Hi,
I'm trying to redistribute OSPF over BGP. The neighbors are getting the routes, but the routes are using the wrong recursive next-hop IP on one of the sides...
When you look at the routing table on the right side, it is using the WAN IP instead of the tunnel IP:
DEFLE-FW01 $ get router info routing-table bgp
Routing table for VRF=0
B 10.1.2.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.3.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.4.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.5.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.6.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.90.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.91.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.91.100/32 [200/0] via 172.30.0.254 (recursive via ADVPN tunnel "WAN IP"), 02:32:12
B 10.1.100.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 172.21.1.0/30 [200/0] via 172.30.0.1 (recursive via ADVPN tunnel "WAN IP"), 02:32:12
B 172.21.1.4/30 [200/0] via 172.30.0.1 (recursive via ADVPN tunnel "WAN IP"), 02:32:12
B 192.168.4.0/24 [200/0] via 172.30.0.1 (recursive via ADVPN tunnel "WAN IP"), 02:27:33
But when you look at the left side, everything seems fine:
DKAAR-FW01 $ get router info routing-table bgp
Routing table for VRF=0
B 10.2.2.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.3.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.4.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.5.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.6.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.90.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.91.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.2), 01:48:55
B 10.2.91.100/32 [200/0] via 172.30.0.1 (recursive is directly connected, ADVPN), 03:21:57
B 10.2.100.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.254), 01:48:55
B 172.21.2.0/30 [200/0] via 172.30.0.1 (recursive is directly connected, ADVPN), 03:21:57
If you have an idea on how to fix this, please let me know.
Both FortiGates are running version 7.0.11.
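Comparing the two tables by eye is tedious, so here is a small checker, added to this thread as an example and not something from the original post or from FortiOS. It parses `get router info routing-table bgp` output (the constructed sample below is copied from the lines posted above), classifies how each BGP next hop was resolved relative to the tunnel overlay subnet (assumed here to be 172.30.0.0/24, which is what the outputs in this thread use), and lists routes whose next hop is not a tunnel address at all. Which of those classes is "wrong" is for the operator to decide; the checker only makes the difference between the two sides visible.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from both routing tables posted
# above, so the parser sees every recursive-resolution form that appears there.
SAMPLE_TABLE = """\
Routing table for VRF=0
B 10.1.2.0/24 [200/20] via 172.21.1.6 (recursive via ADVPN tunnel "WAN IP"), 01:06:38
B 10.1.91.100/32 [200/0] via 172.30.0.254 (recursive via ADVPN tunnel "WAN IP"), 02:32:12
B 172.21.1.0/30 [200/0] via 172.30.0.1 (recursive via ADVPN tunnel "WAN IP"), 02:32:12
B 10.2.91.100/32 [200/0] via 172.30.0.1 (recursive is directly connected, ADVPN), 03:21:57
B 10.2.100.0/24 [200/20] via 172.21.2.2 (recursive via ADVPN tunnel 172.30.0.254), 01:48:55
"""

# One BGP line: prefix, [AD/metric], next hop, and the parenthesised recursion note.
ROUTE_RE = re.compile(
    r'^B\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\S+)\s+'
    r'\((?P<recursive>[^)]*)\)'
)
VIA_TUNNEL_RE = re.compile(r'^recursive via (?P<iface>\S+) tunnel (?P<endpoint>.+)$')
DIRECT_RE = re.compile(r'^recursive is directly connected, (?P<iface>\S+)$')


def parse_bgp_routes(text):
    """Parse 'get router info routing-table bgp' output into a list of dicts.

    'iface' is the interface the next hop resolves over; 'endpoint' is the
    tunnel gateway shown after 'tunnel' (None when directly connected).
    Redacted endpoints such as "WAN IP" are kept as the literal text.
    """
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        rec = m.group('recursive')
        direct, tunnel = DIRECT_RE.match(rec), VIA_TUNNEL_RE.match(rec)
        if direct:
            iface, endpoint = direct.group('iface'), None
        elif tunnel:
            iface, endpoint = tunnel.group('iface'), tunnel.group('endpoint').strip('"')
        else:
            iface, endpoint = None, rec          # unknown form: keep the raw text
        routes.append({'prefix': m.group('prefix'), 'nexthop': m.group('nexthop'),
                       'iface': iface, 'endpoint': endpoint})
    return routes


def classify_resolution(route, overlay):
    """Say how the next hop was resolved, relative to the tunnel overlay subnet."""
    if route['endpoint'] is None:
        return 'directly-connected'
    try:
        ep = ipaddress.ip_address(route['endpoint'])
    except ValueError:
        return 'endpoint-not-an-ip'            # e.g. the redacted "WAN IP" text
    return 'endpoint-in-overlay' if ep in overlay else 'endpoint-outside-overlay'


def summarize(text, overlay='172.30.0.0/24'):
    """Count routes per (interface, resolution class); run it on both sides and
    compare the two dicts to see where the recursion differs."""
    net = ipaddress.ip_network(overlay)
    counts = defaultdict(int)
    for r in parse_bgp_routes(text):
        counts[(r['iface'], classify_resolution(r, net))] += 1
    return dict(counts)


def nexthops_outside_overlay(text, overlay='172.30.0.0/24'):
    """(prefix, nexthop) pairs whose BGP next hop is not a tunnel address, i.e.
    routes that still carry the originating router's LAN-side next hop instead
    of the route reflector's own tunnel address."""
    net = ipaddress.ip_network(overlay)
    return [(r['prefix'], r['nexthop']) for r in parse_bgp_routes(text)
            if ipaddress.ip_address(r['nexthop']) not in net]


if __name__ == '__main__':
    print(summarize(SAMPLE_TABLE))
    print(nexthops_outside_overlay(SAMPLE_TABLE))
```

Paste each firewall's full `get router info routing-table bgp` output into its own string and call `summarize()` on both; a side whose counts sit under `endpoint-not-an-ip` or `endpoint-outside-overlay` is the one resolving through something other than a tunnel address. The `nexthops_outside_overlay()` list is the set of routes that still need a second recursive lookup before they can reach the tunnel.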
Hi all,
I would like to express my gratitude for your assistance in resolving my issue. Your time and support have been greatly appreciated.
Upon reflection, I realized that I neglected to perform a simple ping test between the sites after resetting both Fortigates. Consequently, I am uncertain about the exact cause of the problem. However, I attempted to rectify the situation by implementing static routes instead of relying on OSPF. Surprisingly, everything appears to be functioning correctly, albeit with an incorrect tunnel IP on the recursive route. To my surprise, I successfully executed a ping test. Subsequently, I decided to remove the static routes, and to my amazement, the connection still remains functional. This turn of events has left me perplexed as to why the ADVPN tunnel now exhibits the WAN IP of the HUB instead of the tunnel IP and why it is working. Perhaps it is related to setting the remote Gateway to that address...
Thank you once again for your assistance and understanding.
Hi,
I think you can use "set next-hop-self-rr enable" inside config neighbor to redistribute the routes from BGP neighbors and make them the gateway for these routes. As the BGP peers' routers are directly connected, there is no need for static routes for the overlays.
Here is some information from Fortinet:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-modify-BGP-next-hop-for-route-refle...
Hi,
Thanks for the quick reply. Sorry, I missed this command in the picture. I've already configured this.
DKAAR-FW01
config neighbor
    edit "172.30.0.2"
        set next-hop-self-rr enable
        set remote-as 65400
        set update-source "ADVPN"
        set password XXX
        set route-reflector-client enable
DEFLE-FW02
config neighbor
    edit "172.30.0.1"
        set next-hop-self-rr enable
        set remote-as 65400
        set update-source "ADVPN"
        set password XXX
        set route-reflector-client enable
On the faulty site, can you please check if the next hop is in the routing table and, if yes, whether it is pointing to the VPN?
Hi Demir
Here is the routing table on the faulty site; marked in red is the IP I assume should be the next hop.
S* 0.0.0.0/0 [5/0] via 10.192.22.1, wan1, [1/0]
B 10.1.2.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.3.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.4.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.5.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.6.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.90.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.91.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.91.100/32 [200/0] via 172.30.0.254 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:49:59
B 10.1.92.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
B 10.1.100.0/24 [200/20] via 172.21.1.2 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:43:43
O E2 10.2.2.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.3.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.4.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.5.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.6.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.90.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
O E2 10.2.91.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
C 10.2.91.100/32 is directly connected, NETMGMT
O E2 10.2.100.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
C 10.192.22.0/24 is directly connected, wan1
B 172.21.1.0/30 [200/0] via 172.30.0.254 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:49:59
B 172.21.1.4/30 [200/0] via 172.30.0.254 (recursive via ADVPN-SPOKE tunnel ###WANIP###), 01:49:59
C 172.21.2.0/30 is directly connected, LACP DEFLE-CSW1
S 172.30.0.0/24 [5/0] via ADVPN-SPOKE tunnel ###WANIP###, [1/0]
C 172.30.0.1/32 is directly connected, ADVPN-SPOKE
S 172.30.0.254/32 [15/0] via ADVPN-SPOKE tunnel ###WANIP###, [1/0]
O E2 192.168.0.0/24 [110/20] via 172.21.2.2, LACP DEFLE-CSW1, 03:17:07
C 192.168.1.0/24 is directly connected, lan
Hi,
Thank you. Please also include the configuration of the tunnel interface ADVPN-SPOKE.
Command as follows: show system interface ADVPN-SPOKE
Hi Demir,
Here is the output from the command:
DEFLE-FW01 $ show system interface ADVPN-SPOKE
config system interface
    edit "ADVPN-SPOKE"
        set vdom "root"
        set ip 172.30.0.1 255.255.255.255
        set allowaccess ping ssh
        set type tunnel
        set remote-ip 172.30.0.254 255.255.255.0
        set snmp-index 25
        set interface "wan1"
    next
end
Hi,
What I see so far is that on the tunnel interface on the spoke you specify remote-ip 172.30.0.254 255.255.255.0, but this should be the hub tunnel IP 172.30.0.1/24.
Furthermore, I did a quick check on a FortiGate, and this will automatically add only 2 routes to the routing table:
S 172.30.0.0/24 [5/0] via advpn tunnel 172.30.0.1, [1/0]
C 172.30.0.2/32 is directly connected, advpn
I am not sure about this route in your routing table or if you have manually added/changed it:
S 172.30.0.254/32 [15/0] via ADVPN-SPOKE tunnel ###WANIP###, [1/0]
My suggestion would be to change the remote-ip accordingly and disable this route and check the behavior.
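The remote-ip point above can be checked offline before touching the box. The following is an added example written for this thread, not code from the thread or from FortiOS: it parses the `show system interface` output posted above (embedded below as a constructed sample), compares `remote-ip` against the hub tunnel IP the operator passes in, confirms the local tunnel address sits inside the overlay that `remote-ip`'s mask defines, and prints the two routes the reply above says FortiOS derives from `ip`/`remote-ip`. The route strings are formatted to look like the routing-table lines in this thread; that formatting is an assumption for readability, not FortiOS output.

```python
import ipaddress

# Constructed sample: the spoke's tunnel-interface configuration as posted above.
SAMPLE_IFACE_CONFIG = """\
config system interface
    edit "ADVPN-SPOKE"
        set vdom "root"
        set ip 172.30.0.1 255.255.255.255
        set allowaccess ping ssh
        set type tunnel
        set remote-ip 172.30.0.254 255.255.255.0
        set snmp-index 25
        set interface "wan1"
    next
end
"""


def parse_interfaces(text):
    """Return {name: {key: [values]}} for each 'edit' block of a FortiOS
    'config system interface' dump. Only flat 'set' lines are needed here."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('edit '):
            current = line[5:].strip().strip('"')
            interfaces[current] = {}
        elif line.startswith('set ') and current is not None:
            key, _, rest = line[4:].partition(' ')
            interfaces[current][key] = [v.strip('"') for v in rest.split()]
        elif line in ('next', 'end'):
            current = None
    return interfaces


def check_tunnel_interface(text, name, hub_tunnel_ip):
    """Check a spoke's tunnel-interface addressing against the hub's tunnel IP.

    Returns a list of finding strings; an empty list means nothing to report.
    """
    ifc = parse_interfaces(text)[name]
    findings = []
    local = ipaddress.ip_address(ifc['ip'][0])
    remote_ip, remote_mask = ifc['remote-ip']
    remote = ipaddress.ip_address(remote_ip)
    overlay = ipaddress.ip_interface(f'{remote_ip}/{remote_mask}').network
    if ifc.get('type') != ['tunnel']:
        findings.append(f'{name}: type is {ifc.get("type")}, expected tunnel')
    if remote != ipaddress.ip_address(hub_tunnel_ip):
        findings.append(f'{name}: remote-ip {remote} is not the hub tunnel IP {hub_tunnel_ip}')
    if local not in overlay:
        findings.append(f'{name}: local ip {local} is outside overlay {overlay}')
    if local == remote:
        findings.append(f'{name}: local ip equals remote-ip {remote}')
    return findings


def expected_auto_routes(text, name):
    """The two routes the reply above says FortiOS adds for a tunnel interface:
    the overlay subnet via the remote-ip, and the local address as a /32.
    Rendered in the style of the routing-table lines in this thread (assumption)."""
    ifc = parse_interfaces(text)[name]
    local_ip = ifc['ip'][0]
    remote_ip, remote_mask = ifc['remote-ip']
    overlay = ipaddress.ip_interface(f'{remote_ip}/{remote_mask}').network
    return [f'S {overlay} via {name} tunnel {remote_ip}',
            f'C {local_ip}/32 is directly connected, {name}']


if __name__ == '__main__':
    # With the hub really on .254 (as the poster later clarifies) nothing is flagged;
    # with the hub assumed to be on .1 the remote-ip mismatch is reported.
    print(check_tunnel_interface(SAMPLE_IFACE_CONFIG, 'ADVPN-SPOKE', '172.30.0.254'))
    print(check_tunnel_interface(SAMPLE_IFACE_CONFIG, 'ADVPN-SPOKE', '172.30.0.1'))
    print(expected_auto_routes(SAMPLE_IFACE_CONFIG, 'ADVPN-SPOKE'))
```

Run it with the hub tunnel address you believe is correct; if the only finding is the remote-ip mismatch, the fix is the one suggested in the reply above, and the printed routes are what to look for in `get router info routing-table all` afterwards.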
Sorry for the confusion with the remote IP. When I had to create the VPN again, I thought it would be better to have the HUB use the .254 IP instead of .1. The route you marked in bold should be the right route.
.1 is now SPOKE
.2 is not used
.254 is now HUB
Hello,
I am not sure if, on the right firewall, the "WAN IP" means that the gateway is resolved incorrectly. I would need to see the whole routing table, including output from #diag vpn ike gateway list and from #diag vpn tunnel list. Ideally unredacted. I am not sure if this BGP is between spoke and spoke or between spoke and HUB.