Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Possible Routing loop with BGP configuration,
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Possible Routing loop with BGP configuration,
Hi,
I have a pair of 1500D(A/P) connecting to our ISP using BGP and seem to be having some routing issues. We have bizarre reports of emails bouncing, web servers being unreachable for some external parties but not all...
The reason I think it might be some type of routing issue is mostly because if I do a traceroute (on a server I can reach), I actually hit the Firewall (BGP Router ID) twice and then a timeout before I actually reach the final destination. So as an example(using fake IP's) :
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.10.10.10 2 <1 ms <1 ms <1 ms 192.168.7.21 3 <1 ms <1 ms <1 ms 192.168.2.2 4 1 ms 1 ms 1 ms 65.28.100.45 5 3 ms 3 ms 3 ms 68.67.63.189 6 7 ms 7 ms 7 ms 68.67.63.251 7 15 ms 7 ms 7 ms 206.108.34.6 8 8 ms 7 ms 7 ms 108.170.250.243 9 21 ms 21 ms 21 ms 216.239.46.162 10 31 ms 31 ms 31 ms 100.100.231.22 -> Fortigate 11 32 ms 31 ms 31 ms 100.100.231.22 -> Fortigate 12 * * * Request timed out. 13 31 ms 31 ms 31 ms 8.8.8.8 -> Final destination
Trace complete.
I hadn't seen this before so I did a bit of research and it seems to be pointing at a routing loop, which would explain some of my issues. I am wondering if anyone using BGP or other routing protocol with a Fortigate, have encountered this type of problem and maybe get some insight on what could cause it. I will open a TAC case, but I wanted to see if anyone had some experience in the matter.
Thanks so much,
Ben
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would look at the bgp-table if possible. I would really guess your problem is really dealing with bgp convergence issues & where 1> where a link does down 2> the updates are not populate as fast as the failure 3>and between al bgp routers betweens point A and Z and ASN#s A thru Z.
So some routers in between let's say two points A & Z , have not the most correct bgp.path information due to the convergence lag. This is not a flaw in bgp, just how it works. It's fast but not 100% fast like OSPF or EIGRP.
just my 2cts ,
[ul]
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ken,
I ran the bgp paths command but other than showing the AS number of my provider, it doesn't show me much, at least that I understand :
Fortigate (root) # get router info bgp paths Address Refcnt Path [0x7fc0c5edc130:0] (24) [0x7fc0c5edbfc8:215] (1) 22652
Currently, although I am configured as an SD-WAN interface to have redundancy, I only have access to one link(provider is physical adding the second fiber in the next weeks). The configuration on the SD-WAN link is to simply weight all to the only available link, but could that cause an issue? I don't see why but I wanted to mention it in case.
I don't see any flapping on my end and last I checked with my provider, it wasn't flapping either, but I do want to get a new ticket open with them so we dig a bit deeper. I am not as familiar with BGP and this is a new configuration with a new provider so it is possible that there is an issue on that end.
As far as the BGP table, that's where I am a bit confused. Here is how the provider is configured.. basically on their end, they allow 0.0.0.0/0 and on my end, I create routes from our owned public subnets. I split it up in /24 routes so to give you an example.
my BGP configuration has networks similar to this:
100.100.224.0/24
100.100.225.0/24
....
100.100.245.0/24
and so on. Initially, I had configured the full /19 that we own, but for some reason, it didn't seem to work properly. Once I switched to /24, all of a sudden, the networks would appear when I used " get router info bgp network" and traffic would flow through. Then I have a static route for each of these /24 going to my internal LAN interface.
where I think my configuration is bizarre, or maybe I simply don't understand, is that if I run "get router info routing-table bgp", I get nothing. If I run "get router info routing-table all" I get of course all my routes "static and connected" but no BGP. The only time I see a BGP route, is when I run "get router info routing-table database".
Would this imply that not seeing BGP routes when running the other commands, that there is something that isn't configured properly, either on the Fortigate side or on the provider side?
Thanks again for all your help Ken,
Ben
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Little update,
finally was able to get in touch with our old provider which still hadn't cleaned properly our subnets from their routes.. meaning that some external clients that actually had them as a provider or even the shortest path would try to go through them and then the traffic would simply die off. It took over a week to get someone from that provider to do the changes. It was like playing whack-a-mole and never getting the right technical person to do the changes.
Thanks,
Ben
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,621 -
FortiClient
1,741 -
5.2
801 -
FortiManager
720 -
5.4
639 -
FortiAnalyzer
552 -
FortiSwitch
470 -
FortiAP
464 -
FortiClient EMS
421 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
SSL-VPN
236 -
FortiAuthenticator v5.5
234 -
Fortiweb
205 -
IPsec
203 -
5.0
196 -
FortiNAC
186 -
FortiGuard
139 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiAuthenticator
95 -
FortiToken
89 -
Customer Service
79 -
Firewall policy
78 -
Wireless Controller
77 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
56 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
37 -
SAML
36 -
FortiGate v5.4
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
VDOM
28 -
FortiWAN
27 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
Static route
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
FortiCASB
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiGate-VM
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1688 | |
| 1087 | |
| 752 | |
| 446 | |
| 227 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.