Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
LoueyS
New Contributor II

Created on ‎03-31-2022 04:31 AM

SDWAN Spoke Does not receive all best routes from the HUB via iBGP

Hi everyone,

 

I am working on an SDWAN topology with 1 hub and 3 spokes (Spoke 1, spoke 2, spoke 3) routed via iBGP with the hub as Route reflector server. All spokes are RR clients.

 

The actual issue is that the Hub is advertising all the best routes to the spokes but spoke 2 does not receive the route of spoke 1 and spoke 1 does not receive the route of spoke 2. Spoke 3 receives all the routes and spoke1 and spoke 2 receive the spoke 3 routes.

 

I don't see any route-map or filter on spoke 1 or Spoke 2, I have done a soft bgp clear but still have the same issue. This make ADVPN shortcut never goes up between spoke 1 and 2.

 

have you ever faced the same issue ?

 

Kind regards

Labels:
3604
0 Kudos
1 Solution
akristof
Staff
Staff
In response to LoueyS

Created on ‎04-04-2022 04:52 AM

Hi,

Let's try this. Can you configure on Spoke router-id that will be some other ID, for example IP of the tunnel. I am suspecting that there might be some duplicate router-id withing your AS.

Adrian

View solution in original post

3564
9 REPLIES 9
akristof
Staff
Staff

Created on ‎03-31-2022 11:12 PM

Hello,

 

Thank you for your question. If spoke3 is receiving all routes, then HUB should be doing it's job and the problem should be on spoke1/spoke2. I would first verify configs - if the BGP is same on all devices and if the ipsec tunnel config is the same.

And then verify the BGP and routing-table. I would verify this:

get router info routing-table all

get router info routing-table data

get router info bgp network

get router info bgp neighbor X.X.X.X received-routes (soft-reconfiguration needs to be enabled).

This will at least tell you if spoke is receive route, but maybe not installing it in the routing-table. If you don't see route even received, then enable BGP debug, restart BGP and see:

diag ip router bgp level info

diag ip router bgp nsm enable

diag ip router bgp all enable

diag debug console time en

diag debug en

exec router clear bgp ip x.x.x.x (neighbor ip).

 

And then see if some routes are not suppressed or some other problem.

diag debug disable - to disable debug when you finish

 

Adrian
3546
LoueyS
New Contributor II
In response to akristof

Created on ‎04-04-2022 03:11 AM

Hi Adrian,

 

Thank you so much for your answer. Actually I enabled soft-reconfiguration and find the route in "received-routes" so the spoke is receiving the route from the HUB. The problem is that I don't find any route-map of prefix list that could filter the routes.

 

Have an idea of what the issue can be ?

 

Kind regards

3533
0 Kudos
akristof
Staff
Staff
In response to LoueyS

Created on ‎04-04-2022 03:43 AM

Hi,

 

In that case, check couple of things. I still recommend check routing-table database to see if it is just not the best route. Other then this, run the debug for BGP, bring neighbor down and see if there is some message why routes are not injected into routing-table/bgp table. If you will attach output let me know which route is not in routing-table we can check if there are some hints.

Adrian
3531
LoueyS
New Contributor II
In response to akristof

Created on ‎04-04-2022 04:09 AM

Hi Adrian,

 

I made a debug in spoke 2 with reseting the neighbor  (RR server) and I got this :

LoueyS_0-1649070333165.png

Prefix "spoke 1" path-id 0 denied due to originator is us.

 

I don't understand why he is considering that this prefix carries his own id. 

 

Do you have an idea about that ?

 

I confirm is that route is the best route (indicated in received-routes)

LoueyS_1-1649070548502.png

 

Regards

3529
0 Kudos
akristof
Staff
Staff
In response to LoueyS

Created on ‎04-04-2022 04:27 AM

Hi,


For some reasons Fortigate act like this would not be route-reflector scenario. Can you share with me BGP config from this spoke and from HUB?

Adrian
3528
0 Kudos
LoueyS
New Contributor II
In response to akristof

Created on ‎04-04-2022 04:45 AM

Hi,

 

Here is the bgp config for the spoke :

LoueyS_0-1649072699204.png

and from the HUB :

LoueyS_1-1649072736905.png

 

3524
0 Kudos
akristof
Staff
Staff
In response to LoueyS

Created on ‎04-04-2022 04:52 AM

Hi,

Let's try this. Can you configure on Spoke router-id that will be some other ID, for example IP of the tunnel. I am suspecting that there might be some duplicate router-id withing your AS.

Adrian
3565
LoueyS
New Contributor II
In response to akristof

Created on ‎04-04-2022 05:04 AM

Hi Adrian,

 

I changed the router-id for the spoke it works, I can find the spoke 1 route in the bgp table. Which I don't understand is that no router-id was configured in all the spokes and spoke 3 was receiving all routes. So normally there is no router-id duplication.

 

Thank you for your help !

 

Regards

3520
LoueyS
New Contributor II
In response to akristof

Created on ‎04-04-2022 05:06 AM

Hi Adrian,

 

It works by changing the spoke router-id. I dont understand why because no router-id was configured in the spokes. And spoke 3 was receiving all routes without any problem.

 

Thanks a lot for your help.

 

Regards

3519
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.