Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Welcome 2026 Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Dual hub BGP on loopback question
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dual hub BGP on loopback question
Howdy!
We're beginning a merger at my org and I need to re-IP my dual hub BGP on loopback schema. My first and biggest question would be, is it even possible to change the BGP and HC loopback as well as the IPsec tunnel IP's, add the new networks to BGP on one hub; say the secondary, update the spokes with the new config, and then once that is successful, repeat the process for the primary hub with little to no downtime?
I've been attempting to do this in a partial lab environment and I'm having issues with the spoke not loading the changed tunnel into the sdwan rule as a selected route even though from the hub, the new loop back and IPSec interface IPs are pingable to and from the spoke and hub. What I do find interesting is that if I keep the changes in place on the spoke but revert the actual tunnel interface IP back to the original address, it gets loaded into the sdwan rule even though the secondary hub head end tunnel is still the changed address which would be a completely different subnet. If anyone would like for me add some config, please let me know. I appreciate any assistance!
Labels:
- Labels:
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello AugustWest,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I appreciate it! I have the SDWAN rule/health check issue sorted out. The source addresses for the health check members were not changed to the new addresses when I ran the template. I've updated that in the template and deployed it to a couple spokes with the updated config for the secondary hub and everything is working. I'll be testing changing the primary hub tonight. If that goes well, I'll update this thread.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello again AugustWest,
I found this solution. Can you tell us if it helps?
To address your query about re-IPing your dual-hub BGP on the loopback schema with minimal downtime, follow these steps:
-
Plan the IP Changes:
- Determine the new IP addresses for the BGP loopback interfaces and IPsec tunnel interfaces.
- Ensure that the new IP addresses do not conflict with existing network addresses.
-
Update the Secondary Hub:
- Change the BGP loopback and IPsec tunnel IPs on the secondary hub.
- Add the new networks to the BGP configuration on the secondary hub.
- Ensure that the BGP configuration reflects the new IPs and routes.
-
Update the Spokes:
- Update the spokes with the new IPsec tunnel configurations pointing to the secondary hub.
- Ensure that the BGP configuration on the spokes is updated to reflect the new loopback IPs.
- Verify connectivity between the spokes and the secondary hub.
-
Test the Configuration:
- Ensure that the new configuration is working correctly by testing connectivity and route propagation.
- Check that the new tunnel interfaces are correctly added to the SD-WAN rules.
-
Update the Primary Hub:
- Once the secondary hub and spokes are confirmed to be working, repeat the process for the primary hub.
- Update the BGP loopback and IPsec tunnel IPs on the primary hub.
- Update the spokes to reflect the changes for the primary hub.
-
Final Testing:
- Verify that both hubs and all spokes are functioning correctly with the new IP configuration.
- Ensure that the SD-WAN rules are correctly applied and that traffic is routing as expected.
Regarding the issue with the SD-WAN rule not loading the changed tunnel, ensure that:
- The SD-WAN configuration is updated to include the new tunnel interfaces.
- The SD-WAN health checks are configured correctly for the new IPs.
- The routing table reflects the new IPs and routes.
If the issue persists, consider reviewing the SD-WAN configuration and ensuring that all relevant settings are updated to reflect the new IP addresses.
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Labels
-
FortiGate
11,153 -
FortiClient
2,297 -
FortiManager
937 -
FortiAnalyzer
708 -
5.2
687 -
5.4
638 -
FortiClient EMS
618 -
FortiSwitch
614 -
FortiAP
583 -
ipsec
487 -
6.0
416 -
SSL-VPN
413 -
FortiMail
388 -
5.6
362 -
FortiNAC
323 -
FortiWeb
272 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
219 -
FortiAuthenticator
199 -
FortiGate-VM
166 -
FortiGuard
166 -
Firewall policy
154 -
5.0
152 -
6.4
128 -
FortiCloud Products
122 -
FortiSIEM
120 -
FortiToken
118 -
FortiGateCloud
113 -
High Availability
99 -
Wireless Controller
98 -
Customer Service
91 -
SAML
85 -
Routing
85 -
ZTNA
85 -
FortiProxy
81 -
Authentication
80 -
FortiADC
76 -
VLAN
76 -
BGP
75 -
DNS
75 -
Certificate
75 -
Fortivoice
73 -
FortiEDR
73 -
LDAP
70 -
RADIUS
69 -
FortiLink
64 -
SSO
62 -
NAT
59 -
FortiSandbox
57 -
Interface
56 -
Application control
55 -
FortiExtender
53 -
VDOM
52 -
4.0MR3
49 -
Virtual IP
49 -
Logging
44 -
FortiDNS
43 -
FortiPAM
42 -
SSL SSH inspection
42 -
Web profile
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiConnect
36 -
Automation
36 -
FortiConverter
33 -
FortiWAN
32 -
API
32 -
Traffic shaping
29 -
FortiGate v5.2
28 -
FortiGate Cloud
28 -
Static route
28 -
SNMP
26 -
SSID
26 -
System settings
25 -
OSPF
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
WAN optimization
23 -
Web application firewall profile
23 -
FortiMonitor
21 -
IP address management - IPAM
21 -
Security profile
20 -
Web rating
20 -
FortiSOAR
19 -
FortiAP profile
18 -
Admin
17 -
Intrusion prevention
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
FortiManager v4.0
15 -
IPS signature
15 -
NAC policy
15 -
Users
15 -
Traffic shaping policy
15 -
Proxy policy
15 -
FortiManager v5.0
14 -
FortiCASB
14 -
DNS filter
13 -
FortiDeceptor
12 -
Fabric connector
12 -
Port policy
12 -
FortiWeb v5.0
11 -
FortiBridge
11 -
trunk
11 -
Traffic shaping profile
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiRecorder
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Application signature
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Packet capture
8 -
Vulnerability Management
8 -
4.0
7 -
4.0MR2
7 -
FortiNDR
7 -
VoIP profile
7 -
FortiScan
6 -
FortiTester
6 -
DoS policy
6 -
FortiCarrier
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Service
5 -
Cloud Management Security
5 -
3.6
4 -
FortiHypervisor
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Multicast routing
4 -
FortiDB
3 -
FortiAI
3 -
Kerberos
3 -
Video Filter
3 -
File filter
3 -
Multicast policy
3 -
Zone
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Schedule
2 -
ICAP profile
2 -
Virtual wire pair
2 -
Lacework
2 -
FortiGuest
2 -
FortiEdge
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
FortiPresence
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2910 | |
| 1451 | |
| 850 | |
| 825 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2026 Fortinet, Inc. All Rights Reserved.