Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
khaled88
New Contributor

Created on ‎08-07-2024 03:34 AM

Configuration eBGP // HA cluster //

Hello,

I have a BGP flapping issue between two Fortigate ISPs in standalone mode and my Fortigate firewall in HA mode. I need your help, and could you please provide the recommended configuration?

Thank you.

 

KBA
KBA
Labels:
1004
0 Kudos
14 REPLIES 14
dbhavsar
Staff
Staff

Created on ‎08-07-2024 05:06 AM

Hello @khaled88 ,

 

- you can check this optimizing the BGP when there is HA failover to  avoid traffic interruption:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-HA-and-BGP-graceful-... 

DNB
767
Mrinmoy
Staff
Staff

Created on ‎08-07-2024 05:06 PM

In case of HA, please have a look this article for routing table update

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Controlling-how-HA-synchronizes-routing-ta...

Mrinmoy Purkayastha
744
hhasny
Staff
Staff

Created on ‎08-13-2024 05:57 PM

Hi @khaled88 ,

Are you sharing IPv6 routes? If not, try disabling the ipv6 family.

 

config neighbor
edit "1.1.1.1"
set activate6 disable
next
end

 

regards

638
khaled88
New Contributor

Created on ‎08-26-2024 06:51 AM

Hello, 

 

Thank you for your response. 

 

I will try to explain again the problem, I have tow fortigate en HA cluster (Active/Passive) in our side to onther Side we have tow Fortigate en standolone mode (ISP1 and ISP2) , the bgp session is up with ISP 1 and flapping with ISP2 FW. 
note that we have 2 nexus with vpc configuration in the middle. 

KBA
KBA
544
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎08-26-2024 08:22 AM

Still not clear the topology with many typos in your description. Do you have a diagram?
Do you have totally 4 FGTs, two in a-p HA and two more standalones? Which one of those is peering with ISP1 and ISP2? A simple diagram would clarify these.

Toshi

537
khaled88
New Contributor

Created on ‎08-27-2024 04:10 AM Edited on ‎08-27-2024 04:11 AM

Hello, 

thank you for your answer. 

Find attached the design.

BGP session between FW2 and FW_ISP1 keep flapping (standby )
BGP session between FW2 and FW_ISP2 is stable (primary )

Dessin 6.png

 

Best regards, 

 

KBA
KBA
499
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎08-27-2024 10:27 AM

Are those 3 parties (FW_ISP1, FW_ISP2, HA FGT) on the same VLAN through the switches within the same subnet (like a /29)? Then each has a different/unique AS (eBGP)? Or do the ISP1 and ISP2 FGTs have the same AS and they're not peering each other?

I'm assuming pinging each others don't show any sign of packet losses.
Please share us the BGP config ("config router bgp") at all parties.

 

Toshi

486
khaled88
New Contributor
In response to Toshi_Esumi

Created on ‎08-28-2024 04:00 AM

Hello, 

yes all firewalls are in the same Vlan, same Subnte /24, 

Yes with the ISP FWs we have eBGP configuration. 

ISP1 and ISP2 FGTs with the same Public AS.


config router bgp
set as Privte AS
set router-id 192.168.20.35
set holdtime-timer 240
config neighbor
edit "192.168.20.135"
set bfd enable
set soft-reconfiguration enable
set remote-as Public AS
set weight 1000
next
edit "192.168.20.136"
set bfd enable
set soft-reconfiguration enable
set remote-as Public AS
set weight 900

KBA
KBA
452
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to khaled88

Created on ‎08-28-2024 08:16 AM

What do you see when you keep entering "get router info bgp sum" a couple of times? Would the state change for the neighbor?
Then try disabling BFD to see if it would change the situation.
And, why did you have to change the hold-timer from the default 180 to 240 while using BFD to fasten the transition?

Toshi

442
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.