Hi all,
I hope you can assist, I have an issue where the iBGP route that is advertised from the ISP is not being added into the Forti routing-table.
The neighbor relationship is working and I can see the routes - please see below output from my config - I must be missing something - our help is appreciated !!
Config:
config router prefix-list
    edit "DFLT-BGP-IN"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
            edit 10
                set action deny
                set prefix any
                unset ge
                unset le
            next
        end
    next
    edit "RAIN-OUT"
        config rule
            edit 10
                set prefix 1.2.3.4 255.255.255.240
                unset ge
                unset le
            next
            edit 20
                set action deny
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

config router route-map
    edit "only_default_route"
        config rule
            edit 10
                set match-ip-address "DFLT-BGP-IN"
            next
        end
    next
    edit "BGP-RTMP-1-IN-ISP1"
        config rule
            edit 10
                set match-ip-address "DFLT-BGP-IN"
                set set-local-preference 200
            next
        end
    next
    edit "BGP-RTMP-2-IN-ISP2"
        config rule
            edit 10
                set match-ip-address "DFLT-BGP-IN"
                set set-local-preference 150
            next
        end
    next
    edit "BGP-RTMP-1-OUT-ISP-1"
        config rule
            edit 10
                set match-ip-address "RAIN-OUT"
                set set-metric 100
            next
        end
    next
    edit "BGP-RTMP-2-OUT-ISP-2"
        config rule
            edit 10
                set match-ip-address "RAIN-OUT"
                set set-metric 150
            next
        end
    next
end

config router static
    edit 19
        # fake public addresses we use
        set dst 1.2.3.4 255.255.255.240
        set blackhole enable
    next
    edit 17
        # loopback
        set dst 2.2.2.2 255.255.255.255
        set blackhole enable
    next
end

config router bgp
    set as 37101
    set router-id 2.2.2.2
    config neighbor
        edit "10.1.24.1"
            set description "ISP-1"
            set remote-as 37105
            set route-map-in "BGP-RTMP-1-IN-ISP1"
            set route-map-out "BGP-RTMP-1-OUT-ISP-1"
            set send-community6 disable
        next
    end
    config network
        edit 10
            set prefix 1.2.3.4 255.255.255.240
        next
    end
end
Here is the output from the tshoot:
# get router info bgp summary
BGP router identifier 2.2.2.2, local AS number 37105
BGP table version is 7
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.24.1       4 37105    1171    1143        7    0    0 15:57:11        1

# get router info bgp network
BGP table version is 7, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i0.0.0.0/0        10.1.24.1                0    200      0 37662 i
*> 1.2.3.4/28       0.0.0.0                100         32768 i

Total number of prefixes 2
# get router info bgp neighbors 10.1.24.1 received-routes % Inbound soft reconfiguration not enabled
# get router info routing-table bgp
So the route that the neighbor advertises is seen by BGP, but not added to the BGP routing table?
Please help.
Thanks
Hi. Could you check the "get router info routing-table database" output? Does it have the default route received from the BGP neighbor?
If yes, it seems that you don't have any issue. As you can see from your debug, the soft-reconfiguration feature is not enabled for your neighbor. It means that prefixes rejected by the inbound policy are not kept in memory and therefore "get router info bgp neighbors 10.1.24.1 received-routes" is unable to show these rejected prefixes. You accept only default and reject all, so it seems to be the root cause.
NSE 8 #003249, FCT, CCSE, CompTIA CTT+
Agreed, your prefix is not going to be useful due to your route policy via the route-map. If you want to fix this, add the prefix to the prefix list,
e.g.
config router prefix-list
    edit "DFLT-BGP-IN"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
            edit 2
                set prefix x.x.x.x/24
                set action permit
            next
            edit 10
                set action deny
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
PCNSE
NSE
StrongSwan
Thanks for the reply.
Here are the important bits:
# get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

B       0.0.0.0/0 [200/0] via 10.1.24.1, 18:58:18
S    *> 0.0.0.0/0 [10/0] via 41.73.34.17, wan1
S       2.2.2.2/32 [10/0] is a summary, Null inactive
C    *> 2.2.2.2/32 is directly connected, BGP-LOOPBACK-0

So am I correct in saying that it is actually there, but due to a static default route, Forti is not adding it to the routing table to route with?
Yes, it was that. So stupid... I changed the admin distance, and there it is.
Thanks for the replies guys, really appreciate it.
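As an added illustration (example code, not from the thread or from Fortinet), a small Python model of why the iBGP default sat in the routing-table database without the *> marker: only the candidate with the lowest administrative distance per prefix is installed, and the distances visible in the output above are 200 for the iBGP default and 10 for the static default. The Route class, select_active and with_bgp_distance are this example's own assumptions; the database entries are constructed from the posted output.

```python
# Added example, not from the thread: a minimal model of FortiGate route
# selection from the routing-table database. Every candidate stays in the
# database, but only the lowest administrative distance (then lowest
# metric) per prefix is installed, which is why the iBGP default [200/0]
# appears without "*>" next to the static default [10/0] above.
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str    # e.g. "0.0.0.0/0"
    source: str    # route code as in the output: "S" static, "B" BGP, "C" connected
    distance: int  # administrative distance
    metric: int
    via: str

def select_active(database):
    """Return {prefix: Route} with the winning candidate for each prefix."""
    best = {}
    for r in database:
        cur = best.get(r.prefix)
        if cur is None or (r.distance, r.metric) < (cur.distance, cur.metric):
            best[r.prefix] = r
    return best

def render(database):
    """Mark entries the way 'get router info routing-table database' does:
    '*>' on the selected/FIB route, blank on inactive candidates."""
    active = select_active(database)
    return [f"{r.source} {'*>' if active[r.prefix] is r else '  '} "
            f"{r.prefix} [{r.distance}/{r.metric}] via {r.via}"
            for r in database]

def with_bgp_distance(database, new_distance):
    """Model the poster's fix: re-run selection after the BGP internal
    distance is changed (assumed here to be set below the static's 10)."""
    changed = [Route(r.prefix, r.source, new_distance, r.metric, r.via)
               if r.source == "B" else r for r in database]
    return select_active(changed)

# Constructed from the posted database: iBGP default (AD 200) and a
# static default (AD 10) pointing at the WAN next hop.
DATABASE = [
    Route("0.0.0.0/0", "B", 200, 0, "10.1.24.1"),
    Route("0.0.0.0/0", "S", 10, 0, "41.73.34.17, wan1"),
]

if __name__ == "__main__":
    print("\n".join(render(DATABASE)))
    print("after AD change:", with_bgp_distance(DATABASE, 5)["0.0.0.0/0"].source)
```

Raising the static route's distance above 200 instead of lowering the BGP distance gives the same selection result in this model.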
Hi Chowzen,
Can you please show the command that was used to modify the BGP AD?
Do you have a default static route that could be overriding the BGP default route?
Copyright 2024 Fortinet, Inc. All Rights Reserved.