Support Forum
FortDoog
New Contributor III

BGP with AWS transit gateway

This is a follow up from: https://community.fortinet.com/t5/Support-Forum/AWS-IPSEC-on-BGP-routing-how-to-control-traffic-pref...

 

And now my issue is that I have connected the BGP with the VPCs but the routes in between are not being accepted by AWS TGW.

 

This is my situation, from Brazil and Virginia, I need to pass on their routes to Desarrollo. I have the prefix list, the route maps, all the jazz.

BGP diagram_corregido.jpg

 

But for the life of me, I cannot find WHY Desarrollo does NOT show those routes.

  • I can see the routes that are set in the "Networks" section being propagated, and I see them also on the TGW route table.
  • I can see the routes from BOTH Brazil and Virginia being propagated, but they are NOT on the TGW.

I thought it was the prefix list, set it to Permit ANY, still nothing.

The team I work for had the idea of re-enabling the static routes on the firewall and using Redistribute: Static. And ONLY then did the routes appear on Desarrollo.

 

Yes, I already raised a ticket with support. I know, maybe it is just some dumb thing I don't see; I'm no expert, I still call myself a newbie on this.

 

After sleepless nights found this while troubleshooting: https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-with-AWS-transit-gateway/ta-p/287684

 

Now, my question: the tech tip above does not mention that all devices in the BGP group should have the same AS number, so, with the graphic above, does that mean that my firewall AS has to match the AWS TGW AS? Is that all the issue???

 

clue.jpg

 

option.jpg

I say it because I was introduced to the concept of iBGP and eBGP. Apparently I'm doing eBGP, but from what I have read, I'm supposed to do iBGP?

 

I'm lost and confused, please help.

 

@Jean-Philippe_P 

@Anthony_E 

@mle2802 

"Well, hello there"
slovepreet
Staff

Hi FortDoog, 

--> I can see the routes from BOTH Brazil and Virginia being propagated, but they are NOT on the TGW.

If the routes are being advertised but not received, the following commands are where you can start digging into what's going on:

get router info bgp neighbors 10.10.3.1 routes --> replace the IP with your neighbor IP
get router info bgp neighbors 10.10.3.1 received-routes

 

If you see a route in one output and not in the other, that means it's being filtered by the inbound policy.

 

The article below will shed some more light, if that is what you are experiencing: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Difference-between-BGP-received-routes-and...

 

This is my best guess and a starting point, but a configuration file and more information would certainly help to understand this better.

 

I hope this helps 

 

 

Lovepreet
FortDoog
New Contributor III

Hi @slovepreet 

 

I did that. I assumed that I had filtered wrong, but then I tested using an empty prefix list set to permit any, and still only the routes in "Networks" were seen, plus a bunch of other stuff. But specifically, not the routes learned from the other BGP peers. That's why I'm more inclined towards the tech tip.

 

Forgot to mention: from Brazil and Virginia I propagated only mgmt routes, and so far that works perfectly. But the thing is that Desarrollo needs to know the routes from Brazil and Virginia, and that is the problem. I see the advertised routes, and supposedly they are being sent, but on the TGW they are not appearing.

 

What does appear are the static routes the team set up manually and the ones in Networks.

Toshi_Esumi

If changing the AS at each VPC is not an option, try the "as-override" option on your FGT, as in the link below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-allowas-in-enable-or-as-override-when-...

Toshi

FortDoog
New Contributor III

But @Toshi_Esumi, does the solution you gave apply to FortiGate-to-FortiGate situations only?

 

Because this situation is FortiGate to AWS VPN (no FortiGate VM, pure AWS).

 

It works now.

 

The whole issue can be seen in the diagram: all the neighbours have the same AS, and that would cause a routing loop on AWS; that's why it drops the route. It doesn't show on the CLI; it's on the AWS TGW side.

You will notice something is wrong when you see the AS number of the neighbour being advertised; in my case it has to be the firewall's AS so that the AWS TGW can accept the route.

 

You know, it would be nice to link those articles and put some disclaimers or notes for non-English-speaking people. Not change the language, just give more descriptive information.

Toshi_Esumi

This is not specific to FGTs, because this is a common BGP/AS design issue. Even if you replace your FGT with a Cisco router, Juniper SRX, or Nokia router, you still need to use the "as-override" option. I think it's in an RFC, which I haven't confirmed though.
At least with Cisco, you can probably find the same solution in your language.

Toshi
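The mechanism the thread converged on, written out as an added example (this is not code from the thread, from Fortinet, or from AWS). It models the standard eBGP AS_PATH loop check that an eBGP speaker such as the TGW applies on import (RFC 4271, section 9.1.2: a route whose AS_PATH already contains the receiver's own AS is discarded, and nothing is reported to the peer), and the as-override behaviour on the FortiGate side, which rewrites the neighbour's AS in the path to the local AS before the normal prepend. The AS numbers (FGT 65000, every TGW 64512), prefixes and peer names are hypothetical and chosen only to reproduce the symptom: a route learned from the Brazil TGW and re-advertised to Desarrollo is dropped, while a route the FGT originates itself (its "Networks" entry or a redistributed static) is accepted.

```python
"""Added example: BGP AS_PATH loop detection and the as-override fix.

Hypothetical topology (AS numbers are assumptions, not the poster's real ones):
    Brazil TGW (AS 64512) --eBGP--> FortiGate (AS 65000) --eBGP--> Desarrollo TGW (AS 64512)
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FGT_AS = 65000   # hypothetical FortiGate AS
TGW_AS = 64512   # hypothetical AS shared by every TGW (the root cause in the thread)


@dataclass
class Route:
    prefix: str
    as_path: List[int] = field(default_factory=list)


def ebgp_receive(local_as: int, route: Route) -> Tuple[bool, str]:
    """Import-side loop check (RFC 4271 sec. 9.1.2).

    If the receiver's own AS appears anywhere in AS_PATH the route is treated as
    a loop and dropped. This is a silent drop: the sender still lists the route
    as advertised, which matches the 'advertised but never on the TGW' symptom.
    """
    if local_as in route.as_path:
        return False, f"{route.prefix}: own AS {local_as} in AS_PATH {route.as_path}, dropped as a loop"
    return True, f"{route.prefix}: accepted with AS_PATH {route.as_path}"


def ebgp_advertise(local_as: int, neighbor_as: int, route: Route, as_override: bool = False) -> Route:
    """Export-side behaviour of an eBGP speaker towards one neighbour.

    Normally the speaker only prepends its own AS. With as-override (FortiOS:
    'set as-override enable' under the neighbour) every occurrence of the
    neighbour's AS in the existing path is first replaced by the local AS, so
    the neighbour never sees itself in the path.
    """
    path = list(route.as_path)
    if as_override:
        path = [local_as if asn == neighbor_as else asn for asn in path]
    return Route(route.prefix, [local_as] + path)


def simulate(as_override: bool) -> Dict[str, Tuple[bool, List[int], str]]:
    """Brazil TGW -> FGT -> Desarrollo TGW. Returns, per prefix, whether
    Desarrollo accepted it, the AS_PATH it was sent with, and the reason."""
    # Constructed inputs: one route learned from the Brazil TGW, one route the
    # FGT originates itself (a 'Networks' entry / redistributed static).
    learned_from_brazil = Route("10.10.0.0/16", [TGW_AS])
    fgt_originated = Route("192.168.100.0/24", [])

    # The FGT imports Brazil's route without trouble: 65000 is not in [64512].
    accepted, _ = ebgp_receive(FGT_AS, learned_from_brazil)
    assert accepted

    results = {}
    for route in (learned_from_brazil, fgt_originated):
        sent = ebgp_advertise(FGT_AS, TGW_AS, route, as_override=as_override)
        ok, reason = ebgp_receive(TGW_AS, sent)
        results[route.prefix] = (ok, sent.as_path, reason)
    return results


if __name__ == "__main__":
    for label, flag in (("without as-override", False), ("with as-override", True)):
        print(f"--- {label} ---")
        for _, (_, _, reason) in simulate(flag).items():
            print(reason)
```

Without as-override the learned prefix reaches Desarrollo with AS_PATH [65000, 64512]; the TGW finds its own 64512 and drops it, while the FGT-originated prefix arrives as [65000] and is accepted, exactly the split the poster observed. With as-override the learned prefix goes out as [65000, 65000] and is accepted too. The alternative knob from the linked tech tip, allowas-in, relaxes the same check but on the receiving side, so it would have to be configured on the TGW; since the poster controls only the FortiGate, as-override on the FGT neighbour facing each TGW is the applicable fix, at the cost of hiding the true origin AS from the TGW.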
