Hello,
I've built a Hub-and-Spoke lab as I need to deploy SD-WAN, which is my ultimate goal here. The configuration went smoothly with no issues I can remember. However, after the configuration is complete, and BGP is up, the spokes are not able to reach each other. I tried troubleshooting, and found that the Hub is not passing the traffic. Below is my topology on EVE/PNet.
I'm not sure where the issue is. But the firewalls don't pass the traffic through the tunnels!
I need to get SD-WAN fully running here.
All 3 firewalls are running the same version: FortiOS-VM64-KVM v7.2.4,build1396,23013 (GA.F).
For the IPSec Tunnels, I created the tunnels using the wizard using the Hub-and-Spoke Template
I'm really not sure what is missing here.
Hello @mauromarme ,
I've got it to work in Hub-and-Spoke deployment after I changed the image I was using.
Seems that the FOS Image doesn't pass traffic. I changed to the FGT with trial license, and it worked for me. Time to work on the SD-WAN and see the outcome. It might take some time to work on it.
Hello Islam,
Hoping you are doing well.
Could you please attach the FortiGate configuration files along with the BGP commands below?
get router info bgp summary -> This command will display your BGP neighbors IP. Use those IPs on the commands below.
get router info bgp neighbors x.x.x.x advertised-routes
get router info bgp neighbors x.x.x.x received-routes
Thanks!
Created on 07-21-2023 02:26 AM Edited on 07-21-2023 02:28 AM
Hello Islam,
Did you create a firewall policy for spoke-to-spoke communication?
E.g.:
config firewall policy
    edit 0
        set name "spoke2spoke"
        set srcintf "advpn-hub"
        set dstintf "advpn-hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
You can follow the below article for ADVPN with BGP as the routing protocol.
Regards
Niroj Pariyar
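As an added illustration (not code from this thread or from Fortinet), the check below parses a `config firewall policy` block out of a FortiOS configuration dump and reports which accept policies hairpin traffic on a tunnel interface, i.e. have the same interface as both srcintf and dstintf, which is what spoke-to-spoke traffic relayed through the hub needs. The sample configuration is constructed here; the interface name "advpn-hub" is taken from the reply above, and the "lan-to-wan" policy is an invented second entry so the filter has something to reject.

```python
import re
from typing import Dict, List

# Constructed sample: the spoke-to-spoke policy from the reply above, plus an
# unrelated LAN-to-WAN policy, wrapped in the table header a full dump carries.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "spoke2spoke"
        set srcintf "advpn-hub"
        set dstintf "advpn-hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

def parse_policies(config_text: str) -> List[Dict[str, List[str]]]:
    """Parse the `config firewall policy` table of a FortiOS config dump.

    Returns one dict per `edit` entry.  Every `set` key maps to a list of
    values, because interface and address fields may carry several quoted
    names on one line.  The policy ID from the `edit` line is stored as "id".
    """
    policies: List[Dict[str, List[str]]] = []
    current = None
    in_table = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_table = True
            continue
        if not in_table:
            continue
        if line == "end":
            break
        if line.startswith("edit "):
            current = {"id": [line.split(None, 1)[1]]}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            # values are either quoted strings or bare tokens
            pairs = re.findall(r'"([^"]*)"|(\S+)', rest)
            current[key] = [quoted or bare for quoted, bare in pairs]
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
    return policies

def spoke_to_spoke_policies(config_text: str, tunnel_iface: str) -> List[str]:
    """IDs of accept policies whose srcintf and dstintf both include tunnel_iface.

    A FortiOS policy with no `set action` line defaults to deny, so it is
    treated as deny here as well.
    """
    found = []
    for pol in parse_policies(config_text):
        if (tunnel_iface in pol.get("srcintf", [])
                and tunnel_iface in pol.get("dstintf", [])
                and pol.get("action", ["deny"]) == ["accept"]):
            found.append(pol["id"][0])
    return found

if __name__ == "__main__":
    print("hairpin policies on advpn-hub:", spoke_to_spoke_policies(SAMPLE_CONFIG, "advpn-hub"))
```

Run it against a `show firewall policy` capture instead of the sample: an empty list for the tunnel interface means the hairpin policy is missing and spoke-to-spoke traffic will be dropped at the hub regardless of what BGP is doing.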
Created on 07-21-2023 09:15 AM Edited on 07-21-2023 09:25 AM
Hello @npariyar ,
I do have the policy in place. It is created automatically via the VPN Wizard:
config firewall policy
    edit 2
        set name "vpn_Hub-Spoke_spoke2spoke_0"
        set uuid f20a5d8c-2676-51ee-12b6-2c70588442df
        set srcintf "Hub-Spoke"
        set dstintf "Hub-Spoke"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: Hub-Spoke (Created by VPN wizard)"
    next
end
Hello @mauromarme ,
I've checked and you can also see below the results:
Hub:
hub # get router info bgp summary
VRF 0 BGP router identifier 10.10.1.1, local AS number 65100
BGP table version is 7
1 BGP AS-PATH entries
0 BGP community entries
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.1.3       4 65100    1988    1992        6    0    0 1d04h47m        1
10.10.1.4       4 65100    1987    1987        7    0    0 1d04h47m        1
Total number of neighbors 2
hub # get router info bgp neighbors 10.10.1.3 advertised-routes
VRF 0 BGP table version is 7, local router ID is 10.10.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i10.10.10.0/24    10.10.1.1                 100  32768        0 i <-/->
*>i30.30.30.0/24    10.10.1.4                 100      0        0 i <-/->
Total number of prefixes 2
hub # get router info bgp neighbors 10.10.1.3 received-routes
VRF 0 BGP table version is 7, local router ID is 10.10.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i20.20.20.0/24    10.10.1.3                 100      0        0 i <-/->
Total number of prefixes 1
hub # get router info bgp neighbors 10.10.1.4 advertised-routes
VRF 0 BGP table version is 7, local router ID is 10.10.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i10.10.10.0/24    10.10.1.1                 100  32768        0 i <-/->
*>i20.20.20.0/24    10.10.1.3                 100      0        0 i <-/->
Total number of prefixes 2
hub # get router info bgp neighbors 10.10.1.4 received-routes
VRF 0 BGP table version is 7, local router ID is 10.10.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i30.30.30.0/24    10.10.1.4                 100      0        0 i <-/->
Total number of prefixes 1
Spoke1:
spoke1 # get router info bgp summary
VRF 0 BGP router identifier 10.10.1.3, local AS number 65100
BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.1.1       4 65100    1988    1992        2    0    0 1d04h47m        2
Total number of neighbors 1
spoke1 # get router info bgp neighbors 10.10.1.1 advertised-routes
VRF 0 BGP table version is 2, local router ID is 10.10.1.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i20.20.20.0/24    10.10.1.3                 100  32768        0 i <-/->
Total number of prefixes 1
spoke1 # get router info bgp neighbors 10.10.1.1 received-routes
% Inbound soft reconfiguration not enabled
% No prefix for neighbor 10.10.1.1
Spoke2:
spoke2 # get router info bgp summary
VRF 0 BGP router identifier 10.10.1.4, local AS number 65100
BGP table version is 3
1 BGP AS-PATH entries
0 BGP community entries
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.1.1       4 65100    1982    1991        2    0    0 1d04h47m        2
Total number of neighbors 1
spoke2 # get router info bgp neighbors 10.10.1.1 advertised-routes
VRF 0 BGP table version is 3, local router ID is 10.10.1.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i30.30.30.0/24    10.10.1.4                 100  32768        0 i <-/->
Total number of prefixes 1
spoke2 # get router info bgp neighbors 10.10.1.1 received-routes
% Inbound soft reconfiguration not enabled
% No prefix for neighbor 10.10.1.1
I see that the routes sent from the Hub are not reflected on the spokes. However, the Hub knows about the networks behind both spokes.
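A note on reading the output above, followed by an added example that is not part of the thread: the `received-routes` command on the spokes prints nothing because it requires inbound soft reconfiguration on that neighbor (the "% Inbound soft reconfiguration not enabled" line says exactly that), so it is not evidence that nothing arrived. The State/PfxRcd column of the summary is the count of prefixes received once the session is Established, and both spokes show 2, matching the "Total number of prefixes 2" the hub reports advertising to each of them. The script below parses those two command outputs and cross-checks them, and also lists the next hops the hub hands a spoke that belong to another spoke (10.10.1.4 for spoke1 above), since a reflected route is only usable if that address is reachable through the hub tunnel. The sample strings are copied from the hub and spoke1 outputs in the post; the "STUCK_SUMMARY" case with an Active session is constructed to show the failure path and is not from the thread.

```python
import re
from typing import Dict, List, Set

# Constructed sample inputs, copied from the hub and spoke1 outputs in the post.
HUB_SUMMARY = """\
VRF 0 BGP router identifier 10.10.1.1, local AS number 65100
BGP table version is 7

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.1.3       4 65100    1988    1992        6    0    0 1d04h47m        1
10.10.1.4       4 65100    1987    1987        7    0    0 1d04h47m        1

Total number of neighbors 2
"""

SPOKE1_SUMMARY = """\
VRF 0 BGP router identifier 10.10.1.3, local AS number 65100
BGP table version is 2

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.1.1       4 65100    1988    1992        2    0    0 1d04h47m        2

Total number of neighbors 1
"""

HUB_ADVERTISED_TO_SPOKE1 = """\
VRF 0 BGP table version is 7, local router ID is 10.10.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i10.10.10.0/24    10.10.1.1                 100  32768        0 i <-/->
*>i30.30.30.0/24    10.10.1.4                 100      0        0 i <-/->

Total number of prefixes 2
"""

# Constructed failure case (not from the post): a session that never came up.
STUCK_SUMMARY = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.1.1       4 65100       0       0        0    0    0 never    Active
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_bgp_summary(text: str) -> Dict[str, dict]:
    """Parse the neighbor rows of `get router info bgp summary`.

    A neighbor row has ten whitespace-separated fields.  The last one is a
    prefix count when the session is Established and a state name (Active,
    Connect, Idle, ...) otherwise.
    """
    neighbors: Dict[str, dict] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 10 or not IPV4.match(parts[0]):
            continue
        last = parts[9]
        up = last.isdigit()
        neighbors[parts[0]] = {
            "as": int(parts[2]),
            "established": up,
            "pfx_rcvd": int(last) if up else None,
            "state": "Established" if up else last,
        }
    return neighbors

def parse_route_table(text: str) -> List[dict]:
    """Parse advertised-routes / received-routes rows into prefix and next hop.

    Data rows begin with the three-character status column (e.g. "*>i").
    """
    routes = []
    for line in text.splitlines():
        m = re.match(r"^[\*sdh>i ]{3}(\S+)\s+(\S+)", line)
        if m and "/" in m.group(1):
            routes.append({"prefix": m.group(1), "next_hop": m.group(2)})
    return routes

def hub_to_spoke_findings(hub_adv: str, spoke_summary: str, hub_ip: str) -> List[str]:
    """Cross-check the hub's advertised-routes for a spoke against that spoke's
    summary.  An empty list means the two views agree."""
    hub = parse_bgp_summary(spoke_summary).get(hub_ip)
    if hub is None:
        return [f"spoke has no BGP neighbor {hub_ip}"]
    if not hub["established"]:
        return [f"session to hub {hub_ip} is {hub['state']}, not Established"]
    advertised = parse_route_table(hub_adv)
    if hub["pfx_rcvd"] != len(advertised):
        return [f"hub advertised {len(advertised)} prefixes but spoke shows PfxRcd={hub['pfx_rcvd']}"]
    return []

def third_party_next_hops(hub_adv: str, hub_ip: str) -> Set[str]:
    """Next hops in the hub's advertisements that are not the hub itself: these
    are other spokes' tunnel addresses, which the receiving spoke must be able
    to route to (through the hub tunnel) for the reflected prefix to be usable."""
    return {r["next_hop"] for r in parse_route_table(hub_adv) if r["next_hop"] != hub_ip}

if __name__ == "__main__":
    print("findings:", hub_to_spoke_findings(HUB_ADVERTISED_TO_SPOKE1, SPOKE1_SUMMARY, "10.10.1.1"))
    print("other-spoke next hops:", third_party_next_hops(HUB_ADVERTISED_TO_SPOKE1, "10.10.1.1"))
```

With the thread's data the cross-check returns no findings, which points the investigation away from route exchange and towards forwarding (policy, routing-table installation of the reflected prefix and its next hop, or the platform itself, which is what the accepted answer ended up being).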
Hello Islam,
Sorry, I missed your reply.
Were you able to make this work, or are you still having the issue?
Hi @balbasorus ,
I've already built the Hub and Spoke using the wizard but for some reason it is not working.
Hi @islam_nadim ,
That was a clear network design.
When you created a VPN on the HUB, there is an option to create a spoke.
Each spoke will have a unique code. You just need to apply this code to each spoke respectively.
Do not use the same code for all spokes.
Otherwise, you may need to verify the interface and BGP configuration and make manual changes.
Hi @Muhammad_Haiqal ,
I've already built the Hub and Spoke using the wizard but for some reason it is not working.