Help with iBGP route-map and propagating the desired routes
Hopefully someone can help with this, as my knowledge of BGP, ADVPN and Hub\Spoke is not strong - but it is growing.
We plan on having 4 spoke devices and 1 hub device all with 2 wan interfaces (if we get things working we may introduce a second Fortigate in HA mode at the hub). Some locations will have a TLS link back to the hub but not all locations will.
Currently I have 2 spokes and 1 hub set up, all with 2 WAN and 1 TLS, in a lab environment. For the TLS, spoke 1 is on VLAN200, spoke 2 is on VLAN300 and the hub has a trunk with VLAN200 and 300 on port3. This configuration is how our ISP has told us they will be setting up the TLS. The WAN links are using VPN with ADVPN (dialup tunnel for the hub) - no VPN for the TLS\LAN links. iBGP is set up for routing with SD-WAN advertising our private network and the TLS VLANs. The TLS is the preferred route and the VPN is the backup.
If we only use the VPN everything works - if we plug in the TLS links - everything works. Once we lose a spoke TLS link however the routing breaks. All devices can still speak to the hub but the spokes can no longer communicate with each other.
The spoke with the failed connection is learning the other spoke from the hub but using an invalid next hop. The hub is only sharing the route with an incorrect next hop. Is there a way to have the iBGP hub send the route with the correct next hop - in the picture it should be 10.100.100.2 - which the hub knows about? If I make a route-map to tell it to change the next hop to 10.100.100.1 (the hub it learned the device from), traffic works fine - but this defeats the purpose of the ADVPN, which is to not have to travel through the hub.
I also assumed that it should still work as is, since the next hop of 10.20.20.2, while directly unreachable, has another route in the table - 10.20.20.0 via 10.100.100.1 - which is the same destination as when I override the next hop that works - but it doesn't work unless I override the gateway directly with the route-map.
- 100.100.100.0 - VPN tunnel1
- 100.100.200.0 - VPN tunnel2
- 10.20.20.0 - VLAN200
- 10.20.30.0 - VLAN300 (currently shut down in the lab, so not advertising)
- 10.2.160.0 - hub private LAN
- 10.10.2.0 - spoke 1 private LAN
- 10.1.160.0 - spoke 2 private LAN

Any help or suggestions would be greatly appreciated.
[Screenshot: Spoke with failed connection]
[Screenshot: Hub]
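To illustrate the recursion question raised above (a reflected route whose next hop is only reachable through another route), here is an added Python model of BGP next-hop resolution over a routing table; it is not FortiOS code and not from the original post. It assumes every prefix in the post is a /24 and that the ADVPN overlay is 10.100.100.0/24, so the quoted next hops 10.100.100.1 (hub) and 10.100.100.2 (spoke 2) fall inside it.

```python
import ipaddress

# Constructed RIB for the spoke whose TLS link failed, built from the
# prefixes quoted in the post. Values are (next_hop, egress_iface);
# a next_hop of None marks a connected route. Masks are assumed (/24).
SPOKE1_RIB = {
    "10.100.100.0/24": (None, "tunnel1"),       # assumed: connected ADVPN overlay
    "10.2.160.0/24":   ("10.100.100.1", None),  # hub private LAN, learned via iBGP
    "10.20.20.0/24":   ("10.100.100.1", None),  # VLAN200, now only reachable via the hub
    "10.1.160.0/24":   ("10.20.20.2", None),    # spoke 2 LAN, reflected with spoke 2's TLS address as next hop
}

def lookup(rib, addr):
    """Longest-prefix match. Returns (network, next_hop, iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, (nh, iface) in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best

def resolve(rib, dest, max_depth=8):
    """Recursively resolve dest to an egress interface.
    Returns (iface, hops_walked); iface is None when the next hop is
    unresolvable (no route or a recursion loop), i.e. an invalid next hop."""
    hops = []
    addr = dest
    for _ in range(max_depth):
        match = lookup(rib, addr)
        if match is None:
            return None, hops          # no covering route at all
        _net, nh, iface = match
        if nh is None:
            return iface, hops         # reached a connected route
        if nh in hops:
            return None, hops          # next hops point at each other
        hops.append(nh)
        addr = nh
    return None, hops

def with_next_hop(rib, prefix, new_nh):
    """Model a route-map that rewrites the next hop of one learned prefix."""
    new = dict(rib)
    new[prefix] = (new_nh, None)
    return new

def goes_via_hub(hops, hub="10.100.100.1"):
    """True when the resolved path transits the hub rather than a spoke shortcut."""
    return hub in hops
```

With the table as given, spoke 2's LAN does resolve (10.20.20.2 -> 10.20.20.0/24 -> hub -> tunnel1) but only via the hub, while rewriting the next hop to 10.100.100.2 resolves in one step to the overlay, which is the direct spoke-to-spoke path ADVPN is meant to use.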
Hi,
Can you share the BGP config for the hub and spokes?
Hi - thanks for the reply. Since this post, and after many days of research, I have found BGP on loopback and embedded SLA health checks. This setup was BGP per overlay, and it did not have any of the configuration required for that method.
I'll be redoing my configuration using the loopback method. I will let you know the results, but I believe it will work.
I'll make a new post, as this one was likely just a subpar configuration. I resolved 90% of my issue by using BGP on loopback with a new configuration, but I am having a different concern now.
