18:58:18 S *> 0.0.0.0/0 [10/0] via 41.73.34.17, wan1 S 2.2.2.2/32 [10/0] is a summary, Null inactive C *> 2.2.2.2/32 is directly connected, BGP-LOOPBACK-0
So am I correct in saying that it is actually there - but due to a static default route, forti is not adding it to the routing table to rout with ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it was that. So stupid... I changed the admin distance - and there it is.
thanks for the replies guys - really appreciate it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Chowzen,
Can you please show the command that was used to modify the BGP AD?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a default static route that could be overriding the BGP default route?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Help with Forti vm home lab... 151 Views
- FG 81E - SD-wan rule with... 222 Views
- Routing with two wan int 303 Views
- Best practice for HA RAVPN 639 Views
- SSL Certificate Issue on Andriod Application 681 Views
Labels
-
FortiGate
8,403 -
FortiClient
1,699 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
401 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
5.0
196 -
FortiWeb
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
28 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.